OPTIONS

Network Exposure and Security

By default, MongoDB programs (i.e. mongos and mongod) will bind to all available network interfaces (i.e. IP addresses) on a system.

This page outlines various runtime options that allow you to limit access to MongoDB programs.

Configuration Options

You can limit the network exposure with the following mongod and mongos configuration options: enabled, net.http.RESTInterfaceEnabled, bindIp, and port. You can use a configuration file to specify these settings.

nohttpinterface

The enabled setting for mongod and mongos instances disables the “home” status page.

Changed in version 2.6: The mongod and mongos instances run with the http interface disabled by default.

The status interface is read-only by default, and the default port for the status page is 28017. Authentication does not control or affect access to this interface.

Important

Disable this interface for production deployments. If you enable this interface, you should only allow trusted clients to access this port. See Firewalls.

rest

The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. The net.http.RESTInterfaceEnabled configuration makes the http status interface [1], which is read-only by default, fully interactive. Use the net.http.RESTInterfaceEnabled setting with the enabled setting.

The REST interface does not support any authentication and you should always restrict access to this interface to only allow trusted clients to connect to this port.

You may also enable this interface on the command line as mongod --rest --httpinterface.

Important

Disable this option for production deployments. If do you leave this interface enabled, you should only allow trusted clients to access this port.

[1]Starting in version 2.6, http interface is disabled by default.

bind_ip

The bindIp setting for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections. You can also specify a number of interfaces by passing bindIp a comma separated list of IP addresses. You can use the mongod --bind_ip and mongos --bind_ip option on the command line at run time to limit the network accessibility of a MongoDB program.

Important

Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.

port

The port setting for mongod and mongos instances changes the main port on which the mongod or mongos instance listens for connections. The default port is 27017. Changing the port does not meaningfully reduce risk or limit exposure. You may also specify this option on the command line as mongod --port or mongos --port. Setting port also indirectly sets the port for the HTTP status interface, which is always available on the port numbered 1000 greater than the primary mongod port.

Only allow trusted clients to connect to the port for the mongod and mongos instances. See Firewalls.

See also Security Considerations and Default MongoDB Port.

Firewalls

Firewalls allow administrators to filter and control access to a system by providing granular control over what network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems, and limiting incoming traffic from untrusted hosts.

On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see Configure Linux iptables Firewall for MongoDB and Configure Windows netsh Firewall for MongoDB.

For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted outputs.

See also

For MongoDB deployments on Amazon’s web services, see the Amazon EC2 page, which addresses Amazon’s Security Groups and other EC2-specific security features.

Virtual Private Networks

Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically MongoDB users who use VPNs use SSL rather than IPSEC VPNs for performance issues.

Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and “man-in-the-middle” attacks.