MongoDB takes security very seriously. Recently a blog post discussed the fact that there are unsecured instances of MongoDB running openly on the internet. As the post caused some discussion online, we wanted to take the chance to reaffirm our security best practices.
Readers who are concerned about access to their systems are reminded of the following resources:
- The most popular installer for MongoDB (RPM) limits network access to localhost by default.
- Security is addressed in detail in our Security Manual.
- The Security Checklist discusses limiting network exposure. Note that the method to do this will vary depending on where the service is hosted (AWS, Azure, locally, etc).
- Additionally, users of MongoDB Cloud Manager as well as MongoDB Ops Manager can enable alerts to detect if their deployment is internet exposed (see figure below).
- A discussion on security is provided in two parts. Part 1 covers Design and Configuration. Part II covers 10 mistakes that can compromise your database.
- A recording of a webinar on Securing your MongoDB Deployment is available along with slides. We encourage users who have experienced a security incident with MongoDB to create a vulnerability report.
How to create a new alert to notify of host being exposed to the public internet.
If you are interested in learning more about security best practices watch our on demand webinar.
About the Author - Kelly, VP of Strategy
Kelly Stirman is the VP of Strategy at MongoDB. Kelly works closely with customers, partners and the open-source community to articulate how MongoDB is quickly becoming the world's most popular database. For over 15 years he has worked at the forefront of database technologies. Prior to MongoDB, Kelly served in executive and leadership roles at Hadapt, MarkLogic, PeopleSoft, GE, and PricewaterhouseCoopers.