MongoDB server can still be accessed without credentials

Authentication prevents you from performing actions on the database (as your screenshot shows, you can't even list databases); it doesn't prevent connections. After all, you have to be able to connect in order to authenticate.

There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.

It's worth noting that up until you try to do something, this is really no different from just connecting to the port with telnet. The text displayed at the start ("connecting to:" etc.) is from the client, not the server. As soon as the client tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.

If you want to lock things down from a connection perspective, the only option within MongoDB itself is to restrict the IP addresses it listens on (the default is all) using the bindIp option. Using 127.0.0.1, for example, would lock it down to local usage (but you would then be unable to connect from a remote host), which makes replication an issue, so be careful when choosing your bound address.

Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.


You can also protect your databases by enabling authentication in the security section of the mongo.conf file, like this:

security:
  authorization: enabled
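As an added example (not code from either answer above, nor from MongoDB itself) covering both the bindIp/firewall discussion and the authorization fragment: a small POSIX shell checker that reads a mongod YAML config and flags the two settings that leave the server open, an unset or "all interfaces" net.bindIp and a security.authorization that is not "enabled". The function names, the two-space indentation it expects, and the two sample config files are assumptions made here for illustration; the weak file is what an unprotected server looks like and the hardened file is the corrected form.

```shell
#!/bin/sh
# Added example: lint a mongod YAML config for the two settings the answers discuss.
# Assumes the simple "section:" / "  key: value" layout of mongod's config examples.

# conf_value FILE SECTION KEY -> prints the value of SECTION.KEY (empty if absent).
conf_value() {
    awk -v sec="$2" -v key="$3" '
        # a line starting in column 0 (not blank, not a comment) opens a new section
        /^[^[:space:]#]/ { in_sec = ($0 == (sec ":")) }
        in_sec && $1 == (key ":") {
            sub(/^[[:space:]]*[^:]+:[[:space:]]*/, "")   # drop "  key: "
            sub(/[[:space:]]*#.*/, "")                   # drop trailing comment
            print; exit
        }
    ' "$1"
}

# check_mongod_conf FILE -> exit 0 if locked down, else print each finding and exit 1.
check_mongod_conf() {
    rc=0
    auth=$(conf_value "$1" security authorization)
    bind=$(conf_value "$1" net bindIp)
    bindall=$(conf_value "$1" net bindIpAll)

    if [ "$auth" != "enabled" ]; then
        echo "$1: security.authorization is '${auth:-unset}'; unauthenticated clients can run commands"
        rc=1
    fi
    # Empty (relies on the build's default; older releases listened everywhere),
    # 0.0.0.0 or :: anywhere in the comma-separated list means every interface.
    case ",$bind," in
        ,,|*,0.0.0.0,*|*,::,*)
            echo "$1: net.bindIp is '${bind:-unset}'; mongod listens on all interfaces"
            rc=1 ;;
    esac
    if [ "$bindall" = "true" ]; then
        echo "$1: net.bindIpAll is true; mongod listens on all interfaces"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not taken from any real server).
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# weak: no auth, listening on every interface
cat > "$WEAK_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# hardened: auth on, bound to loopback plus one replication address
cat > "$HARD_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed replica-set peer address
security:
  authorization: enabled
EOF

check_mongod_conf "$WEAK_CONF" || echo "weak config rejected"
check_mongod_conf "$HARD_CONF" && echo "hardened config accepted"
```

Binding to a specific address only controls which interfaces mongod listens on; the same allow-list still belongs in the host firewall, for example `ufw allow from 10.0.0.0/24 to any port 27017 proto tcp` on a ufw host, so that only the application and replica-set hosts can reach the port at all.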

Tags: Mongodb