Port reference

Port 27017 (TCP) – MongoDB

Default port for the MongoDB NoSQL document database.

TCP | Registered | Commonly attacked

Default state

Older MongoDB versions bound to 0.0.0.0 with no authentication enabled by default. Modern packages bind to localhost and require auth, but countless legacy and misconfigured instances remain open.

Common attacks

  • Unauthenticated access to read, dump, or delete entire databases
  • Ransom attacks that wipe data and leave a payment note
  • NoSQL injection from exposed application layers
  • Information disclosure of collections and credentials

Hardening

  • Bind to localhost or a private interface (bindIp); never expose 27017 to the internet
  • Enable authentication (--auth) and role-based access control
  • Enforce strong, unique credentials and least-privilege roles
  • Require TLS for client and intra-cluster traffic; firewall to trusted hosts
  • Keep MongoDB patched and audit access

nmap snippet

nmap -p27017 --script mongodb-info,mongodb-databases <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 27017?

Port 27017 is the default for MongoDB, a popular NoSQL document database. Application servers and admin tools such as mongosh and Compass connect over 27017 to read and write JSON-like documents in collections that frequently back web and mobile applications.

Why it matters for security

MongoDB is the textbook example of database exposure gone wrong. Older versions bound to all interfaces with authentication disabled by default, so anyone who could reach 27017 had full access. This produced some of the largest open-database breaches on record, followed by waves of ransom attacks that wiped collections and demanded payment for their return.

How it's attacked

Attackers scan for open 27017 and connect without credentials. They enumerate and dump every database, exfiltrating sensitive data, then frequently delete the collections and leave a ransom note. Where the database backs a web app, NoSQL injection can also be used to bypass authentication or extract data.

Hardening checklist

Bind MongoDB to localhost or a private interface via bindIp and keep 27017 off the public internet, behind a firewall or VPN. Enable authentication (--auth) with role-based access control, enforce strong unique credentials and least-privilege roles, and require TLS for client and cluster traffic. Patch regularly and audit access. Use the nmap snippet above to detect open, unauthenticated instances on hosts you are authorized to test.
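
The configuration side of this checklist can also be checked offline. The following Python is an added example, not part of the original page or of MongoDB's tooling: it flags a mongod.conf that binds to a wildcard or public address, leaves security.authorization off, or does not set net.tls.mode to requireTLS. The parser, the function names and the sample configs are constructed for illustration, and an absent setting is assumed to mean localhost bind, auth off and TLS off.

```python
import ipaddress

def parse_conf(text):
    """Flatten the nested 'key: value' subset of YAML used by mongod.conf into dotted keys."""
    flat, stack = {}, []                      # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumes no '#' in values)
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave sections we have dedented out of
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return flat

def is_public_bind(addr):
    if addr in ("0.0.0.0", "::", "*"):        # wildcard: listens on every interface
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                          # hostname or socket path: not judged here
    return not (ip.is_loopback or ip.is_private)

def audit(conf_text):
    """Return findings; absent settings are treated as localhost bind, auth off, TLS off."""
    c, findings = parse_conf(conf_text), []
    binds = [a.strip() for a in c.get("net.bindIp", "127.0.0.1").split(",")]
    if c.get("net.bindIpAll", "false").lower() == "true" or any(map(is_public_bind, binds)):
        findings.append("net.bindIp: listens on a wildcard or public address")
    if c.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization: access control is not enabled")
    if c.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode: TLS is not required")
    return findings

# Constructed sample configs (addresses are illustrative)
LEGACY = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = """\
net:
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""
```

Pass the contents of a mongod.conf to audit(); an empty list means none of the three checks fired, while the constructed LEGACY sample returns all three findings.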

Frequently asked questions

Is it safe to expose MongoDB on port 27017?

No. Open MongoDB instances caused some of the largest data breaches and ransom waves on record. Bind to localhost or a private network, enable --auth, require TLS, and firewall the port.

Why were so many MongoDB databases ransomed?

Older defaults bound to all interfaces with no authentication, so anyone could connect, dump, and delete the data, then leave a ransom note demanding payment for its return.