by mrweasel 3451 days ago
It's fascinating that someone installs and configures MongoDB and doesn't stop to think: "Hey, maybe this shouldn't be exposed directly to the internet". I mean you wouldn't do that with something like MySQL.

Some sort of analysis of the purpose of these directly exposed MongoDB instances could be interesting. Are they being used as a backend for JavaScript applications?


Many database systems are by default only exposed to localhost, you'd have to specifically change the settings to be able to talk to it from outside. That's at least the case for Postgres and MSSQL, not sure about MySQL.

I don't see any reason that a database should be allowed to listen on any address without authentication. There shouldn't be a real-world application requiring this.

MySQL is the same with bind-address. If someone chooses to expose a db/store to the world, it would be nice if there was some automatic auth enabled. This isn't Mongo-specific, Elasticsearch is the same way.
Agreed. I think it should only work in non-auth mode if you're binding to localhost/loopback but if you go for any other interface it bombs out if auth isn't enabled. Have a flag if you want to override that (if you are doing some other sort of clever auth that the instance can't tell itself), but these defaults are really dumb IMO.
ES did have the same default, but that changed in 2.0. Since then the default is to bind to localhost only. However, ES does not provide any authentication at all without a plugin.
In MySQL you have to change the bind-address but also allow the user to access from any IP (%) in order to access from any IP. Opening the service to the whole web is not enough.
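
The rule proposed above (no auth is tolerable only when the listener is bound to loopback) and the MySQL two-step point (bind-address plus an account's host), as an added example that is not from this thread: a small Python audit over constructed mongod.conf and my.cnf text. parse_mongod_conf is a minimal subset parser written for this example, the 127.0.0.1 fallback for a missing bindIp reflects the mongod 3.6+ default, and grant_hosts is assumed to be supplied by the caller from the Host column of mysql.user.

```python
import configparser
import ipaddress

# Constructed sample configs, not taken from any real host.
EXPOSED_MONGOD = "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_MONGOD = "net:\n  bindIp: 127.0.0.1, 10.0.0.5\nsecurity:\n  authorization: enabled\n"
EXPOSED_MYSQL = "[mysqld]\nbind-address = 0.0.0.0\nskip-grant-tables\n"

def is_loopback(addr):
    # 0.0.0.0 and :: are wildcards, not loopback; unresolvable names count as exposed.
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def parse_mongod_conf(text):
    # Minimal parser for the 'section:' / '  key: value' subset of mongod.conf (no lists, no deeper nesting).
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw[0] not in " \t":
            section = key
        else:
            conf.setdefault(section, {})[key] = value.strip()
    return conf

def audit_mongod(text):
    # The thread's rule: running without auth is only acceptable when every bound address is loopback.
    conf = parse_mongod_conf(text)
    binds = [b.strip() for b in conf.get("net", {}).get("bindIp", "127.0.0.1").split(",")]
    auth = conf.get("security", {}).get("authorization", "disabled")
    exposed = [b for b in binds if not is_loopback(b)]
    if exposed and auth != "enabled":
        return ["mongod bound to %s with security.authorization=%s" % (exposed, auth)]
    return []

def audit_mysql(text, grant_hosts):
    # grant_hosts: Host column of mysql.user; '%' means an account reachable from any IP.
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(text)
    bind = cp.get("mysqld", "bind-address", fallback="127.0.0.1")
    problems = [("skip-grant-tables, i.e. no auth at all", cp.has_option("mysqld", "skip-grant-tables")),
                ("an account granted to '%'", "%" in grant_hosts)]
    if is_loopback(bind):
        return []
    return ["bind-address=%s with %s" % (bind, msg) for msg, hit in problems if hit]
```

Both audits return an empty list when the bind addresses are all loopback, so a loopback-only instance without auth passes, which is exactly the exception the thread argues for.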
True, and hopefully if/when people do that they're not GRANT to '%'@'%' or whatever, but I figure if you're not going to bother to tunnel who knows what other silly things you might do.

And this is a case in point.

> I mean you wouldn't do that with something like MySQL.

Oh yeah? I dumped over 40TB of data from open MySQL instances. --skip-grant-tables is probably the most common advice for resetting your MySQL root password.

Yeah but webscale apps aren't vulnerable.