
Bind to localhost by default

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.5.7
    • Component/s: Networking
    • Labels:
      None

      Description

      User Summary as of May 17, 2017

      MongoDB 3.5.7 introduces a new line of protection from unauthorized access: as of this release, MongoDB servers will only listen for connections on the local host unless explicitly configured to listen on another address. The next production release, 3.6, incorporates this change.

      Before changing this new default behavior, users are encouraged to review our Security Checklist.

      To make MongoDB servers accept connections from remote and local sources, either:

      • Set --bind_ip 0.0.0.0 on the command line, or set the equivalent parameter, net.bindIp, in your configuration file:

        net:
          bindIp: 0.0.0.0

        Advanced deployments running on hosts with multiple network interfaces may find other values of net.bindIp useful.

      or

      • Use the new mongod --bind_ip_all command line switch, or enable the equivalent parameter, net.bindIpAll, in your configuration file:

        net:
          bindIpAll: true

      When MongoDB is only listening for connections on the local host, remote clients will be unable to connect. Remote clients that attempt to connect may see error messages such as "Connection refused". If your MongoDB servers need to accept external network connections, please go through our Security Checklist before following the instructions above.

      Original description

      MongoDB binaries should bind to localhost by default. This will allow small deployments and testing environments to be used from localhost, while not being accessible from the internet.

      The following changes shall be made:
      1) All mongod and mongos 3.6 binaries shall bind to 127.0.0.1 by default. When the --ipv6 argument is provided, then the server should additionally bind to the IPv6 address ::1. The server may be instructed to listen to internet traffic by starting it with arguments to --bind_ip that select a routable IP or IPv6 address.
      2) If no explicit bind_ip has been provided, print a startup warning indicating that the server is not responding to external connections, which describes how to fix the problem.
      3) A flag --bind_ip_all will be added to the server. When set, it shall cause the server to bind to all addresses.
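
An added example (not MongoDB's code and not part of the original issue): a Python audit helper that works out which addresses a mongod or mongos invocation would bind under the rules above and flags the ones reachable from other hosts. Assumptions: command-line flags override the configuration file, net.bindIp may hold a comma-separated list, the config is read with a simplified line scan rather than a YAML parser, and the function names and sample config are constructed for illustration.

```python
import ipaddress
# Constructed sample config (not from the original page).
SAMPLE_CONF = "storage:\n  dbPath: /data/db\nnet:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n"

def net_settings(conf_text):
    """Read key/value pairs under the top-level net: block (line scan, not a YAML parser)."""
    settings, in_net = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():              # a top-level key starts a new block
            in_net = line == "net:"
        elif in_net and ":" in line:
            key, _, value = line.strip().partition(":")
            settings[key] = value.strip().strip("\"'")
    return settings

def bind_addresses(argv, conf_text=""):
    """Addresses mongod/mongos would listen on under the localhost default."""
    net = net_settings(conf_text)
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "").lower() == "true"
    for i, arg in enumerate(argv):             # assumption: command line overrides the file
        if arg == "--bind_ip_all":
            bind_all = True
        elif arg == "--bind_ip" and i + 1 < len(argv):
            bind_ip = argv[i + 1]
        elif arg.startswith("--bind_ip="):
            bind_ip = arg.split("=", 1)[1]
    if bind_all:
        return ["0.0.0.0"]                     # stands for "all addresses"
    if bind_ip:
        return [a.strip() for a in bind_ip.split(",") if a.strip()]
    return ["127.0.0.1"] + (["::1"] if "--ipv6" in argv else [])

def remote_reachable(addresses):
    """Subset of bind addresses that accept non-local connections."""
    exposed = []
    for addr in addresses:
        if addr.startswith("/") or addr == "localhost":
            continue                           # unix socket path or loopback hostname
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass                               # other hostname: cannot prove it is local
        exposed.append(addr)
    return exposed
```

An empty result from `remote_reachable` means the instance is only reachable from the local host; any entry it returns is an address to review against the Security Checklist before deployment.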
