[SERVER-28229] Bind to localhost by default Created: 07/Mar/17  Updated: 09/Mar/18  Resolved: 28/Apr/17

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: None
Fix Version/s: 3.5.7

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by SERVER-33345 Update mongodb.conf to match current ... Closed
Gantt Dependency
Related
related to SERVER-28949 Make JSTests use the localhost networ... Open
Backwards Compatibility: Major Change
Sprint: Platforms 2017-04-17, Platforms 2017-05-08
Participants:
Linked BF Score: 0

 Description   
User Summary as of May 17, 2017

MongoDB 3.5.7 introduces a new line of protection from unauthorized access: as of this release, MongoDB servers will only listen for connections on the local host unless explicitly configured to listen on another address. The next production release, 3.6, incorporates this change.

Before changing this new default behavior, users are encouraged to review our Security Checklist.

To make MongoDB servers accept connections from remote and local sources, either:

  • Set --bind_ip 0.0.0.0 on the command line, or set the equivalent parameter, net.bindIp, in your configuration file:

    net:                                                                                                
       bindIp: 0.0.0.0
    

    Advanced deployments running on hosts with multiple network interfaces may find other values of net.bindIp useful.

or

  • Use the new mongod --bind_ip_all command line switch, or enable the equivalent parameter, net.bindIpAll, in your configuration file:

    net:                                                                                                
      bindIpAll: true
    

When MongoDB is only listening for connections on the local host, remote clients will be unable to connect. Connection attempts from remote clients may see error messages such as "Connection refused". If your MongoDB servers need to accept external network connections, please go through our Security Checklist before following the instructions above.

Original description

MongoDB binaries should bind to localhost by default. This will allow small deployments and testing environments to be used from localhost, while not being accessible from the internet.

The following changes shall be made:
1) All mongod and mongos 3.6 binaries shall bind to 127.0.0.1 by default. When the --ipv6 argument is provided, then the server should additionally bind to the IPv6 address ::1. The server may be instructed to listen to internet traffic by starting it with arguments to --bind_ip that select a routable IP or IPv6 address.
2) If no explicit bind_ip has been provided, print a startup warning indicating that the server is not responding to external connections, which describes how to fix the problem.
3) A flag --bind_ip_all will be added to the server. When set, it shall cause the server to bind to all addresses.



 Comments   
Comment by Githook User [ 28/Apr/17 ]

Author:

{u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

Message: SERVER-28229: Bind to localhost by default
Branch: master
https://github.com/mongodb/mongo/commit/60636b4d3ae60a24c080c7250459814eef5e7c87

Comment by Githook User [ 25/Apr/17 ]

Author:

{u'username': u'kaloianm', u'name': u'Kaloian Manassiev', u'email': u'kaloian.manassiev@mongodb.com'}

Message: Revert "SERVER-28229: Bind to localhost by default"

This reverts commit d6b244fce44e6729485b1521346db6e372f6b901.
Branch: master
https://github.com/mongodb/mongo/commit/edb24708c5d6d663e9de4632137306552c55b5a1

Comment by Githook User [ 24/Apr/17 ]

Author:

{u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

Message: SERVER-28229: Bind to localhost by default
Branch: master
https://github.com/mongodb/mongo/commit/d6b244fce44e6729485b1521346db6e372f6b901

Generated at Thu Feb 08 04:17:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.