Every database, other than maybe local development servers, should be set up with the following in the mongod.conf file:
auth = true
SSL should be always enabled, as described in the relevant Chapter 7, Monitoring, Backup and Security.
REST and HTTP status interfaces should be disabled by adding the following lines in mongod.conf:
nohttpinterface = true
rest = false
Access should be restricted only between application servers and MongoDB servers and only in the interfaces that are needed. Using bind_ip we can force MongoDB to listen to specific interfaces instead of the default bind to every interface-available behavior:
bind_ip = 10.10.0.10,10.10.0.20