MongoDB - insecure by design


Mareike Hassler

Feb 10, 2015, 10:20:43 AM
to mongod...@googlegroups.com
40.000 sites running MongoDB completely open:


http://cispa.saarland/mongodb/

Why is this?

Insecurity is a built-in feature of MongoDB. No default password, listening on all IP addresses by default.

The human factor: obviously 40.000 administrators are in the wild who are unable to perform,
or incompetent at, basic security operations like changing the bind IP address or configuring
basics like open ports in a firewall.

Why? The quality of IT people has been going down and down over the last years. Idiots that
can hardly spell their own names feel blessed doing database related work. Copy & paste culture...
running systems in public without having reasonable background about networks,
IT security etc.

Cheers
MH

Will Berkeley

Feb 10, 2015, 11:00:16 AM
to mongod...@googlegroups.com
Hi Mareike. Let me direct you to a response written by Eliot Horowitz, MongoDB's CTO, about MongoDB Security Best Practices.

-Will
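
The two defaults named in the first post (no authentication, listening on every interface) can be checked directly in a `mongod.conf`. The script below is an added example, not part of the thread and not MongoDB's own tooling. It assumes the YAML config format and treats an unset `net.bindIp` as all interfaces, as the post describes; the function names and sample configs are constructed for illustration.

```python
import ipaddress

# Constructed sample configs in mongod's YAML format, not taken from the thread.
WEAK = "net:\n  port: 27017\n"  # no bindIp, no security section
HARDENED = """net:
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

def flatten_conf(text):
    """Flatten the nested-mapping YAML subset mongod.conf uses into dotted keys."""
    stack, flat = [], {}  # stack: (indent, key) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return flat

def is_local(addr):
    if addr == "localhost" or addr.startswith("/"):  # name or Unix socket path
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # any other hostname is treated as reachable

def audit(text):
    """Return (severity, message) findings for exposure and missing authentication."""
    conf = flatten_conf(text)
    # Assumption: an unset bindIp means all interfaces, the default the post describes.
    binds = [a.strip() for a in conf.get("net.bindIp", "0.0.0.0").split(",")]
    exposed = [a for a in binds if not is_local(a)]
    auth = conf.get("security.authorization") == "enabled" or "security.keyFile" in conf
    if exposed and not auth:
        return [("CRITICAL", "no authentication and listening on " + ", ".join(exposed))]
    if exposed:
        return [("WARN", "listening on " + ", ".join(exposed) + "; limit the port by firewall")]
    if not auth:
        return [("WARN", "authorization disabled; any local user can connect")]
    return []
```

`audit(WEAK)` reports the CRITICAL case and `audit(HARDENED)` returns no findings; run it over the config file of each deployed instance before the port is opened in a firewall.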
