I'm trying to secure an install of RabbitMQ, and am not sure how to secure the Erlang EPMD port. I only have one machine running anything, so I'd like to make it listen only on the loopback device. Per the docs, I've added:
ERL_EPMD_ADDRESS=127.0.0.1
to /etc/rabbitmq/rabbitmq-env.conf, but this has no effect, as the port still shows open in nmap from a remote system.
Is there a way to lock down this port that I won't be using?
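An added verification check, not part of the question: a POSIX shell function that reads listener lines in the format printed by ss -Hltn and reports every non-loopback address bound to the EPMD port (4369 by default). The socket lines below are constructed for illustration; the 0.0.0.0 and [::] listeners stand in for the "still open from a remote system" state the question describes, and the second sample shows what a loopback-only bind looks like.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output (hypothetical host, not real data).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
BEFORE_FIX='LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*
LISTEN 0 128 [::]:4369 [::]:*
LISTEN 0 128 0.0.0.0:5672 0.0.0.0:*'

AFTER_FIX='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5672 0.0.0.0:*'

# Default EPMD port; override if the node was started with a different one.
EPMD_PORT=4369

# epmd_exposed_addrs: read ss-style listener lines on stdin and print each
# local address that listens on the EPMD port and is NOT a loopback address.
epmd_exposed_addrs() {
    awk -v port="$EPMD_PORT" '
        $1 == "LISTEN" {
            local = $4
            # The port follows the last colon; the address is everything before it.
            n = split(local, parts, ":")
            p = parts[n]
            addr = substr(local, 1, length(local) - length(p) - 1)
            if (p != port) next
            # Skip IPv4 loopback (127/8) and IPv6 loopback.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# epmd_loopback_only: succeed (exit 0) when no non-loopback address listens
# on the EPMD port, fail otherwise.
epmd_loopback_only() {
    [ -z "$(epmd_exposed_addrs)" ]
}
```

On the live host run ss -Hltn | epmd_exposed_addrs; an empty result means the bind is loopback-only. One caveat when interpreting the result: epmd is a separate daemon that keeps running after the RabbitMQ node stops, so a new ERL_EPMD_ADDRESS value is only picked up once the old epmd process has been stopped (epmd -kill) and a fresh one is started with the node.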
This port is already secure. Access to this port is controlled by a Cookie, which is basically a developer key that is unique to this particular server and is created at install time. It is probably located in /var/lib/rabbitmq/.erlang.cookie although it is possible for a distro to change that location. You will note that the cookie file is only readable by root.
If a remote node (another server) or a local node (another Erlang instance on this server) wants to communicate with your RabbitMQ server, they must present the cookie when communicating via EPMD or the requests will be ignored.
If you are following RabbitMQ best practices then you will have RabbitMQ running on its own server, and there will be two or three other RabbitMQ servers that are clustered with it. In this context "clustered" means sharing the same cookie and communicating via the same EPMD port. Blocking this port is a bad thing.
However, it is generally a good thing to have a perimeter around the cluster, which is managed by a firewall so that the EPMD port can only be used from inside the perimeter. This implies that the blocking is on a firewall device, or a server acting as a firewall, or an EC2 firewall or similar.
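The perimeter the answer describes, as an added example that is not part of the answer: a shell function that emits an nftables ruleset accepting the EPMD port only from loopback and from an explicit set of cluster peer addresses, and dropping it from everywhere else. The peer addresses are hypothetical values constructed for the example, and the ruleset leaves every other port untouched (policy accept) so it can be layered onto an existing host firewall.

```shell
#!/bin/sh
# Hypothetical cluster peers (constructed example values, not real hosts).
CLUSTER_PEERS="10.0.0.11 10.0.0.12"
EPMD_PORT=4369

# epmd_perimeter_ruleset PEERS: print an nftables ruleset that accepts the
# EPMD port from loopback and the space-separated PEERS only, dropping the
# port for any other source. Fails if PEERS is empty, since an empty set
# would silently cut the node off from its cluster.
epmd_perimeter_ruleset() {
    peers="$1"
    if [ -z "$peers" ]; then
        echo "epmd_perimeter_ruleset: no cluster peers given" >&2
        return 1
    fi
    # "10.0.0.11 10.0.0.12" -> "10.0.0.11, 10.0.0.12" for the nft set literal
    elements=$(printf '%s' "$peers" | sed 's/ /, /g')
    cat <<EOF
table inet rabbitmq_perimeter {
  set cluster_peers {
    type ipv4_addr
    elements = { ${elements} }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" accept
    tcp dport ${EPMD_PORT} ip saddr @cluster_peers accept
    tcp dport ${EPMD_PORT} drop
  }
}
EOF
}
```

Load it with epmd_perimeter_ruleset "$CLUSTER_PEERS" | nft -f - on each cluster member, listing the other members as peers; the same set can be extended with the address of any monitoring host that legitimately needs EPMD, and anything not in the set is dropped before it reaches the Erlang runtime.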