Hello,
I have a server with more than one IP address. If I start ejabberd (with the default ./start script), 'epmd' runs on all IP addresses.
Is there any chance to bind 'epmd' to one IP address? If so, how?
(For what is 'epmd' really needed?)
thanks,
drscream
in ejabberd book
3.3 Listened Sockets:
{ip, IPAddress}
This option specifies which network interface to listen for. For example {ip, {192, 168, 1, 1}}.
?
Yes, I know, but this is only for ejabberd (I edit my config file ejabberd.cfg). This doesn't work for 'epmd', or 'epmd' doesn't read the config file (?/!).
Same problem here. Using a firewall would not fix that problem; it would be at most a workaround. The best way is to bind that port to 127.0.0.1 only; that's exactly what I want, and I guess it's what drscream wants.
It is unbelievably insecure to run a daemon on an open port on all available IPs!
And it is totally unacceptable.
Recommending a firewall to work around this seems to show a complete lack of knowledge about this topic.
So, it is *required* that epmd can be configured to listen only on 127.*.*.* and/or localhost and any required port!
As I understood this issue, epmd is even required to run ejabberd without database crashes.
This too is unbelievable ...
The whole architecture of this software is more than suspicious.
So, I recommend the following:
Change ejabberd to listen on a local port for the ejabberdctl command - for example to shut down.
BUT also cleanly shut down that daemon after a regular signal!
If epmd is still required for communication between connected nodes, you can still allow it to listen on the required IP address (only) and *then* use a firewall to channel the communication.
This very webpage is made more secure with all its CAPTCHA codes than the ejabberd daemons ...
Submit your ideas to the proper place
EPMD is developed as part of Erlang/OTP, not in ejabberd. You should send your EPMD feature request to the Erlang/OTP developers. You can also write a patch that implements that feature, and propose it. Notice that EPMD is written in the well-known C language, not in the less-known Erlang language.
This feature request was already discussed in the Erlang questions mailing list three years ago: Restrict epmd to one IP address?. That discussion didn't find such option in EPMD. In the discussion, I found an interesting comment:
If EPMD included an option to limit the IP address to only 127.0.0.1, the ejabberd developers might use it in the ejabberd start script. But I've checked now, and EPMD still doesn't have such option.
In summary, I recommend you to reconsider your feature request. If your initial idea seems still good, send an email to the erlang-questions mailing list.
Same here
Any progress since 2007 ?
Search on the web
(For what is 'epmd' really needed?)
'The Erlang Port Mapper Daemon epmd is automatically started at every host where an Erlang node is started. It is responsible for mapping the symbolic node names to machine addresses.'
Thank you for the information.
Now I changed my ejabberd node from "ejabberd@localhost" to "ejabberd@hostname.tld", but this has no result.
The two 'epmd' ports are also open on my other IP addresses:
PORT STATE SERVICE
4369/tcp open unknown
49675/tcp open unknown (changes every time)
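To check whether a bind like the one asked for in this thread actually took effect, here is an added example (mine, not code from any poster, from ejabberd or from Erlang/OTP) that parses `ss -ltnp` style output and flags epmd and the random Erlang distribution port whenever they are reachable on anything other than loopback. The two socket listings, the process names and the ejabberd service ports (5222, 5269, 5280) are constructed assumptions for the example, not real output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Port epmd listens on by default (the 4369/tcp seen in the nmap output above).
EPMD_PORT = 4369
# Process names of epmd and the Erlang VM as `ss -p` reports them.
ERLANG_PROCS = ("epmd", "beam", "beam.smp")
# Local-address spellings `ss` uses for "all interfaces".
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# One LISTEN row of `ss -ltnp`: local addr:port, then the first process name.
ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proc: str
    addr: str
    port: int

    @property
    def scope(self) -> str:
        """'wildcard' (all interfaces), 'loopback', or 'specific' (one address)."""
        if self.addr in WILDCARDS:
            return "wildcard"
        if self.addr.startswith("127.") or self.addr in ("::1", "[::1]"):
            return "loopback"
        return "specific"


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract LISTEN sockets from `ss -ltnp` text; rows without a process are skipped."""
    found = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            found.append(Listener(m["proc"], m["addr"], int(m["port"])))
    return found


def erlang_exposure(ss_output: str, service_ports: set[int]) -> list[Listener]:
    """Erlang sockets reachable from other hosts: epmd (by name or port 4369) and
    any beam listener that is not an intended ejabberd service port. The
    distribution port beam registers with epmd is random, so it is recognised
    by exclusion rather than by number."""
    exposed = []
    for sock in parse_listeners(ss_output):
        is_epmd = sock.proc == "epmd" or sock.port == EPMD_PORT
        is_dist = sock.proc in ERLANG_PROCS and sock.port not in service_ports
        if (is_epmd or is_dist) and sock.scope != "loopback":
            exposed.append(sock)
    return exposed


# Constructed sample (not real output): the default ./start on a multi-homed host.
SS_DEFAULT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:4369        0.0.0.0:*         users:(("epmd",pid=1201,fd=3))
LISTEN 0      128    0.0.0.0:49675       0.0.0.0:*         users:(("beam.smp",pid=1210,fd=12))
LISTEN 0      128    192.168.1.1:5222    0.0.0.0:*         users:(("beam.smp",pid=1210,fd=14))
"""

# Constructed sample: the bind the thread asks for, with epmd and the
# distribution port on loopback only and the XMPP client port on the public address.
SS_BOUND = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:4369      0.0.0.0:*         users:(("epmd",pid=1201,fd=3))
LISTEN 0      128    127.0.0.1:49675     0.0.0.0:*         users:(("beam.smp",pid=1210,fd=12))
LISTEN 0      128    192.168.1.1:5222    0.0.0.0:*         users:(("beam.smp",pid=1210,fd=14))
"""

# Assumed ejabberd.cfg listeners (c2s, s2s, http); adjust to your config.
EJABBERD_PORTS = {5222, 5269, 5280}

if __name__ == "__main__":
    for name, text in (("default", SS_DEFAULT), ("bound", SS_BOUND)):
        hits = erlang_exposure(text, EJABBERD_PORTS)
        print(name, "exposed:", [(h.proc, h.addr, h.port, h.scope) for h in hits])
```

Run it against real output with `ss -ltnp | python3 check_epmd.py`-style piping by replacing the samples with `sys.stdin.read()`; an empty result for both epmd and the beam distribution port is what a loopback-only bind should produce, while 5222 on the public address is expected and is not reported.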
Has nobody an idea how to bind 'epmd' to one IP address?
I think this can be a security risk if 'epmd' listens on all IPs of the server...
A firewall should normally allow you to block the traffic that you want to prevent.
--
Process-one
Mickaël Rémond
Re: howto bind epmd to one ip
Is there any chance to bind 'epmd' to one ip address? If so, how?
I have a patch! http://gir.usc.edu/erlang/otp_epmd_binding.patch.gz
Set the following environment variables before epmd is started:
export ERL_EPMD_DIST_BIND=192.168.254.100
# if you also need to change the default port.
export ERL_EPMD_DIST_PORT=
It may break stuff like clustering and remote shell access, but it works for me.
I run a simple ejabberd on a shared IRC hosting provider and had to make ejabberd/epmd bind to a single IP address and specific port.
If you need further help, I'm on the ejabberd mailing list.
A firewall is not a workaround but a tool that should be configured on a production machine.
Now, if you insist on not using one, you are not asking in the right place.
Please, post a feature request to www.erlang.org.