-
Type: Improvement
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Networking
-
None
-
Major Change
-
Platforms 2017-04-17, Platforms 2017-05-08
-
0
MongoDB 3.5.7 introduces a new line of protection from unauthorized access: as of this release, MongoDB servers will only listen for connections on the local host unless explicitly configured to listen on another address. The next production release, 3.6, incorporates this change.
Before changing this new default behavior, users are encouraged to review our Security Checklist.
To make MongoDB servers accept connections from remote and local sources, either:
- Set --bind_ip 0.0.0.0 on the command line, or set the equivalent parameter, net.bindIp, in your configuration file:
net: bindIp: 0.0.0.0
Advanced deployments running on hosts with multiple network interfaces may find other values of net.bindIp useful.
or
- Use the new mongod --bind_ip_all command line switch, or enable the equivalent parameter, net.bindIpAll, in your configuration file:
net: bindIpAll: true
When MongoDB is only listening for connections on the local host, remote clients will be unable to connect. Connection attempts from remote clients may see error messages such as "Connection refused". If your MongoDB servers need to accept external network connections, please go through our Security Checklist before following the instructions above.
Original description
MongoDB binaries should bind to localhost by default. This will allow small deployments and testing environments to be used from localhost, while not being accessible from the internet.
The following changes shall be made:
1) All mongod and mongos 3.6 binaries shall bind to 127.0.0.1 by default. When the --ipv6 argument is provided, then the server should additionally bind to the IPv6 address ::1. The server may be instructed to listen to internet traffic by starting it with arguments to --bind_ip that select a routable IP or IPv6 address.
2) If no explicit bind_ip has been provided, print a startup warning indicating that the server is not responding to external connections, which describes how to fix the problem.
3) A flag --bind_ip_all will be added to the server. When set, it shall cause the server to bind to all addresses.
- is documented by
-
SERVER-33345 Update mongodb.conf to match current bindIpAll and bindIp behavior
- Closed
- related to
-
SERVER-28949 Make JSTests use the localhost network interface
- Open