Commit 7f51fb7

Incorporate Feedback
1 parent 4dc8145 commit 7f51fb7

1 file changed

+2
-2
lines changed

priv/posts/security/20241212210148_epmd-public-exposure.md

@@ -45,7 +45,7 @@ If left unsecured, exposed Erlang Distribution ports let attackers gain a footho
4545
Ensuring that distribution ports are only accessible via localhost or a private network interface further reduces the attack surface.
4646

4747
- **Remove or avoid using `-name` or `-sname` if you don’t need clustering**:
48-
If you’re not clustering nodes, don’t assign them a name that registers with EPMD. Without a name, your node won’t appear in EPMD’s registry, making it harder for attackers to locate your distribution ports.
48+
If you’re not clustering nodes, don’t assign them a name. Without -name or -sname, the node won’t just be absent from EPMD—it disables Erlang distribution entirely. This means your application won’t attempt to listen on distribution ports at all, further reducing the attack surface.
4949

5050
**For RabbitMQ users:**
5151
- RabbitMQ runs on Erlang and uses EPMD behind the scenes. Even if you never interact directly with Erlang, you may still be affected if Erlang Distribution ports are exposed.
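
Review bot: In the added line 48, -name and -sname appear without the backticks that the bullet heading directly above uses for the same flags, and the closing clause "further reducing the attack surface" repeats the ending of the paragraph at line 45 almost word for word. Put the flags in code formatting and end the sentence at "distribution ports at all", or reword the clause. The subject also shifts mid-sentence ("the node won't just be absent from EPMD—it disables Erlang distribution entirely"): it reads as if the node disables distribution, when the point is that omitting the name does. Something like "Without a name, the node does not start Erlang distribution at all, so it neither registers with EPMD nor listens on a distribution port" says this directly.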
@@ -99,7 +99,7 @@ If you don’t need external clustering, ensure EPMD and the Erlang Distribution
9999
```bash
100100
-kernel inet_dist_use_interface '{127, 0, 0, 1}' -env ERL_EPMD_ADDRESS "127.0.0.1"
101101
```
102-
- Deploy firewalls, security groups, or network access control lists (ACLs) to ensure port 4369 is not reachable from untrusted networks.
102+
- Deploy firewalls, security groups, or network ACLs to ensure that no unintended ports—including 4369—are exposed to untrusted networks, leaving only the ports you explicitly intend to serve publicly accessible.
103103

104104
**2. Mitigation is Simple**
105105
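
Review bot: The reworded bullet at line 102 still names only port 4369, which is the EPMD port, although this section is about both EPMD and the Erlang Distribution ports and the command just above binds the distribution listener with inet_dist_use_interface. Name the distribution port or port range next to 4369 so readers know which ports to check in their firewall rules. The trailing clause "leaving only the ports you explicitly intend to serve publicly accessible" is also hard to parse; splitting it into its own sentence, for example "Only the ports you explicitly intend to serve should be publicly reachable.", would read more clearly. The old text spelled out "network access control lists (ACLs)"; if this is the first use of ACL in the post, keep the expansion.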
