RabbitMQ exposed to the internet
A RabbitMQ broker reachable from an untrusted network has several distinct ways to go wrong, and they range from bad to very bad. Unlike a database, where the loss is the data, an exposed broker can be a loss of the host — because RabbitMQ runs on the Erlang VM, and Erlang’s clustering is code execution by design.
The paths in, worst last
Section titled “The paths in, worst last”The management UI. Port 15672 with a weak or default account. If
guest still works — which requires
loopback_users to have been loosened — or any account has a guessable password,
the management API is broker takeover through a
browser: read every queue, publish anything, export /api/definitions (which
includes password hashes), reconfigure everything.
AMQP with a working credential. Port 5672/5671 plus a known password lets an attacker publish to your exchanges and consume from your queues — injecting work into your systems, or draining and reading the messages flowing between your services. What that’s worth depends on what you send through the broker, and it’s usually more than you’d like.
The Erlang distribution port — the RCE. This is the one that makes RabbitMQ
different. Port 25672, reachable, plus a
weak or default Erlang cookie, means an
attacker connects an Erlang node to yours and runs arbitrary code as the
rabbitmq user. Not message theft — a shell. epmd on 4369 is the map that
leads there, enumerating your nodes and their distribution ports.
So the severity of an exposed broker depends entirely on what’s exposed and how it’s configured. At best it’s message interception; at worst it’s a host compromise that happens to be running a message broker.
What actually gets brokers compromised
Section titled “What actually gets brokers compromised”In rough order:
loopback_users = noneplus exposed ports — someone lifted theguestrestriction to fix a remote client, and nowguest/guestworks from anywhere with admin rights.- The management UI on 15672, exposed, over plain HTTP — credentials sniffed, or a weak password guessed.
- A default or weak Erlang cookie with 25672 reachable — the RCE path, especially on brokers built from images that ship predictable cookies.
- A real credential reused or leaked from an application config, working because the broker is reachable and TLS was never required.
The shortest path from exposed to closed
Section titled “The shortest path from exposed to closed”- Delete guest and check
loopback_users— and never set it tonone. - Firewall every port — 5672, 15672, and especially 25672 and 4369. Nothing but your nodes should reach the last two.
- Fix the Erlang cookie — strong, random,
chmod 400, different per cluster. - Require TLS and bind the management UI to loopback.
Steps 1 and 2 stop the bleeding in minutes.
Related
Section titled “Related”- Hardening RabbitMQ — the full checklist.
- Protect the Erlang cookie — the difference between message theft and RCE.