Network and Configuration Hardening
On this page
To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
MongoDB Configuration Hardening
IP Binding
MongoDB binaries, mongod
and
mongos
, bind to localhost
by default.
Warning
Before you bind your instance to a publicly-accessible IP address, you must secure your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.
Warning
For more information, see IP Binding.
HTTP Status Interface and REST API
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
Network Hardening
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables
interface provides access to the
underlying netfilter
firewall. On Windows systems, netsh
command line interface provides access to the underlying Windows
Firewall. For additional information about firewall configuration, see:
For best results and to minimize overall exposure, ensure that only
traffic from trusted sources can reach mongod
and
mongos
instances and that the mongod
and
mongos
instances can only connect to trusted outputs.
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPSEC VPNs for performance issues.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and "man-in-the-middle" attacks.
Disable IP Forwarding
IP forwarding allows servers to forward packets to other systems. Disable this
feature on servers that host mongod
.
To disable IP forwarding on Linux, use the sysctl
command:
sudo sysctl -w net.ipv4.ip_forward=0
To make the change persistent, edit the /etc/sysctl.conf
file to add
this line:
net.ipv4.ip_forward = 0
IP forwarding is disabled by default on Windows.