First, firewall settings
When you configure the firewall, you need to be aware of the following TCP ports:
Port | Description
---- | -----------
5222 | Standard port for Jabber/XMPP client connections, plain text or STARTTLS.
5223 | Port used by Jabber clients that connect with the old SSL method.
5269 | Standard port for Jabber/XMPP server-to-server connections.
4369 | EPMD listens here for Erlang node name requests.
Port range | Used for connections between two Erlang nodes. This range is configurable (see Part Two, EPMD).
Second, EPMD
EPMD (Erlang Port Mapper Daemon) is a small name server included in Erlang/OTP and used by Erlang programs when establishing distributed Erlang communication. ejabberd needs EPMD in order to use ejabberdctl, and also in order to join ejabberd nodes into a cluster. This small program is started automatically by Erlang and never stops. If ejabberd is stopped and no other Erlang program is running on the system, you can safely stop EPMD if you want.
ejabberd runs inside an Erlang node. To communicate with ejabberd, the ejabberdctl script starts a new Erlang node and connects to the Erlang node that runs ejabberd. For this communication to work, EPMD must be running and listening for name requests on port 4369. You should therefore restrict port 4369 in the firewall so that only programs on the same machine can reach it.
If you build a cluster of several ejabberd instances, each instance is called an ejabberd node. Those ejabberd nodes use a special Erlang communication method to build the cluster, so EPMD again needs to listen on port 4369. So if you plan to build a cluster of ejabberd nodes, you must open port 4369 to the machines involved in the cluster. Remember to block this port so that it cannot be reached from the Internet.
Once an Erlang node has resolved the node name of another Erlang node using EPMD and port 4369, the two nodes communicate directly with each other. The ports used for this are random by default, but can be configured in the file ejabberdctl.cfg. Internally, Erlang command-line parameters are used, for example:
erl ... -kernel inet_dist_listen_min 4370 inet_dist_listen_max 4375
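As an added example (not from the ejabberd documentation), the following POSIX shell function prints the iptables rules that implement the policy described above: the XMPP ports 5222/5223/5269 are open, while EPMD's port 4369 and the distribution range 4370-4375 are reachable only from loopback and from the listed cluster peers. The peer addresses are constructed sample values, and the range is assumed to match the inet_dist_listen_min/max values that ejabberdctl.cfg passes to erl.

```shell
#!/bin/sh
# Added example: generate iptables INPUT rules for an ejabberd host.
# Assumptions: IPv4 iptables, rules appended to INPUT; peer list is sample data.

XMPP_PORTS="5222 5223 5269"   # c2s plain/STARTTLS, c2s legacy SSL, s2s
EPMD_PORT=4369                # EPMD name requests
DIST_MIN=4370                 # must match inet_dist_listen_min in ejabberdctl.cfg
DIST_MAX=4375                 # must match inet_dist_listen_max in ejabberdctl.cfg

# ejabberd_fw_rules "<space-separated cluster peer IPs>"  -> rules on stdout
ejabberd_fw_rules() {
    peers=$1
    # XMPP ports are public
    for p in $XMPP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Erlang-internal ports: loopback is always allowed (ejabberdctl needs EPMD)
    echo "iptables -A INPUT -i lo -p tcp --dport $EPMD_PORT -j ACCEPT"
    echo "iptables -A INPUT -i lo -p tcp --dport $DIST_MIN:$DIST_MAX -j ACCEPT"
    # Cluster peers may reach EPMD and the distribution range
    for peer in $peers; do
        echo "iptables -A INPUT -s $peer -p tcp --dport $EPMD_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $peer -p tcp --dport $DIST_MIN:$DIST_MAX -j ACCEPT"
    done
    # Everybody else (including the Internet) is dropped on the Erlang ports
    echo "iptables -A INPUT -p tcp --dport $EPMD_PORT -j DROP"
    echo "iptables -A INPUT -p tcp --dport $DIST_MIN:$DIST_MAX -j DROP"
}

# Number of rules produced for a given peer list (handy for a quick sanity check)
rule_count() { ejabberd_fw_rules "$1" | wc -l | tr -d ' '; }

# Print the rule set for two constructed peer addresses; pipe into sh to apply
ejabberd_fw_rules "192.0.2.10 192.0.2.11"
```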
Third, Erlang cookies
An Erlang cookie is a string of digits and letters. An Erlang node reads its cookie from the command-line parameter -setcookie at startup. If none is specified, the cookie is read from the file $HOME/.erlang.cookie. If that file does not exist, it is created immediately with a random cookie. Two Erlang nodes communicate only if they have the same cookie. Setting a cookie on each Erlang node lets you structure your Erlang network and define which nodes are allowed to connect to each other.
Thanks to Erlang cookies, you can prevent unwanted access to Erlang nodes, for example when several Erlang nodes running different programs share the same machine.
Setting a secret cookie is an easy way to make unauthorized access to your Erlang nodes harder. However, the cookie system is not in the end sufficient to prevent unauthorized access to or intrusion into Erlang nodes: communication between Erlang nodes is unencrypted, so the cookie can be read by a sniffer on the network. The recommended way to make Erlang more secure is to block port 4369.
Fourth, Erlang node names
An Erlang node can have a node name. The name can be short (if specified with the command-line argument -sname) or long (if specified with the parameter -name). Starting an Erlang node with -sname restricts communication between that Erlang node and other nodes to the LAN.
Using the option -sname instead of -name is a simple way to make unauthorized access to your Erlang node harder. However, it is not in the end sufficient to prevent unauthorized access to or intrusion into the Erlang node, because with a modified Erlang EPMD it is possible to pretend, from another network, to be on the local one. The recommended way to make Erlang more secure is to block port 4369.
Fifth, security of sensitive files
ejabberd stores sensitive data in the file system, either as plain text or as binary files. File system permissions should be set so that only the appropriate user can read, write and execute those files and directories.
ejabberd configuration file: /etc/ejabberd/ejabberd.cfg
Contains the JID of the administrator and the passwords of external components. Backup files may also contain this information, so the whole /etc/ejabberd/ directory must be secured.
ejabberd service log: /var/log/ejabberd/ejabberd.log
Contains the IP addresses of clients. If the loglevel is set to 5, it contains all sessions and passwords. If you use a logrotate system, there may be several log files with similar information, so the whole /var/log/ejabberd/ directory must be secured.
Mnesia database spool files in /var/lib/ejabberd/
These files store binary data, but some parts are still readable. They are generated by Mnesia and their permissions cannot be set directly, so the whole /var/lib/ejabberd/ directory must be secured.
Erlang cookie file: /var/lib/ejabberd/.erlang.cookie
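As an added example (not from the ejabberd documentation), the following POSIX shell audit checks the file permissions asked for in this section and in the Erlang cookie section: the three directories must not be accessible to others, nothing inside them (configs, backups, rotated logs, Mnesia spool files) may be world-readable, and the cookie file must be owner-only. Paths are taken relative to a root directory given as the first argument, so the audit can be dry-run against a constructed tree (demo_tree, with three deliberate mistakes) as well as against /.

```shell
#!/bin/sh
# Added example: audit permissions of the sensitive ejabberd paths listed above.
# Assumption: paths are checked under the root given as $1 ("/" on a real host).

# Octal permission bits of a path (GNU stat, with a BSD stat fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True if any bit of the octal MASK ($2) is set in the mode of path $1
mode_has() { [ $(( 0$(mode_of "$1") & $2 )) -ne 0 ]; }

# Print one line per finding; prints nothing when the tree is clean
check_ejabberd_tree() {
    root=$1
    for d in etc/ejabberd var/log/ejabberd var/lib/ejabberd; do
        if [ ! -d "$root/$d" ]; then echo "MISSING $d"; continue; fi
        # the directory itself must not be accessible to 'others'
        mode_has "$root/$d" 07 && echo "WORLD-ACCESSIBLE DIR $d"
        # configs, backups, rotated logs and Mnesia spool files inside it
        # must not be world-readable (hidden files included)
        for f in "$root/$d"/* "$root/$d"/.[!.]*; do
            [ -e "$f" ] || continue
            mode_has "$f" 04 && echo "WORLD-READABLE ${f#$root/}"
        done
    done
    c=$root/var/lib/ejabberd/.erlang.cookie
    if [ -f "$c" ] && mode_has "$c" 077; then
        echo "COOKIE NOT OWNER-ONLY $c (expected mode 0400)"
    fi
}

problem_count() { check_ejabberd_tree "$1" | wc -l | tr -d ' '; }

# Constructed tree with three deliberate mistakes, for a dry run
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ejabberd" "$t/var/log/ejabberd" "$t/var/lib/ejabberd"
    chmod 750 "$t/etc/ejabberd" "$t/var/lib/ejabberd"
    chmod 755 "$t/var/log/ejabberd"                        # mistake 1: others may list
    echo 'hosts: []' > "$t/etc/ejabberd/ejabberd.cfg"
    chmod 640 "$t/etc/ejabberd/ejabberd.cfg"
    echo 'sample log line' > "$t/var/log/ejabberd/ejabberd.log"
    chmod 644 "$t/var/log/ejabberd/ejabberd.log"           # mistake 2: world-readable
    echo 'SAMPLECOOKIE' > "$t/var/lib/ejabberd/.erlang.cookie"
    chmod 640 "$t/var/lib/ejabberd/.erlang.cookie"         # mistake 3: group-readable
    echo "$t"
}

# Usage: sh audit.sh /    (no argument: audit the constructed demo tree)
check_ejabberd_tree "${1:-$(demo_tree)}"
```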
ejabberd source code analysis prelude: security