
Author: Government Digital Service

Open port 27017: MongoDB

What this means

MongoDB is a NoSQL database that runs on port 27017 by default.

When this port is left open to the internet without proper authentication or firewall rules, it can allow an attacker to connect to the database.

An open MongoDB port means that the database is publicly accessible, potentially exposing sensitive data to unauthorised users.

Why this is a problem

Having a MongoDB port open on an untrusted network can lead to severe security risks, including:

  • unauthorised access where attackers can connect to the database, view, modify, or even delete data
  • data breaches where sensitive information such as user credentials, personal details, and business records can be exposed
  • ransom attacks where cyber criminals have been known to erase databases and leave ransom notes demanding payment for data restoration
  • malware injection where attackers can inject malicious scripts or use the database as part of a botnet

How to check if the problem is there

Check for an open MongoDB port

Run the following command to check whether your MongoDB instance is exposed.

Using Netstat (Linux/Mac):

netstat -tulnp | grep 27017

If MongoDB is listening on 0.0.0.0 (or ::: for IPv6), it is bound to every network interface and can accept connections from any IP address that can reach the host.

Using Nmap (Linux/Mac/Windows):

nmap -p 27017 <your-server-ip>

If the port is open, it will be listed in the scan results.

Query firewall access lists:

Open the perimeter firewall access lists and check for an inbound allow rule for port 27017.
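The listing check above can be turned into a repeatable test. The script below is an added example, not part of the original guidance: it classifies each listening socket line from `netstat -tulnp` (or the equivalent `ss -tulnp` on modern Linux) by how widely port 27017 is exposed, and fails when any MongoDB listener is bound to all interfaces. The sample listing it runs against is constructed, and the address 10.0.5.12 is an assumed private interface.

```shell
#!/bin/sh
# Added example (not from the original guidance): classify listening sockets
# from `netstat -tulnp` or `ss -tulnp` output by how widely MongoDB's port is exposed.

MONGO_PORT=27017

# classify_listener LINE
#   prints: exposed-all  (bound to 0.0.0.0 / [::] / :::, reachable from any network)
#           local-only   (bound to 127.0.0.1 / ::1)
#           bound:ADDR   (bound to one specific interface address)
#           other        (the line is not a listener on MONGO_PORT)
classify_listener() {
    line="$1"
    # Pick the field that ends in ":27017" (the Local Address column in both
    # netstat and ss layouts); the peer column for a listener ends in ":*".
    local_addr=$(printf '%s\n' "$line" |
        awk -v p="$MONGO_PORT" '{ for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) { print $i; exit } }')
    if [ -z "$local_addr" ]; then
        echo other
        return
    fi
    addr="${local_addr%:*}"          # strip the trailing ":port"
    case "$addr" in
        0.0.0.0|'[::]'|'::')   echo exposed-all ;;
        127.0.0.1|'[::1]'|'::1') echo local-only ;;
        *)                     echo "bound:$addr" ;;
    esac
}

# audit_listeners < LISTING
#   prints a verdict per MongoDB listener; exits 1 if any is exposed on all interfaces.
audit_listeners() {
    rc=0
    while IFS= read -r line; do
        verdict=$(classify_listener "$line")
        case "$verdict" in
            other)       ;;
            exposed-all) echo "FAIL exposed on all interfaces: $line"; rc=1 ;;
            *)           echo "OK   $verdict: $line" ;;
        esac
    done
    return $rc
}

# Constructed sample in netstat -tulnp layout (not real output from any host).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1234/mongod
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1234/mongod
tcp        0      0 10.0.5.12:27017         0.0.0.0:*               LISTEN      1234/mongod
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd'

# Stand-alone run against the sample; on a live host use:
#   netstat -tulnp | audit_listeners      (or: ss -tulnp | audit_listeners)
if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners; then
    echo "No MongoDB listener is bound to all interfaces"
else
    echo "At least one MongoDB listener is exposed on all interfaces"
fi
```

A bound:ADDR verdict is not automatically safe: it only means the listener is limited to one interface, so the firewall check that follows still applies to whichever network that interface sits on.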

How to fix this

To limit access to MongoDB ports and reduce the attack surface, the following actions can be taken.

Limit network exposure

Limit network exposure by carrying out the following:

  • ensure that MongoDB runs in a trusted network environment and configure firewall or security groups to control inbound and outbound traffic for your MongoDB instances
  • disable direct SSH root access
  • allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available
  • install behind a firewall with access control lists to limit connections

Enable access control and enforce authentication

Enable access control and enforce authentication by carrying out the following:

  • enable access control and specify an authentication mechanism
  • create a user admin first, then create additional users
  • create a unique MongoDB user for each person/application that accesses the system
  • follow the principle of least privilege and create roles that define the exact access rights required by a set of users

Use encryption

Use encryption by carrying out the following:

  • configure MongoDB to use TLS/SSL for all incoming and outgoing connections
  • encrypt data in transit and at rest
  • collect logs to a central log store – these logs contain database authentication attempts including source IP addresses
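The three groups of actions above (limit network exposure, enable access control, use TLS) each map to a setting in mongod.conf. The script below is an added example, not part of the original guidance or of MongoDB's own tooling: it audits a mongod.conf for those settings and shows the weak configuration this page warns about beside a hardened version of the same instance. The two configuration files are constructed samples; the address 10.0.5.12 and the certificate path /etc/ssl/mongodb.pem are assumed placeholders. The parser handles the common "key: value" YAML layout of mongod.conf, not every YAML form.

```shell
#!/bin/sh
# Added example (not from the original guidance): audit a mongod.conf for the
# settings this page asks for and compare a weak config with a hardened one.

# conf_value FILE KEY -> value of the first "KEY: value" line, comments stripped
conf_value() {
    sed 's/#.*//' "$1" |
        awk -v k="$2" '$1 == (k ":") { sub(/^[ \t]*[^:]*:[ \t]*/, ""); gsub(/[ \t]+$/, ""); print; exit }'
}

# tls_mode FILE -> value of net.tls.mode (only TLS mode values are accepted,
# so operationProfiling.mode cannot be picked up by mistake)
tls_mode() {
    sed 's/#.*//' "$1" |
        awk '$1 == "mode:" && $2 ~ /^(disabled|allowTLS|preferTLS|requireTLS)$/ { print $2; exit }'
}

# bind_exposes_all LIST -> true if any comma-separated bindIp entry is a wildcard
bind_exposes_all() {
    list="$1"; old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
    for a in "$@"; do
        case "$a" in 0.0.0.0|::) return 0 ;; esac
    done
    return 1
}

# audit_mongod_conf FILE -> one OK/WARN/FAIL line per control
audit_mongod_conf() {
    f="$1"
    bind=$(conf_value "$f" bindIp)
    if [ "$(conf_value "$f" bindIpAll)" = "true" ]; then
        echo "FAIL net.bindIpAll is true: mongod listens on every interface"
    elif [ -z "$bind" ]; then
        echo "WARN net.bindIp not set: the default is localhost only (MongoDB 3.6+), but set it explicitly"
    elif bind_exposes_all "$bind"; then
        echo "FAIL net.bindIp ($bind) includes a wildcard address: reachable from any network"
    else
        echo "OK   net.bindIp restricted to: $bind"
    fi
    case "$(conf_value "$f" authorization)" in
        enabled) echo "OK   security.authorization enabled" ;;
        *)       echo "FAIL security.authorization not enabled: anyone who can reach the port can read and write data" ;;
    esac
    mode=$(tls_mode "$f")
    case "$mode" in
        requireTLS) echo "OK   net.tls.mode requireTLS" ;;
        "")         echo "FAIL net.tls.mode not set: connections are unencrypted" ;;
        *)          echo "FAIL net.tls.mode is $mode: plaintext connections are still accepted" ;;
    esac
}

# Constructed samples (not taken from any real deployment).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# weak: the exposed configuration this guidance warns about
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
EOF
cat > "$HARD_CONF" <<'EOF'
# hardened: the same instance after applying the guidance
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12      # loopback plus the private app-tier interface only (assumed address)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled
EOF

echo "== weak =="; audit_mongod_conf "$WEAK_CONF"
echo "== hardened =="; audit_mongod_conf "$HARD_CONF"
```

On a live host run `audit_mongod_conf /etc/mongod.conf` (or wherever mongod is started from). A passing audit still leaves the user-level work to do: with authorization enabled, create the user administrator first, then one account per person or application with a role limited to the databases and actions it needs.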

Audit system activity

Track access and changes to database configurations and data.

MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance.

These audit records permit forensic analysis and allow administrators to exercise proper controls. You can set up filters to record only specific events, such as authentication events.

Run MongoDB with a dedicated user

Run MongoDB processes with a dedicated operating system user account.

Ensure that the account has permissions to access data but no unnecessary permissions.
