32

I could not understand what bind_ip in mongodb is. I could make a remote connection from desktop to the EC2 machine by having bind_ip = 0.0.0.0, but could not make it work with bind_ip = 127.0.0.1.

Please explain to me what bind_ip is and why it works for 0.0.0.0 and not for 127.0.0.1.

For reference from mongodb docs:

bind_ip

Default: All interfaces.

Set this option to configure the mongod or mongos process to bind to and listen for connections from applications on this address. You may attach mongod or mongos instances to any interface; however, if you attach the process to a publicly accessible interface, implement proper authentication or firewall restrictions to protect the integrity of your database.

You may concatenate a list of comma separated values to bind mongod to multiple IP addresses.

Axe
GJain

5 Answers

56

Everywhere it's written that you have to bind them like this

bindIp : 127.0.0.1,192.168.0.50

but it doesn't work.

How it works in version 3.2.0 is

bindIp : [127.0.0.1,192.168.0.50]

So try to add your IPs inside the [ ]

Example:

# network interfaces
net:
      port: 27017
      bindIp : [127.0.0.1,0.0.0.0]  # (read what is written below in BOLD!)

However 0.0.0.0 opens up the stuff. While this is ok for TESTING, for production you should know the security implications of this setting!

OWADVL
  • 8
    I don't know why it is marked as a not useful answer. We have spent a bunch of hours trying to understand why our MongoDB does not start, and in the end we discovered that the `bindIp` parameter requires this notation for managing multiple IPs. Logs on MongoDB are a pain in the ass. The documentation just says: "To bind to multiple IP addresses, enter a list of comma separated values". The key is what a list means. – inigomedina Mar 09 '16 at 16:25
  • 8
    This works because it exposes the database publicly to *all* IPs. Huge security vulnerability here. – Randomblue May 04 '16 at 13:05
  • This is not the format mentioned in the docs... same as Randomblue said, it opens it for everyone. – rahil sharma Jun 14 '16 at 15:59
  • I am using mongo 3.0.something and it's on EC2, so I have defined two interfaces like this: bindIp: 127.0.0.1,172.145.1.15 (just an example), on which my mongo is listening. And in my security groups I have added filters for which IPs can connect to it. Can you please provide a link to their docs where they have mentioned you can use it like [ip1,ip2]? – rahil sharma Jun 15 '16 at 09:49
  • 8
    One year later and ~25K MongoDB servers that had `0.0.0.0` are hijacked and their data lost. This answer should be updated ASAP – Panagiotis Kanavos Jan 12 '17 at 12:08
48

Before binding your server to 0.0.0.0, please be clear about the security implications of those changes: Your server will be publicly exposed to all IPs on the whole internet. Be sure to enable authentication on your server!

You can't access your machine when you bind it to 127.0.0.1 on EC2. That's not a bug, it's reasoned by the network interface bindings.

127.0.0.1 will only bind to the loopback interface (so you will only be able to access it locally), while 0.0.0.0 will bind it to all network interfaces that are available.

That's why you can access your mongodb on EC2 when you bind it to 0.0.0.0 (as it's available through the internet now) and not via 127.0.0.1.

For local servers (like a WAMP or a local mongodb server) that won't look different to you, but for that case you should also think that binding to 0.0.0.0 for local servers might make them available over all network interfaces (so it might be public for someone who knows your IP, if there is no firewall!)

Read on a similar question on Server Fault here.

ConcurrentHashMap
  • my answer is better, check below :) – OWADVL Dec 17 '17 at 14:54
  • Upvoted, but shouldn't 127.0.0.1 work if you are on the same instance? You might not be able to do remote queries using the mongo command via ssh, but doesn't this make it secure? – PirateApp Jun 20 '19 at 11:25
  • 1
    @PirateApp You're right. If you want to connect from the same instance and connect to 127.0.0.1, everything will work fine. The question aimed for a solution for remote connection to the mongodb, so in those cases you need either some kind of VPN or SSH tunnel or set the bind interface to a public one. – ConcurrentHashMap Jul 04 '19 at 16:05
  • "Your server will be publicly exposed to all IPs on the whole internet" clearly depends on your firewall settings. By default it should be blocked. – Wernfried Domscheit May 07 '23 at 15:38
14

It should be clear for anyone looking up this answer that binding your MongoDB to 0.0.0.0 could be your worst move ever.

Please read up on the following article and make sure that whenever you DO decide to go all public with your (and your customers') data, you consider the following:

  • Do you have additional firewall rules to decide who or what can access your service?
  • Understand that when using Amazon EC2, if you allow 'internal' traffic it should be considered the same as putting it wide open; you are not alone at Amazon.
  • Are your services password protected? And what kind of authentication? Is the data submitted in clear text or using encryption?
  • Are you using the default database names, or have you copy-pasted an example?
Sam Hermans
  • 2
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient [reputation](http://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](http://stackoverflow.com/help/privileges/comment). - [From Review](/review/low-quality-posts/10613323) – Blackwood Dec 18 '15 at 16:06
  • 2
    @Blackwood I suspect that you'd want to reconsider this in the wake of ~25K MongoDB ransom attacks. This is probably the most helpful answer – Panagiotis Kanavos Jan 12 '17 at 12:02
  • 1
    @PanagiotisKanavos I have reviewed the question and while this may be good advice, it is not an answer to the question. – Blackwood Jan 12 '17 at 15:16
2

For linking to a local MongoDB installation (dev environment), I found the following 3-step process much easier - and it worked.

  1. docker run -d -p 27017-27019:27017-27019 --name mongodb mongo

  2. docker exec -it mongodb bash

  3. mongo (voilà - you are in, i.e. connected to MongoDB)

Source: https://www.thepolyglotdeveloper.com/2019/01/getting-started-mongodb-docker-container-deployment/

0

When setting is bindIp: 127.0.0.1 (or bindIp: localhost) then mongod listens only to loopback IP, this means you can connect only from the local machine where mongod is running.

When setting is bindIp: 0.0.0.0 (or bindIpAll: true) then mongod listens to all IPs, this means you can connect from any remote computer - unless the connection is blocked by your firewall.

Note, localhost is an alias which may resolve to IPv4 address 127.0.0.1 or to IPv6 address ::1, see Can't connect to MongoDB 6.0 Server locally using Nodejs driver

Wernfried Domscheit
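An added example (not from any of the answers above, and not MongoDB's own tooling): a small Python audit that reads the bind settings in the notations that appear on this page (`bindIp: a,b`, `bindIp: [a,b]`, `bind_ip = a`, `bindIpAll: true`), classifies each address, and reports whether `security.authorization` is enabled. It does not decide which notation a given mongod version accepts; function names and sample configs are constructed for illustration.

```python
import ipaddress
import re

def parse_bind_ip(conf_text):
    """Collect bind addresses from mongod config text (YAML or old ini style)."""
    addrs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(bindIpAll|bindIp|bind_ip)\s*[:=]\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "bindIpAll":
            if value.lower() == "true":
                addrs.append("0.0.0.0")              # treated like the wildcard
            continue
        # Accept both notations seen on this page: "a,b" and "[a,b]".
        addrs += [a.strip() for a in value.strip("[]\"'").split(",") if a.strip()]
    return addrs

def classify(addr):
    if addr == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"                            # must be resolved to judge
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(conf_text):
    kinds = {a: classify(a) for a in parse_bind_ip(conf_text)}
    auth = bool(re.search(r"^\s*authorization\s*:\s*[\"']?enabled", conf_text, re.M))
    if not kinds:
        scope = "bindIp unset (default depends on version)"
    elif set(kinds.values()) == {"loopback"}:
        return {"addresses": kinds, "auth": auth, "verdict": "loopback only"}
    elif "all-interfaces" in kinds.values():
        scope = "all-interfaces"
    else:
        scope = "specific non-loopback interfaces"
    return {"addresses": kinds, "auth": auth,
            "verdict": f"{scope}, {'auth enabled' if auth else 'no auth'}"}

# Constructed sample configs (not from a real host).
OPEN_CONF = "net:\n  port: 27017\n  bindIp : [127.0.0.1,0.0.0.0]\n"
SCOPED_CONF = ("net:\n  bindIp: 127.0.0.1,192.168.0.50\n"
               "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("scoped", SCOPED_CONF)):
        print(name, audit(conf))
```

A "loopback only" verdict matches the 127.0.0.1 case from the question; any other verdict means reachability is decided by the firewall or security group, so those rules and authentication are what to review next.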