1 comment

[ 3.0 ms ] story [ 7.7 ms ] thread
From the mailing list[1]:

> CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called `epmd` advertises that random port to the network. `epmd` itself listens on a fixed port.

> We recommend a firewall in front of all CouchDB installations. The full CouchDB api is available on registered port `5984` and this is the only port that needs to be exposed for a single-node install.

Pretty basic stuff, you should really be firewalling off all but the required ports for it to work. Kind of sad that after a half-century of "information technology" we still need to be told that a deny-by-default policy is the only one that works. And yes, bad defaults are of course to blame here, but the real problem is overly permissive network rules.

[1] https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdc...