user3188101

Reputation: 99

How to disable MongoDB TCP port?

How to disable the TCP port?

Configure only the unix socket.

For isolation of local users.

Upvotes: 6

Views: 1550

Answers (3)

ecarlin

Reputation: 1233

Late to the game, but for future viewers: you can disable TCP by using a bindIp that points to a socket file.

For example:

net:
    port: 8080
    # socket filename has port in it
    bindIp: /var/tmp/mongodb/mongodb-8080.sock
    unixDomainSocket:
        pathPrefix: /var/tmp/mongodb

If I start mongo and run lsof -i :8080, I don't see mongo listening on that port.

Upvotes: 1
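An added audit script to confirm the result described in this answer on a Linux host (example code, not from the answer or from MongoDB): it checks that no mongod process holds a TCP listener in `ss -lntp` output and that the socket file is not reachable by "other" users. It assumes the socket path from the config above, GNU stat, and constructed sample `ss` output for the offline demonstration.

```shell
#!/bin/sh
# Added example: audit that mongod is reachable only through its unix domain socket.
# SOCK_PATH is the path from the answer's config (an assumption about your setup).
SOCK_PATH="/var/tmp/mongodb/mongodb-8080.sock"

# Count TCP LISTEN entries owned by mongod. $1 is the text of `ss -lntp`.
# Prints the count; 0 means mongod has no TCP exposure at all.
count_mongod_tcp_listeners() {
    printf '%s\n' "$1" | grep -c 'users:(("mongod"' || true
}

# Return 0 when an octal mode (e.g. 700, 0770) grants nothing to "other" users.
# MongoDB's net.unixDomainSocket.filePermissions defaults to 0700.
socket_mode_ok() {
    case "$1" in
        *[1-7]) return 1 ;;
        *)      return 0 ;;
    esac
}

# Live check against this host (GNU stat assumed). Returns 1 on any finding.
audit_live() {
    rc=0
    n=$(count_mongod_tcp_listeners "$(ss -lntp 2>/dev/null)")
    if [ "$n" -ne 0 ]; then
        echo "FINDING: mongod still has $n TCP listener(s)"; rc=1
    fi
    if [ ! -S "$SOCK_PATH" ]; then
        echo "FINDING: $SOCK_PATH is not a unix socket"; rc=1
    elif ! socket_mode_ok "$(stat -c '%a' "$SOCK_PATH")"; then
        echo "FINDING: $SOCK_PATH is accessible to other users"; rc=1
    fi
    return $rc
}

# Constructed sample: a mongod still bound to TCP, plus an unrelated sshd listener.
SAMPLE_TCP_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:27017    0.0.0.0:*         users:(("mongod",pid=1234,fd=9))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Constructed sample: the same host after bindIp was switched to the socket file.
SAMPLE_SOCKET_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Run the live audit only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_live; fi
```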

Bradley Kreider

Reputation: 1155

This is a 5-year-old bug at least. The only issue I found was closed as WONTFIX and RTFM, but this issue logged against 2.4 here somewhat relates to the issue: https://jira.mongodb.org/browse/SERVER-9383.

MongoDB will refuse to create the unix domain socket unless the IPv4 IP address is either 127.0.0.1 or 0.0.0.0. You don't get to run it on one interface or disable it (for reasons unstated). To me it's a reflection of the quality of the MongoDB code.

I traced the code back to 2011, and my belief is that it was a crude hack to prevent you from accidentally having 2 mongodb processes trying to create the same socket file. If you ran one instance on 192.168.1.1:27017 and 192.168.1.2:27017, they would both try to create the same socket file at /tmp/mongod-27017.sock. Since no one at 10gen has a clue as to why that check is in there, no one has fixed it since 2011. It's easy to check that 127.0.0.1:27017 is already in use, because of EADDRINUSE, but it's hard to check whether your socket file is stale or another process created it. I'm not sure why they didn't just name the socket file differently.

See the code here: https://github.com/mongodb/mongo/blob/r2.2.4/src/mongo/util/net/listen.cpp#L91

if (useUnixSockets && (sa.getAddr() == "127.0.0.1" || sa.getAddr() == "0.0.0.0")) // only IPv4
    out.push_back(SockAddr(makeUnixSockPath(port).c_str(), port));

Upvotes: 3

Neil Lunn

Reputation: 151112

I can understand that your concern here is with security in your setup, but it is worth considering that MongoDB is built by design to interact in clustered systems, and hence TCP networking is part of that design. That said, and as you are aware, there is by default a unix domain socket connection you can use for local access.

You can use the '--bind_ip' configuration option to bind to the loopback only ('127.0.0.1') or only to the interface you wish to use, as mongod will by default bind to all available interfaces. For a full list of startup options, you might want to look at the manual page to determine what you need.

For other security measures, you can refer to your firewall rules.

Upvotes: 1
