Network Exposure and Security
By default, MongoDB programs (i.e. mongos and mongod) will bind to all available network interfaces (i.e. IP addresses) on a system.
This page outlines various runtime options that allow you to limit access to MongoDB programs.
Configuration Options
You can limit the network exposure with the following mongod and mongos configuration options: nohttpinterface, rest, bind_ip, and port. You can use a configuration file to specify these settings.
nohttpinterface
The nohttpinterface setting for mongod and mongos instances disables the “home” status page, which would run on port 28017 by default. The status interface is read-only by default. You may also specify this option on the command line as mongod --nohttpinterface or mongos --nohttpinterface.
Authentication does not control or affect access to this interface.
Important
Disable this interface for production deployments. If you do leave this interface enabled, you should only allow trusted clients to access this port. See Firewalls.
rest
The rest setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. The status interface, which is enabled by default, is read-only. This configuration makes that interface fully interactive. The REST interface does not support any authentication and you should always restrict access to this interface to only allow trusted clients to connect to this port.
You may also enable this interface on the command line as mongod --rest.
Important
Disable this interface for production deployments. If you do leave this interface enabled, you should only allow trusted clients to access this port.
bind_ip
The bind_ip setting for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections. You can also specify a number of interfaces by passing bind_ip a comma-separated list of IP addresses. You can use the mongod --bind_ip and mongos --bind_ip option on the command line at run time to limit the network accessibility of a MongoDB program.
port
The port setting for mongod and mongos instances changes the main port on which the mongod or mongos instance listens for connections. The default port is 27017. Changing the port does not meaningfully reduce risk or limit exposure. You may also specify this option on the command line as mongod --port or mongos --port. Setting port also indirectly sets the port for the HTTP status interface, which is always available on the port numbered 1000 greater than the primary mongod port.
Only allow trusted clients to connect to the port for the mongod and mongos instances. See Firewalls.
See also Security Considerations and Default MongoDB Port.
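As an added example (not part of MongoDB's documentation or tooling), the following script reads a legacy key = value configuration file and reports the exposure described in this section: binding to all interfaces, the unauthenticated REST interface, and the HTTP status page on the port 1000 above the main port. Both sample configurations are constructed for the example.

```python
"""Audit a legacy key = value mongod/mongos config for network exposure.

Constructed example, not MongoDB's own tooling. It applies the checks
this page describes: bind_ip, port, nohttpinterface and rest.
"""

DEFAULT_PORT = 27017
HTTP_OFFSET = 1000  # the HTTP status interface listens on port + 1000


def parse_config(text):
    """Parse 'key = value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_true(value):
    return value is not None and value.lower() in ("true", "1", "yes")


def audit(settings):
    """Return (findings, listening_ports) for the parsed settings."""
    findings = []
    port = int(settings.get("port", DEFAULT_PORT))
    ports = [port]
    # Absent bind_ip means all interfaces, the same as listing 0.0.0.0.
    addrs = [a.strip() for a in settings.get("bind_ip", "0.0.0.0").split(",")]
    if "0.0.0.0" in addrs:
        findings.append("bind_ip: listening on all interfaces")
    if is_true(settings.get("rest")):
        findings.append("rest: unauthenticated REST interface enabled")
    if not is_true(settings.get("nohttpinterface")):
        ports.append(port + HTTP_OFFSET)
        findings.append(f"nohttpinterface: HTTP status page exposed on port {ports[-1]}")
    return findings, ports


# Constructed sample configs: defaults plus rest enabled, and a hardened one.
WEAK = "port = 27017\nrest = true\n"
HARDENED = "bind_ip = 127.0.0.1,10.0.0.5\nport = 27017\nnohttpinterface = true\nrest = false\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_config(cfg)))
```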
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over which network communications are permitted. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems, and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see Configure Linux iptables Firewall for MongoDB and Configure Windows netsh Firewall for MongoDB.
For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted destinations.
See also
For MongoDB deployments on Amazon’s web services, see the Amazon EC2 page, which addresses Amazon’s Security Groups and other EC2-specific security features.
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically MongoDB users who use VPNs use SSL rather than IPsec VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and “man-in-the-middle” attacks.