
Add EPMD Exposure Blog #493

Merged
merged 1 commit into from
Dec 18, 2024

Conversation


@maennchen maennchen commented Dec 12, 2024

Screenshots

[screenshot: overview of the rendered post page]

Chart

The chart was created using Draxlr

Data: country-epmd.csv, Copied from Shodan

@erlef/marcom Communication Proposal

Is your #RabbitMQ or #BEAM-based app silently exposing EPMD to the world?
Discover the hidden security risk and learn how to secure your setup. Stay safe—check it out now!
[Link]


@garazdawi garazdawi left a comment


Hello!

First off, I think this is a great article and highlights a very real security concern. When I first heard about this (which must be at least 5 years ago) I was flabbergasted that so many systems operators don't lock down their firewalls very very securely. It is the very first thing I would do if I were ever to host a service.

Anyway, I think that this article should focus much less on EPMD, and more on Erlang distribution. While exposing EPMD makes it easier to find the Erlang distribution port and start trying to hack that, it is exposing Erlang Distribution that is the vastly bigger security concern. EPMD itself is very unlikely to allow anyone to compromise the system, except possibly doing a DDOS against it.

@voltone

voltone commented Dec 13, 2024

I agree with @garazdawi that the post currently conflates EPMD exposure and Erlang Distribution exposure.

If a port scan shows that the EPMD port is exposed, the next thing I would do is query the server for the list of known nodes (something Shodan also does):

  • If the list is empty, then EPMD may still be running because distribution was once enabled on a BEAM instance on that server, but it no longer is; if the EPMD binary can be compromised that is still a risk, but that risk seems small and easy to address: kill the EPMD process and close the port to prevent future exposure
  • If the list is not empty, then I would do a port scan on the port numbers returned; if those ports are reachable then there is a real risk, though the actual risk may still depend on whether the exposed ports are plain distribution (that's where cookies come in) or TLS distribution (which may be safe); in this case I would say, if the exposure to the Internet is intentional and TLS distribution with client certs is used, then perhaps it is ok, otherwise you have a burning issue!
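
The triage above as a self-check script for a host you administer (an added example, not code from this PR or the blog post; it assumes the Python standard library and the EPMD NAMES_REQ/NAMES_RESP wire format documented for the Erlang distribution protocol). It queries EPMD for its node list, probes the advertised distribution ports, and returns one of the three outcomes voltone describes.

```python
import socket
from typing import List, Optional, Tuple

EPMD_PORT = 4369
NAMES_REQ = bytes([0, 1, 110])  # 2-byte length = 1, then request code 'n'
Nodes = List[Tuple[str, int]]

def parse_names_response(data: bytes) -> Nodes:
    """Parse NAMES_RESP: 4-byte EPMD port, then 'name <Name> at port <Port>' lines."""
    if len(data) < 4:
        raise ValueError("truncated NAMES_RESP")
    nodes = []
    for line in data[4:].decode("ascii", errors="replace").splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "name" and p[2:4] == ["at", "port"]:
            nodes.append((p[1], int(p[4])))
    return nodes

def query_epmd(host: str, port: int = EPMD_PORT, timeout: float = 3.0) -> Optional[Nodes]:
    """Advertised nodes, or None when EPMD does not answer on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(NAMES_REQ)
            chunks = []
            while chunk := s.recv(4096):  # EPMD closes the socket after the response
                chunks.append(chunk)
    except OSError:
        return None
    return parse_names_response(b"".join(chunks))

def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(nodes: Optional[Nodes], reachable: Nodes) -> str:
    """Map the two findings onto the triage outcomes from the review."""
    if nodes is None:
        return "closed"               # EPMD unreachable: nothing to do
    if not reachable:
        return "epmd-only"            # stale or empty EPMD: stop it, close 4369
    return "distribution-exposed"     # node ports reachable: firewall / TLS distribution

def audit(host: str) -> str:
    nodes = query_epmd(host)
    reachable = [n for n in (nodes or []) if port_open(host, n[1])]
    return classify(nodes, reachable)
```

Call `audit("127.0.0.1")` (or the public address of a host you run) to get one of the three outcome strings.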

@maennchen

Thanks for the valuable feedback. I'll do a correction round sometime this weekend.

@maennchen

@garazdawi I've tried to incorporate your feedback. What do you think?

@voltone I've updated the text to be more clear on Erlang Distribution vs EPMD and also changed the nmap commands to scan for Erlang Distribution as well. Is that covering what you expected or would you go further into detail? erl-matter has some info on how to probe distribution ports including the usage of an nmap-script. But I'm not sure if you should go that deep.

@maennchen maennchen requested a review from garazdawi December 16, 2024 14:02

@garazdawi garazdawi left a comment


Nice! I left some small nitpicks, but overall I think this is much better.

@maennchen maennchen requested a review from garazdawi December 16, 2024 16:54

@garazdawi garazdawi left a comment


LGTM, thanks for taking my opinion into account. If you want to, feel free to create a news-item on https://github.com/erlang/erlang-org linking to this post. Or I can do it once this is published.


@voltone voltone left a comment


Looks great, thanks!

@maennchen maennchen marked this pull request as ready for review December 17, 2024 16:18
@starbelly starbelly merged commit cf3dfc4 into erlef:main Dec 18, 2024
starbelly pushed a commit that referenced this pull request Dec 18, 2024
@maennchen maennchen deleted the epmd branch December 18, 2024 08:35
maennchen added a commit to maennchen/erlang-org that referenced this pull request Dec 18, 2024