Port reference
Port 28017 (TCP) – MongoDB HTTP Status (legacy)
Legacy MongoDB HTTP status/admin page exposing server and database information.
Default state
Older MongoDB versions enabled an HTTP status interface on 28017, often on 0.0.0.0 with no authentication. It leaks database, server, and operational detail and was removed in MongoDB 3.6.
Common attacks
- Information disclosure of databases, status, and server build details
- Reconnaissance to pivot to the main MongoDB port (27017)
- REST interface abuse to query data on versions where it is enabled
- Enumeration of replica set and operational metrics
Hardening
- Disable the HTTP status interface (--nohttpinterface) or upgrade past MongoDB 3.6
- Bind to localhost or a private interface; never expose 28017 to the internet
- Enable authentication on MongoDB and require TLS
- Firewall both 28017 and 27017 to trusted hosts
- Keep MongoDB patched and audit access
nmap snippet
nmap -p28017 --script mongodb-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 28017?
Port 28017 served the legacy MongoDB HTTP status interface, a built-in web page that displayed server status, databases, replica-set state, and build details. It complemented the main MongoDB wire protocol on 27017. The HTTP interface was deprecated and removed in MongoDB 3.6, so it only appears on older installations.
Why it matters for security
The status page was typically unauthenticated and bound to all interfaces, making it an easy information-disclosure target. The leaked server and database details give attackers everything they need to plan an attack against the main database on 27017, and on some versions the REST interface allowed direct data queries.
How it's attacked
Attackers scan for open 28017 and read the status page to enumerate databases, versions, and operational metrics. That reconnaissance is used to pivot to 27017 for unauthenticated access, or to abuse the REST interface where it is enabled to query data directly.
Hardening checklist
Disable the HTTP status interface (--nohttpinterface) or upgrade past MongoDB 3.6, which removes it entirely. Bind MongoDB to localhost or a private interface, enable authentication, and require TLS. Firewall both 28017 and 27017 to trusted hosts, patch regularly, and audit access. Use the nmap snippet above to detect exposed legacy interfaces on hosts you are authorized to test.
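The checklist above, expressed as a mongod.conf for a legacy 3.x server (added example, not configuration from the original page): the weak settings that produce an exposed 28017 are shown commented out, followed by the hardened equivalents. The 10.0.0.5 address and the /etc/ssl paths are placeholders.

```yaml
# mongod.conf, MongoDB 3.x (config-file names for the flags the page mentions)

# --- Weak: what an exposed legacy install typically looks like ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0            # every interface, including public ones
#   http:
#     enabled: true            # legacy status page on 28017, no authentication
#     RESTInterfaceEnabled: true   # allows data queries over HTTP
# (no security.authorization key -> anonymous access to 27017 as well)

# --- Hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface (placeholder address)
  http:
    enabled: false             # same effect as --nohttpinterface; the interface is gone in 3.6+
    RESTInterfaceEnabled: false
    JSONPEnabled: false
  ssl:
    mode: requireSSL           # require TLS on the wire-protocol port
    PEMKeyFile: /etc/ssl/mongodb.pem   # placeholder path
    CAFile: /etc/ssl/mongodb-ca.pem    # placeholder path
security:
  authorization: enabled       # users must authenticate before touching data
```

After applying the hardened file, confirm from another host that 28017 no longer answers at all and that 27017 is reachable only from the trusted network range allowed by the firewall.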
Frequently asked questions
- What was port 28017 used for in MongoDB?
- 28017 served the legacy MongoDB HTTP status page, a web interface showing server status, databases, and build info. It was unauthenticated by default and removed in MongoDB 3.6, so it should be disabled and never exposed.
- Is port 28017 still a risk today?
- Only on legacy MongoDB installs that still run the HTTP interface. Where present, it leaks information useful for attacking the main 27017 port. Upgrade past 3.6 or disable the interface and firewall both ports.