Port 27017 · MongoDB
MongoDB listens on port 27017 by default. It has historically been responsible for the largest single data-leak class, because pre-3.0 builds shipped without authentication enabled.
What runs on port 27017
MongoDB is a document database. The default service binds to TCP/27017. Versions before 3.6 bound to `0.0.0.0` by default, exposing the database on every interface; later versions bind to localhost unless explicitly reconfigured. Authentication is optional and disabled out of the box.
Why public exposure is dangerous
Exposed unauthenticated MongoDB instances led to multiple mass-ransom campaigns in 2017 — attackers dropped every database, replaced it with a 'pay us to restore' note, and held thousands of small-business databases hostage. Even with authentication, a weak `admin` password lets an attacker read or destroy every collection.
How to lock it down
Set `bindIp: 127.0.0.1` in `mongod.conf` for local-only access, or set it to the address of a private-network interface. Enable authentication with `security.authorization: enabled` and create an admin user with a strong password before exposing the database to any application server. Use TLS for client connections. Add a host firewall as belt-and-suspenders.
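The settings above can be checked mechanically. The following is an added example, not code from this page or from MongoDB: a small Python audit of `mongod.conf`-style YAML that flags all-interface binding, disabled authorization and non-mandatory TLS. The sample configs, the `10.0.0.5` address and the certificate path are constructed, `net.tls.mode: requireTLS` is assumed as the way to enforce the TLS recommendation, and a missing `bindIp` is treated as the 3.6+ localhost default.

```python
# Added example: audit simple nested "key: value" mongod.conf YAML.
def flatten(conf_text):
    """Map nested sections to dotted keys, e.g. {'net.bindIp': '127.0.0.1'}."""
    flat, stack = {}, []  # stack: (indent, key) of currently open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections at the same or deeper indent
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(conf_text):
    """Return findings; an empty list means all three checks passed."""
    c, findings = flatten(conf_text), []
    # Assumption: a missing bindIp means the 3.6+ localhost default.
    addrs = {a.strip() for a in c.get("net.bindIp", "127.0.0.1").split(",")}
    if c.get("net.bindIpAll") == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp: listens on every interface")
    if c.get("security.authorization") != "enabled":
        findings.append("security.authorization: not enabled")
    if c.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode: clients can connect without TLS")
    return findings

# Constructed sample configs (not from the page).
WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5  # localhost plus a private interface (made up)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem  # placeholder path
security:
  authorization: enabled
"""
```

Calling `audit(WEAK)` returns three findings and `audit(HARDENED)` returns an empty list; pass the text of a real `mongod.conf` to check a host.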
When public exposure is legitimate
The legitimate case is internal-network access from application servers. Public exposure is essentially never appropriate; managed MongoDB services (Atlas) expose connections through their own gateway with mandatory TLS and IP allowlists.
Other ports DomainCare scans
- :3306 MySQL — MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
- :5432 PostgreSQL — PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
- :6379 Redis — Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
- :9200 Elasticsearch — Elasticsearch listens on port 9200 by default. Public exposure exposes the entire indexed dataset to any internet user.