Network and Configuration Hardening
To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
MongoDB Configuration Hardening
IP Binding
Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
Warning
Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.
Warning
Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.
For more information, see IP Binding.
HTTP Status Interface and REST API
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
Network Hardening
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see:
For best results and to minimize overall exposure, ensure that _only_ traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted outputs.
See also
For MongoDB deployments on Amazon's web services, see the Amazon EC2 page, which addresses Amazon's Security Groups and other EC2-specific security features.
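As an added example that is not part of this page or of MongoDB's own tooling, the following POSIX shell script audits a mongod.conf net section for the exposed settings discussed above (bindIpAll, or a wildcard bindIp address) and prints iptables rules that admit the MongoDB port only from trusted hosts. The sample config files, the trusted host 10.0.0.5, port 27017 and the use of iptables state matching are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling: audit a mongod.conf for
# network exposure and print the matching iptables rules.
# Assumptions (constructed for this example): YAML config with a "net:"
# section, trusted application host 10.0.0.5, MongoDB on port 27017.

# Return 0 when the config binds only to explicit addresses (or relies on
# the 3.6+ localhost default); return 1 when it listens on every interface
# via bindIpAll or a wildcard address (0.0.0.0 / ::).
check_bind_ip() {
    conf="$1"
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
        echo "EXPOSED: bindIpAll is true in $conf"
        return 1
    fi
    # Extract the bindIp value and strip quotes and spaces.
    bind=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$conf" | tr -d "\"' ")
    old_ifs=$IFS
    IFS=','
    for addr in $bind; do
        case "$addr" in
            0.0.0.0|::)
                IFS=$old_ifs
                echo "EXPOSED: bindIp includes wildcard $addr in $conf"
                return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "OK: $conf binds to ${bind:-localhost (default)}"
    return 0
}

# Print iptables rules that admit the MongoDB port only from the listed
# trusted hosts and drop everything else. Dry run: review, then apply as root.
mongod_firewall_rules() {
    port="$1"
    shift
    for host in "$@"; do
        echo "iptables -A INPUT -p tcp -s $host --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo on constructed config files: a weak and a hardened net section.
demo_dir=$(mktemp -d)
printf 'net:\n  port: 27017\n  bindIpAll: true\n' > "$demo_dir/weak.conf"
printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n' > "$demo_dir/hardened.conf"
check_bind_ip "$demo_dir/weak.conf" || true
check_bind_ip "$demo_dir/hardened.conf"
mongod_firewall_rules 27017 10.0.0.5
```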
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPSEC VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and "man-in-the-middle" attacks.