Securing ejabberd on Debian Wheezy (7.0) : Bind epmd to localhost (127.0.0.1)
Ejabberd is a nice and (in theory) easy-to-set-up Jabber server. However, during setup I came across some WTFs that I want to share.
What is epmd?
epmd is a small name server used by Erlang programs when establishing distributed Erlang communications. ejabberd needs epmd to use ejabberdctl and also when clustering ejabberd nodes. If ejabberd is stopped, and there aren’t any other Erlang programs running in the system, you can safely stop epmd.
- epmd is started along with ejabberd, but because other Erlang programs might use it, it keeps running even if ejabberd is stopped.
- epmd's default setup is to listen on ALL INTERFACES.
To me this is an undesirable default behaviour of the Debian package, and it can be easily fixed:
Bind epmd to 127.0.0.1
Add the following line to the end of /etc/default/ejabberd to make epmd listen on localhost only. The "export" is important; without it, the setting won't work.
export ERL_EPMD_ADDRESS=127.0.0.1
ejabberd looks up the hostname and tries to connect to the resulting IP address. If you have a DNS hostname, it normally does not resolve to 127.0.0.1, so you have to add the shortname and the FQDN of your server to your local /etc/hosts file.
Find the shortname and fqdn:
# shortname
$> hostname -s
foo
$> hostname
foo.bar.local
Now add to /etc/hosts:
127.0.0.1 foo foo.bar.local
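To confirm the binding once epmd has been restarted with the new setting, check which addresses its port is listening on. The script below is an added example, not part of the original post: it parses `ss -ltn` output and reports any non-loopback listener on epmd's default port 4369 (or `ERL_EPMD_PORT` if set). The function names and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which addresses epmd is bound to.

# Read `ss -ltn` style lines on stdin and print every local address that
# listens on the epmd port and is not a loopback address.
epmd_exposed_listeners() {
    awk -v port="${ERL_EPMD_PORT:-4369}" '
        $1 != "LISTEN" { next }
        {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local-only
            if (addr ~ /^(\[?::ffff:)?127\./ || addr == "::1" || addr == "[::1]") next
            print addr
        }'
}

# Return 1 (and explain on stderr) if epmd is reachable from other hosts.
check_epmd_binding() {
    exposed=$(epmd_exposed_listeners | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        echo "epmd listens on non-loopback address(es): $exposed" >&2
        return 1
    fi
    echo "epmd listens on loopback only (or is not running)"
}

# Constructed sample: package default, epmd bound to all interfaces.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:4369             *:*
LISTEN 0      128    *:5222             *:*'

# Constructed sample: after export ERL_EPMD_ADDRESS=127.0.0.1.
SAMPLE_FIXED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4369     *:*
LISTEN 0      128    *:5222             *:*'

printf '%s\n' "$SAMPLE_DEFAULT" | check_epmd_binding || true
printf '%s\n' "$SAMPLE_FIXED" | check_epmd_binding

# On a live host: ss -ltn | check_epmd_binding
```
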
Stop epmd with ejabberd
Add the following lines to the stop() function in /etc/init.d/ejabberd:
stop()
{
    ....
    echo -e "\nStopping epmd: "
    epmd -kill
    ...