Securing ejabberd on Debian Wheezy (7.0): Bind epmd to localhost (127.0.0.1)

ejabberd is a nice and (in theory) easy-to-set-up Jabber server. However, during setup I came across some WTFs that I want to share.

What is epmd?
epmd is a small name server used by Erlang programs when establishing distributed Erlang communications. ejabberd needs epmd to use ejabberdctl and also when clustering ejabberd nodes. If ejabberd is stopped, and there aren’t any other Erlang programs running in the system, you can safely stop epmd.

  • epmd is started along with ejabberd, but as other Erlang programs might use it, it keeps running even if ejabberd is stopped
  • epmd’s default setup is to listen on ALL INTERFACES

For me this seems to be an undesirable default behaviour of the Debian package, which can be easily fixed:

Bind epmd to 127.0.0.1

Add the following line to the end of /etc/default/ejabberd to make epmd listen on localhost only. The “export” is important; without it, the setting won’t work.

export ERL_EPMD_ADDRESS=127.0.0.1

ejabberd looks up the hostname and tries to connect to the IP address it resolves to. A DNS hostname normally does not resolve to 127.0.0.1, so you have to add the shortname and the FQDN of your server to your local /etc/hosts file.

Find the shortname and fqdn:

# shortname
$> hostname -s
foo
# fqdn
$> hostname
foo.bar.local

Now add to /etc/hosts:

127.0.0.1  foo foo.bar.local
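
Once epmd has been restarted with the new setting, the binding can be checked. The script below is an added example, not part of the original post: it reads `ss -ltn` or `netstat -ltn` output and reports any non-loopback address on epmd's default port 4369. The function name check_epmd_bind and the sample listener tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm epmd is bound to loopback only after the change.
EPMD_PORT=4369   # epmd's default TCP port

# Reads `ss -ltn` or `netstat -ltn` output on stdin (the local address is
# column 4 in both) and prints each non-loopback address epmd listens on.
# Exit status: 0 = loopback only, 1 = exposed, 2 = no epmd listener found.
check_epmd_bind() {
    awk -v port="$EPMD_PORT" '
        {
            addr = $4
            suffix = ":" port
            if (length(addr) <= length(suffix)) next
            if (substr(addr, length(addr) - length(suffix) + 1) != suffix) next
            seen = 1
            host = substr(addr, 1, length(addr) - length(suffix))
            # 127.0.0.0/8 and ::1 are loopback; anything else is reachable
            # from other hosts (0.0.0.0, *, ::, or an interface address).
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            exposed = 1
            print "epmd reachable on " addr
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Constructed sample listener tables (not captured from a real host).
BEFORE='LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*'
AFTER='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*'

status=0; printf '%s\n' "$BEFORE" | check_epmd_bind || status=$?
echo "default binding: exit status $status"
status=0; printf '%s\n' "$AFTER" | check_epmd_bind || status=$?
echo "with ERL_EPMD_ADDRESS=127.0.0.1: exit status $status"

# On a live host: ss -ltn | check_epmd_bind   (or netstat -ltn | ...)
```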

Stop epmd with ejabberd

Add the following lines to the stop() function in /etc/init.d/ejabberd:

stop()
{
....
        echo -e "\nStopping epmd: "
        epmd -kill
...