Network Exposure and Security
By default, MongoDB programs (i.e. mongos and mongod) will bind to all available network interfaces (i.e. IP addresses) on a system.
This page outlines various runtime options that allow you to limit access to MongoDB programs.
Configuration Options
You can limit the network exposure with the following mongod and mongos configuration options: net.http.enabled, net.http.RESTInterfaceEnabled, net.bindIp, and net.port. You can use a configuration file to specify these settings.
nohttpinterface
The net.http.enabled setting for mongod and mongos instances enables or disables the “home” status page.
Changed in version 2.6: The mongod and mongos instances run with the http interface disabled by default.
The status interface is read-only by default, and the default port for the status page is 28017. Authentication does not control or affect access to this interface.
Important
Disable this interface for production deployments. If you enable this interface, you should only allow trusted clients to access this port. See Firewalls.
rest
The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. The net.http.RESTInterfaceEnabled configuration makes the http status interface [1], which is read-only by default, fully interactive. Use the net.http.RESTInterfaceEnabled setting together with the net.http.enabled setting.
The REST interface does not support any authentication and you should always restrict access to this interface to only allow trusted clients to connect to this port.
You may also enable this interface on the command line as mongod --rest --httpinterface.
Important
Disable this option for production deployments. If you do leave this interface enabled, you should only allow trusted clients to access this port.
[1] Starting in version 2.6, the http interface is disabled by default.
bind_ip
The net.bindIp setting for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections. You can also specify multiple interfaces by passing net.bindIp a comma-separated list of IP addresses. You can use the mongod --bind_ip and mongos --bind_ip option on the command line at run time to limit the network accessibility of a MongoDB program.
port
The net.port setting for mongod and mongos instances changes the main port on which the mongod or mongos instance listens for connections. The default port is 27017. Changing the port does not meaningfully reduce risk or limit exposure. You may also specify this option on the command line as mongod --port or mongos --port. Setting net.port also indirectly sets the port for the HTTP status interface, which is always available on the port numbered 1000 greater than the primary mongod port.
Only allow trusted clients to connect to the port for the mongod and mongos instances. See Firewalls.
See also Security Considerations and Default MongoDB Port.
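As an added example (not part of the MongoDB manual), the following script audits a legacy key = value mongod/mongos configuration file for the four exposure settings described above: an all-interfaces bind_ip, an enabled HTTP status page on port + 1000 with no authentication, and a REST interface that is either fully interactive or set without the http interface it depends on. It assumes the legacy key names match the command-line option names on this page (bind_ip, port, httpinterface, nohttpinterface, rest); the sample configurations are constructed.

```python
# Added example (not from the MongoDB manual): audit a legacy "key = value"
# mongod/mongos config file for the exposure settings this page covers.
DEFAULT_PORT = 27017        # default listener port (see "port" above)
STATUS_PORT_OFFSET = 1000   # the HTTP status page listens on port + 1000

def parse_legacy_config(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes")

def audit_network_exposure(settings):
    """Return a list of exposure findings for the parsed settings."""
    findings = []
    port = int(settings.get("port", DEFAULT_PORT))
    addrs = [a.strip() for a in settings.get("bind_ip", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs:
        findings.append(f"bind_ip: listening on all interfaces (port {port})")
    # Pre-2.6 'nohttpinterface = true' disables the status page; 2.6+ needs
    # 'httpinterface = true' to enable it (assumed legacy key names).
    http_on = (is_true(settings.get("httpinterface", "false"))
               and not is_true(settings.get("nohttpinterface", "false")))
    if http_on:
        findings.append(f"httpinterface: status page on port {port + STATUS_PORT_OFFSET} "
                        "is not protected by authentication")
    if is_true(settings.get("rest", "false")):
        findings.append("rest: fully interactive REST interface with no authentication"
                        if http_on else "rest: has no effect until httpinterface is enabled")
    return findings

# Constructed sample configurations (not real deployments).
WEAK_CONFIG = "port = 27017\nbind_ip = 0.0.0.0\nhttpinterface = true\nrest = true\n"
HARDENED_CONFIG = """\
port = 27017
bind_ip = 127.0.0.1,10.0.0.5   # loopback plus one trusted private address
httpinterface = false
rest = false
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_exposure(parse_legacy_config(cfg)) or "no findings")
```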
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over which network communications are permitted. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems, and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see Configure Linux iptables Firewall for MongoDB and Configure Windows netsh Firewall for MongoDB.
For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted destinations.
See also
For MongoDB deployments on Amazon’s web services, see the Amazon EC2 page, which addresses Amazon’s Security Groups and other EC2-specific security features.
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPSEC VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which require a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and “man-in-the-middle” attacks.