ejabberd - Comments for "howto bind epmd to one ip"

Submit your ideas to the proper place

mfoss — Sat, 05 Jun 2010 14:34:30 +0000

The Reverse Side of Spamcatcher2 wrote:

It is unbelievable unsecure to administrate a server machine without a restrictive firewall setup! And it is totaly unacceptable. Requiring to develop in each program, ensure the security/bugs of each program, and configure in each program to bind to a unique IP address to workaround a good firewall setup, seems to show a complete lack of knowledge about this topic. The whole responsibility of this administrator is more than suspitious.

spamcatcher2 wrote:

it is *required* that epmd can be configured to listen only on 127.*.*.* and / or localhost

EPMD is developed as part of Erlang/OTP, not in ejabberd. You should send your EPMD feature request to the Erlang/OTP developers. You can also write a patch that implements that feature, and propose it. Notice that EPMD is written in the well-known C language, not in the less-known Erlang language.

This feature request was already discussed in the Erlang questions mailing list three years ago: Restrict epmd to one IP address?. That discussion didn't find such option in EPMD. In the discussion, I found an interesting comment:

Per Hedeland wrote:

And btw, at least on the Unices I have used, binding to an IP address does not bind to an interface - if you bind to an address configured on eth0 and a connection to it happens to arrive on eth1, it will happily be accepted anyway (thus, depending on network topology and perceived threats, binding to a specific address may be a pretty weak protection and no substitute for a firewall - which is not to imply that epmd needs protecting:-).

If EPMD included an option to limit the IP address to only 127.0.0.1, the ejabberd developers might use it in the ejabberd start script. But I've checked now, and EPMD still doesn't have such option.

In summary, I recommend you to reconsider your feature request. If your initial idea seems still good, send an email to the erlang-questions mailing list.

It is unbelievable unsecure

spamcatcher2 — Fri, 04 Jun 2010 23:47:34 +0000

It is unbelievable unsecure to run a daemon on an open port on all available IPs!
And it is totaly unacceptable.

Recommending a firewall to work around this, seems to show a complete lack of knowledge about this topic.

So, it is *required* that epmd can be configured to listen only on 127.*.*.* and / or localhost and any required port!

As i understood this issue, epmd is even required to run ejabberd without database crashes.
This too, is unbelievable ...

The whole architecture of this software is more than suspitious.

So, i recommend the following:

Change ejabberd to listen on a local port for ejabberctl command - for example to shutdown.
BUT, also cleanly shut down that daemon after a regular signal!

If epmd is still required for communication between connected nodes, you can still allow to listen on the required IP-adress (only) and *then* use a firewall to channel the communication.

This very webpage is is made more secure with all it´s CAPTCHA codes than the ejabberd daemons ...

A firewall is not a

mremond — Sat, 04 Oct 2008 14:38:05 +0000

A firewall is not a workaround but a tool that should be configured on production machine.
Now, if you insist on not using one, you are not asking on the right place.
Please, post a feature request to www.erlang.org.

Same here

franck34 — Sat, 04 Oct 2008 13:09:45 +0000

Any progress since 2007 ?

Same Problem here. Using a

fish — Mon, 02 Jul 2007 07:08:33 +0000

Same Problem here. Using a firewall would not fix that problem, it would be at most a workaround. The best way is to bind that port to 127.0.0.1 only, thats exaclty what i want and i guess its that what drscream wants.

A firewall should normally

mremond — Sat, 20 Jan 2007 15:39:39 +0000

A firewall should normally allow you to block the traffic that you want to prevent.

--
Mickaël Rémond
Process-one

Re: howto bind epmd to one ip

zengargoyle — Sat, 20 Jan 2007 01:53:19 +0000

drscream wrote:

Is there any chance to bind 'epmd' to one ip address? If so, how?

I have a patch! http://gir.usc.edu/erlang/otp_epmd_binding.patch.gz

Set the following environment variables before epmd is started:

export ERL_EPMD_DIST_BIND=192.168.254.100
# if you also need to change the default port.
export ERL_EPMD_DIST_PORT=

It may break stuff like clustering and remote shell access, but it works for me.

I run a simple ejabberd on a shared IRC hosting provider and had to make ejabberd/epmd bind to a single IP address and specific port.

If you need further help, I'm on the ejabberd mailing list.

Has nobody an idea how to

drscream — Sat, 06 Jan 2007 16:38:31 +0000

Has nobody an idea how to bind 'epmd' to one ip address?
I think this can be a security risk if 'epmd' listen to all ips from the server...

Thank you for the

drscream — Tue, 02 Jan 2007 22:47:45 +0000

Thank you for the information.
Now I changed my ejabberd node from "ejabberd@localhost" to "ejabberd@hostname.tld" but this have no result.
The two 'epmd' ports also open on my other ip addresses:
PORT STATE SERVICE
4369/tcp open unknown
49675/tcp open unknown (change every time)

Search on the web

mfoss — Tue, 02 Jan 2007 08:28:42 +0000

drscream wrote:

(For what is 'epmd' really needed?)

'The Erlang Port Mapper Daemon epmd is automatically started at every host where an Erlang node is started. It is responsible for mapping the symbolic node names to machine addresses.'

http://www.die.net/doc/linux/man/man1/epmd.1.html

Yes, i know, but this is

drscream — Mon, 01 Jan 2007 20:52:51 +0000

Yes, i know, but this is only for ejabberd (i edit my config file ejabberd.cfg). This doesn't work for 'epmd', or 'epmd' doesn't read the config file...(?/!).

in ejabberd book

evadim — Mon, 01 Jan 2007 19:50:56 +0000

www.process-one.net/en/projects/ejabberd/docs/guide_en.html#htoc16

3.3 Listened Sockets:

{ip, IPAddress}
This option specifies which network interface to listen for. For example {ip, {192, 168, 1, 1}}.