It appears now with 4.0.0 Enterprise and Java 11 we can bind JMX to a particular address instead of broadcasting it to the world using these settings:
# Remote JMX monitoring, uncomment and adjust the following lines as needed. Absolute paths to jmx.access and # jmx.password files are required. # Also make sure to update the jmx.access and jmx.password files with appropriate permission roles and passwords, # the shipped configuration contains only a read only role called 'monitor' with password 'Neo4j'. # For more details, see: http://download.oracle.com/javase/8/docs/technotes/guides/management/agent.html # On Unix based systems the jmx.password file needs to be owned by the user that will run the server, # and have permissions set to 0600. # For details on setting these file permissions on Windows see: # http://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html # bind JMX to localhost only dbms.jvm.additional=-Dcom.sun.management.jmxremote.host=127.0.0.1 dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637 dbms.jvm.additional=-Dcom.sun.management.jmxremote.authenticate=true dbms.jvm.additional=-Dcom.sun.management.jmxremote.ssl=false dbms.jvm.additional=-Dcom.sun.management.jmxremote.password.file=/opt/neo4j/conf/jmx.password dbms.jvm.additional=-Dcom.sun.management.jmxremote.access.file=/opt/neo4j/conf/jmx.access
Could we update the default conf in 4.0 to show this is possible now?