"Does anyone know of a "security checklist" one could follow for mongodb?"
Firewall, on the local machine ALL ports except for the ones that you expect to be accessed remotely.
This is for all hosts - even your laptop. Never mind mongo.
There is no reason at all to leave inbound ports open for requests you don't expect to service.
Further, and I know this makes peoples heads spin and they foam at the mouth, but for ports you do need open, but don't serve the public (ssh, for instance) set up a port knock. Now it's invisible and you don't care about the 0day for that service.[1]
[1] Stop. Take a deep breath. Re-read the above post and realize that I did not say to remove your login passwords and keys and rely on only the port knock for security. Take another deep breath. It's going to be OK.
The trick is to never assume that anything you're running is secure. Because nothing ever is these days.
So the usual rules apply: (1) have a firewall with only the bare minimum ports open, (2) make sure everything you are running is on unusual ports especially SSH, (3) VPN, jump hosts or port knocking if you need remote access, (4) use something like Fail2Ban or Sentry.
The unusual ports thing is just a total waste of time. If someone wants in they are not going to brute force your ssh password over the network unless you've use stupidly simple passwords. They might get a targeted attack via reused passwords, which an unusual port won't stop either. If you can't control that then use 2FA or force use of ssh keys.
True, but it doesn't stop people (and worms) from trying endlessly and filling you logs with tons of rubbish that makes it hard to spot the real threats.
I have not used mongodb in any production environment but it would be nice to know what one should do to make it secure.