by eli 3835 days ago
i.e. the default configuration

But yeah, that's not good.

2 comments

> i.e. the default configuration

The default configuration for MongoDB is to listen on localhost only. Someone changed the configuration if it was listening on a public IP.

This is only true after the Mongo people were lambasted on the web for having such a terribly insecure out of the box product. Which was fairly recently. For years the product would bind to all IP addresses. Which is insane for a default install.

Feb 2015:

Discovered 40,000 vulnerable MongoDB databases on the Internet

http://securityaffairs.co/wordpress/33487/hacking/40000-vuln...

The changes were made after this, so we're only talking a few months now.

>The default configuration for MongoDB is to listen on localhost only

That's true, but I remember that change was only made recently. Before, mongo would listen on all IPs and had no passwords.

Some official distributions listened to all addresses by default (by design) until recently. https://blog.shodan.io/its-the-data-stupid/

Oh I see. Assumed it was like mysql/mariadb where secure_installation by default asks to remove access from outside.

It also implies frontend server includes the DB, typically a sysadmin would de-couple it so this shows lack of experience.
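The binding default the thread argues about, as an added illustration (not from any poster here): a mongod.conf fragment in MongoDB's YAML format, showing the older all-interfaces, no-auth shape next to the loopback-plus-authorization shape. The file path and the comments are assumptions; the option names (net.bindIp, net.port, security.authorization) are MongoDB's own.

```yaml
# /etc/mongod.conf  (path assumed; this is an illustrative fragment)

# --- Exposed shape: what "bind to all IPs, no passwords" looks like ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0          # every interface, including public ones
# (no "security" section => no authorization, anyone who can reach
#  the port can read and write every database)

# --- Hardened shape: loopback only, clients must authenticate ---
net:
  port: 27017
  bindIp: 127.0.0.1          # localhost only; add the private app-server
                             # address here only if the app really needs
                             # a separate host (comma-separated list)
security:
  authorization: enabled     # require users and roles; create an admin
                             # user before enabling this

# Check after restarting mongod:
#   ss -ltnp | grep 27017
# should show 127.0.0.1:27017, never 0.0.0.0:27017 or *:27017.
```

The older ini-style config spelled the same setting as `bind_ip`; a box upgraded in place can still carry that file, so check whichever format the running mongod actually loads.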