howto bind epmd to one ip

Hello,

I have a server with more than one IP address. If I start ejabberd (with the default ./start script), 'epmd' runs on all IP addresses.
Is there any chance to bind 'epmd' to one IP address? If so, how?

(What is 'epmd' really needed for?)

thanks,
drscream

in ejabberd book

www.process-one.net/en/projects/ejabberd/docs/guide_en.html#htoc16

3.3 Listened Sockets:

{ip, IPAddress}
This option specifies which network interface to listen for. For example {ip, {192, 168, 1, 1}}.

?

Yes, i know, but this is

Yes, I know, but this is only for ejabberd (I edited my config file ejabberd.cfg). This doesn't work for 'epmd', or 'epmd' doesn't read the config file (?/!).

Same Problem here. Using a

Same problem here. Using a firewall would not fix that problem; it would be at most a workaround. The best way is to bind that port to 127.0.0.1 only. That's exactly what I want, and I guess it's what drscream wants too.

It is unbelievably insecure

It is unbelievably insecure to run a daemon on an open port on all available IPs!
And it is totally unacceptable.

Recommending a firewall to work around this seems to show a complete lack of knowledge about this topic.

So, it is *required* that epmd can be configured to listen only on 127.*.*.* and / or localhost and any required port!

As I understood this issue, epmd is even required to run ejabberd without database crashes.
This too, is unbelievable ...

The whole architecture of this software is more than suspicious.

So, I recommend the following:

Change ejabberd to listen on a local port for the ejabberdctl command - for example to shut down.
BUT also cleanly shut down the daemon after a regular signal!

If epmd is still required for communication between connected nodes, you can still allow it to listen on the required IP address (only) and *then* use a firewall to channel the communication.

This very webpage is made more secure with all its CAPTCHA codes than the ejabberd daemons ...

Submit your ideas to the proper place

The Reverse Side of Spamcatcher2 wrote:
It is unbelievably insecure to administer a server machine without a restrictive firewall setup! And it is totally unacceptable. Requiring each program to develop, to ensure the security/bugs of, and to configure binding to a unique IP address as a workaround for a good firewall setup seems to show a complete lack of knowledge about this topic. The whole responsibility of this administrator is more than suspicious.

spamcatcher2 wrote:
it is *required* that epmd can be configured to listen only on 127.*.*.* and / or localhost

EPMD is developed as part of Erlang/OTP, not in ejabberd. You should send your EPMD feature request to the Erlang/OTP developers. You can also write a patch that implements that feature, and propose it. Notice that EPMD is written in the well-known C language, not in the less-known Erlang language.

This feature request was already discussed on the Erlang questions mailing list three years ago: Restrict epmd to one IP address?. That discussion didn't find such an option in EPMD. In the discussion, I found an interesting comment:

Per Hedeland wrote:
And btw, at least on the Unices I have used, binding to an IP address does not bind to an interface - if you bind to an address configured on eth0 and a connection to it happens to arrive on eth1, it will happily be accepted anyway (thus, depending on network topology and perceived threats, binding to a specific address may be a pretty weak protection and no substitute for a firewall - which is not to imply that epmd needs protecting:-).

If EPMD included an option to limit the IP address to only 127.0.0.1, the ejabberd developers might use it in the ejabberd start script. But I've checked now, and EPMD still doesn't have such an option.

In summary, I recommend you reconsider your feature request. If your initial idea still seems good, send an email to the erlang-questions mailing list.

Same here

Any progress since 2007 ?

Search on the web

drscream wrote:

(For what is 'epmd' really needed?)

'The Erlang Port Mapper Daemon epmd is automatically started at every host where an Erlang node is started. It is responsible for mapping the symbolic node names to machine addresses.'

http://www.die.net/doc/linux/man/man1/epmd.1.html

Thank you for the

Thank you for the information.
Now I changed my ejabberd node from "ejabberd@localhost" to "ejabberd@hostname.tld", but this had no result.
The two 'epmd' ports are also open on my other IP addresses:
PORT STATE SERVICE
4369/tcp open unknown
49675/tcp open unknown (changes every time)
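A check for exactly this situation, added here as example code (it is not from the thread, from ejabberd or from Erlang/OTP): the script below speaks the EPMD wire protocol directly. It sends a NAMES request (a 2-byte big-endian length followed by the byte 'n') and parses the reply (a 4-byte EPMD port followed by one "name NAME at port PORT" line per registered node), and it also parses the PORT_PLEASE2 reply with which epmd hands out a single node's distribution port. Run it from another host against each of the server's addresses; every address that answers is one on which epmd is reachable. Of the two ports in the nmap output above, only 4369 belongs to epmd itself; the high port that changes at every start is the ejabberd node's own distribution listener, which the node registers with epmd and which the NAMES reply reveals by name and port. The sample replies in the block are constructed for the offline assertions; the node name and port in them mirror the nmap output above and were not captured from a real server. For what it is worth, later Erlang/OTP releases did add what this thread asks for: `epmd -address` (or the `ERL_EPMD_ADDRESS` environment variable) restricts epmd to the listed addresses plus loopback, and the kernel parameters `inet_dist_use_interface` and `inet_dist_listen_min`/`inet_dist_listen_max` bind and pin the node's own distribution port.

```python
"""Query an Erlang Port Mapper Daemon (epmd) and list what it exposes.

Added example for this thread; not code from ejabberd or Erlang/OTP.
Wire format (EPMD protocol): every request is a 2-byte big-endian length
followed by the request body; the first body byte selects the request.
"""
import re
import socket
import struct
from typing import Dict, Optional

EPMD_PORT = 4369
NAMES_REQ = b"n"          # 110: list all registered nodes
PORT_PLEASE2_REQ = b"z"   # 122: ask for one node's distribution port
PORT2_RESP = 119          # 'w': first byte of the PORT_PLEASE2 reply

NODE_LINE = re.compile(rb"^name (\S+) at port (\d+)$")


def frame(body: bytes) -> bytes:
    """Prefix a request body with its 2-byte big-endian length."""
    return struct.pack(">H", len(body)) + body


def names_request() -> bytes:
    return frame(NAMES_REQ)


def port_please2_request(node_name: str) -> bytes:
    return frame(PORT_PLEASE2_REQ + node_name.encode("ascii"))


def parse_names_response(data: bytes) -> Dict[str, object]:
    """NAMES reply: 4-byte epmd port, then 'name NAME at port PORT\\n' per node."""
    if len(data) < 4:
        raise ValueError("short NAMES response")
    (epmd_port,) = struct.unpack(">I", data[:4])
    nodes: Dict[str, int] = {}
    for line in data[4:].split(b"\n"):
        if not line:
            continue
        m = NODE_LINE.match(line)
        if m is None:
            raise ValueError("unexpected node line: %r" % line)
        nodes[m.group(1).decode("ascii")] = int(m.group(2))
    return {"epmd_port": epmd_port, "nodes": nodes}


def parse_port2_response(data: bytes) -> Optional[Dict[str, object]]:
    """PORT_PLEASE2 reply: 'w', Result; Result 0 is followed by PortNo(2),
    NodeType(1), Protocol(1), HighestVersion(2), LowestVersion(2),
    Nlen(2), NodeName, Elen(2), Extra. Any other Result means 'unknown node'."""
    if len(data) < 2 or data[0] != PORT2_RESP:
        raise ValueError("not a PORT2_RESP")
    if data[1] != 0:
        return None
    port, ntype, proto, hi, lo, nlen = struct.unpack(">HBBHHH", data[2:12])
    name = data[12:12 + nlen].decode("ascii")
    return {"port": port, "node_type": ntype, "protocol": proto,
            "highest_version": hi, "lowest_version": lo, "name": name}


def _exchange(host: str, port: int, request: bytes, timeout: float) -> bytes:
    """Send one framed request and read until epmd closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def query_names(host: str, port: int = EPMD_PORT, timeout: float = 3.0):
    """Return {'epmd_port': int, 'nodes': {name: dist_port}} for HOST, or
    raise OSError if nothing answers there (epmd is not reachable on HOST)."""
    return parse_names_response(_exchange(host, port, names_request(), timeout))


def query_port(host: str, node: str, port: int = EPMD_PORT, timeout: float = 3.0):
    """Return the PORT_PLEASE2 record for NODE, or None if epmd does not know it."""
    return parse_port2_response(_exchange(host, port, port_please2_request(node), timeout))


# Constructed sample replies for offline use; the name and port mirror the
# nmap output in the thread, they are not captured from a live server.
SAMPLE_NAMES_RESPONSE = struct.pack(">I", EPMD_PORT) + b"name ejabberd at port 49675\n"
SAMPLE_PORT2_RESPONSE = (bytes([PORT2_RESP, 0])
                         + struct.pack(">HBBHHH", 49675, 77, 0, 5, 5, 8)
                         + b"ejabberd" + struct.pack(">H", 0))
SAMPLE_PORT2_UNKNOWN = bytes([PORT2_RESP, 1])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        info = query_names(target)
    except OSError as exc:
        print("%s: epmd not reachable (%s)" % (target, exc))
        sys.exit(1)
    print("%s: epmd answers on %d" % (target, info["epmd_port"]))
    for name, dist_port in info["nodes"].items():
        print("  node %s listens for distribution on %d" % (name, dist_port))
```

Usage: `python3 epmd_check.py 192.0.2.10` from a machine that can reach that address; a connection refused or timeout means epmd is not listening there, a node list means it is. The names and distribution ports it prints are exactly what a remote party learns before attempting to connect to the node's distribution port, which is why binding epmd and the node to loopback (or firewalling both) matters.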

Has nobody an idea how to

Has nobody an idea how to bind 'epmd' to one IP address?
I think this can be a security risk if 'epmd' listens on all IPs of the server...

A firewall should normally

A firewall should normally allow you to block the traffic that you want to prevent.

--
Mickaël Rémond
Process-one

Re: howto bind epmd to one ip

drscream wrote:

Is there any chance to bind 'epmd' to one ip address? If so, how?

I have a patch! http://gir.usc.edu/erlang/otp_epmd_binding.patch.gz

Set the following environment variables before epmd is started:

export ERL_EPMD_DIST_BIND=192.168.254.100
# if you also need to change the default port.
export ERL_EPMD_DIST_PORT=

It may break stuff like clustering and remote shell access, but it works for me.

I run a simple ejabberd on a shared IRC hosting provider and had to make ejabberd/epmd bind to a single IP address and specific port.

If you need further help, I'm on the ejabberd mailing list.

A firewall is not a

A firewall is not a workaround but a tool that should be configured on a production machine.
Now, if you insist on not using one, you are not asking in the right place.
Please post a feature request to www.erlang.org.
