Replace the RabbitMQ guest user
# Create a real admin, then delete guestrabbitmqctl add_user app_admin "$(openssl rand -base64 24)"rabbitmqctl set_user_tags app_admin administratorrabbitmqctl set_permissions -p / app_admin '.*' '.*' '.*'
rabbitmqctl delete_user guestWhy it matters
Section titled “Why it matters”Every RabbitMQ install ships with a user named guest, password guest, holding
the administrator tag and full permissions on the default virtual host. It is
the single most universally known credential in the message-broker world, and
scanners try it first.
RabbitMQ’s mitigation is real but narrow: guest can only connect over
loopback. The loopback_users setting lists users restricted to local
connections, and guest is on it by default. So a remote AMQP client presenting
guest/guest is refused — the credential works only from the broker host
itself.
That’s genuinely helpful, and it’s why a default RabbitMQ isn’t immediately ownable from the internet. But it’s a thin line, and there’s a specific way people cross it.
The disaster: loopback_users = none
Section titled “The disaster: loopback_users = none”The moment someone needs a remote client to connect and reaches for guest,
they hit the loopback restriction, and search for how to remove it. The answer
they find is:
# rabbitmq.conf — DO NOT do thisloopback_users = noneThat removes the loopback restriction from every user, including guest. Now
guest/guest authenticates from anywhere, with administrator rights, on a
broker that is very likely also exposing
its ports. That is a fully open,
admin-level message broker reachable from the internet — and it’s a configuration
people apply deliberately, to fix a connection problem.
Never set loopback_users = none. If a remote client needs to authenticate,
give it a real user. That’s the whole fix, and it’s less work than the dangerous
one.
Delete guest, don’t just restrict it
Section titled “Delete guest, don’t just restrict it”Leaving guest in place — even loopback-only — means the well-known credential
still works for anything with local access, which includes a compromised
co-located process. Once you have a real administrator account, delete it:
rabbitmqctl delete_user guestIf you can’t delete it for some legacy reason, at minimum change its password and strip its tags and permissions so it can do nothing.
Create scoped users, not more admins
Section titled “Create scoped users, not more admins”The replacement for guest is not one shared admin that every app uses.
That just renames the problem. Each application gets its own user, scoped to the
virtual host and permissions it needs, with no
administrator tag. The admin account you create here is for administration, used
rarely — the same logic as
Elasticsearch’s elastic and
Postgres superuser.
Related
Section titled “Related”- Restrict network listeners — the ports guest would connect over.
- Virtual host permissions — what the replacement users should be scoped to.
- RabbitMQ exposed to the internet — guest plus open ports.