6.1 Ensure that the HTTP status interface is disabled

Information

MongoDB by default provides an HTTP interface running on port 28017 to provide the home status page. This page provides certain critical information about the databases statistics and clients.

Please note that this function has been Deprecated since version 3.2.

Rationale:

An attacker could access the status page to learn more about the MongoDB server and determine how to compromise it.

Solution

Disable the HTTP status interface by setting nohttpinterface = True in the /etc/mongod.conf file.

Default Value:

Enabled

See Also

https://workbench.cisecurity.org/files/168

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 79b6d5b999325d805bb147a815c91db1b42a55a0f24ec02e1e2cf5a373605433