Skip to content

Restrict RabbitMQ network listeners

Severity: criticalApplies to: RabbitMQ 3.x / 4.x
The fix/etc/rabbitmq/rabbitmq.conf
# AMQP: bind to the private interface only
listeners.tcp.local = 10.0.1.5:5672
# Management UI: loopback only (reach it via SSH tunnel)
management.tcp.ip = 127.0.0.1
# Erlang distribution: pin the port and bind it to the private interface
distribution.listener.interface = 10.0.1.5

Then firewall everything. The listener config narrows the interface; the firewall narrows the source, and RabbitMQ needs both.

Why the clustering ports are the real danger

Section titled “Why the clustering ports are the real danger”

Everyone thinks about port 5672. The ports that actually turn an exposure into a host compromise are the two nobody publishes a client for:

Port What it is Exposure
25672 Erlang distribution Reachable + weak cookie = code execution
4369 epmd (Erlang port mapper) Enumerates nodes and their dist ports

RabbitMQ runs on the Erlang VM, and Erlang nodes cluster by connecting to each other over the distribution protocol on 25672. That protocol, by design, lets one node run code on another — it’s how clustering works. The only thing gating it is the Erlang cookie, a shared secret. So 25672 reachable from the internet, plus a weak or default cookie, is remote code execution as the rabbitmq user — not a message-queue problem, a shell.

epmd on 4369 is the directory: query it and it tells you which Erlang nodes are running and what dist ports they’re on. It’s reconnaissance that leads straight to 25672.

Neither should ever be reachable from outside your cluster’s own network. On a single-node broker, they don’t need to be reachable from anywhere but loopback.

If you’ve turned on TLS, close the plaintext port entirely rather than leaving it open beside the encrypted one:

listeners.tcp = none # no plaintext AMQP at all
listeners.ssl.default = 5671 # TLS only

Leaving 5672 open next to 5671 means a client can still connect in the clear — the same “offering TLS isn’t requiring it” trap as every other service here.

The management port is not for the internet

Section titled “The management port is not for the internet”

15672 serves the management UI and HTTP API. Bind it to loopback and reach it over an SSH tunnel; do not publish it. It’s a full admin surface and it’s a frequent finding on exposed brokers.