[dx034]

Many database systems are by default only exposed to localhost, you'd have to specifically change the settings to be able to talk to it from outside. That's at least the case for Postgres and MSSQL, not sure about MySQL.

I don't see any reason that a database should allow to listen to any address without authentication. There shouldn't be a real world application requiring this.

[nkozyra]

MySQL is the same with bind-address. If someone chooses to expose a db/store to the world, it would be nice if there was some automatic auth enabled. This isn't Mongo-specific, Elasticsearch is the same way.

[martinald]

Agreed. I think it should only work in non-auth mode if you're binding to localhost/loopback but if you go for any other interface it bombs out if auth isn't enabled. Have a flag if you want to override that (if you are doing some other sort of clever auth that the instance can't tell itself), but these defaults are really dumb IMO.

[Xylakant]

ES did have the same default, but that changed in 2.0. Since then the default is to bind to localhost only. However, ES does not at all provide any authentication without a plugin.

[agopaul]

In MySQL you have to change the bind-address but also allow the user to access from any IP (%) in order to access from any IP. Opening the service to the whole web is not enough

[nkozyra]

True, and hopefully if/when people do that they're not GRANT to '%'@'%' or whatever, but I figure if you're not going to bother to tunnel who knows what other silly things you might do.

And this is case in point.