> CouchDB opens a random network port, bound to all available interfaces
in anticipation of clustered operation and/or runtime introspection. A
utility process called `epmd` advertises that random port to the network.
`epmd` itself listens on a fixed port.
> We recommend a firewall in front of all CouchDB installations. The full
CouchDB api is available on registered port `5984` and this is the only
port that needs to be exposed for a single-node install.
Pretty basic stuff, you should really be firewalling off all but the required ports for it to work. Kind of sad that after a half-century of "information technology" we still need to be told that a deny-by-default policy is the only one that works. And yes, bad defaults are of course to blame here, but the real problem is overly permissive network rules.
1 comment
[ 3.0 ms ] story [ 7.7 ms ] thread> CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called `epmd` advertises that random port to the network. `epmd` itself listens on a fixed port.
> We recommend a firewall in front of all CouchDB installations. The full CouchDB api is available on registered port `5984` and this is the only port that needs to be exposed for a single-node install.
Pretty basic stuff, you should really be firewalling off all but the required ports for it to work. Kind of sad that after a half-century of "information technology" we still need to be told that a deny-by-default policy is the only one that works. And yes, bad defaults are of course to blame here, but the real problem is overly permissive network rules.
[1] https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdc...