To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
Starting with MongoDB 3.6, MongoDB binaries, mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
For more information, see IP Binding.
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the netfilter firewall. On Windows systems, command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see:
For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongos instances and that the mongos instances can only connect to trusted outputs.
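One way to check the firewall property described above is to audit a saved ruleset. The following is an added example, not part of the original documentation: it assumes `iptables-save` output, MongoDB's default port 27017, and a hypothetical list of trusted source networks; the sample ruleset is constructed.

```python
import ipaddress
import shlex

MONGO_PORT = "27017"  # MongoDB default port; assumption, adjust per deployment

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 27017 -j ACCEPT
COMMIT
"""


def audit_mongo_firewall(rules_text, trusted, port=MONGO_PORT):
    """Return findings for INPUT rules that expose `port` beyond `trusted`.

    Conservative: any ACCEPT for the port from a non-trusted source is
    reported, regardless of rule order. Negated matches ("!") and
    multiport rules are not interpreted. IPv4 only.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for line in rules_text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"INPUT default policy is {policy}, not DROP")
            continue
        if not line.startswith("-A INPUT "):
            continue
        tok = shlex.split(line)
        # Map each option to the token that follows it (-s, --dport, -j, ...).
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                if tok[i].startswith("-")}
        if opts.get("--dport") != port or opts.get("-j") != "ACCEPT":
            continue
        # A rule without -s matches every source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if not any(src.subnet_of(net) for net in trusted_nets):
            findings.append(f"port {port} accepted from untrusted source {src}: {line}")
    return findings
```

Feed it the text of `iptables-save` from the database host and the list of application servers that should reach the port; an empty result means every ACCEPT rule for the port is scoped to a trusted source and the chain defaults to DROP.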
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPsec VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and "man-in-the-middle" attacks.