Should a more secure cluster be achieved by restricting listening IP? #8907
Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Just like the following configuration:

Describe alternatives you've considered

No response

Additional context

No response
Replies: 2 comments
The address on which EPMD listens is already configurable: https://www.rabbitmq.com/networking.html#epmd-interface

While restricting the interfaces on which EPMD is listening is reasonable, assigning non-standard ports to everything is just pointless and confusing security-by-obscurity if you ask me. But it's up to you.
One more thing that should be mentioned is that the epmd communication protocol is very limited and some operations can only be performed by a client (such as a RabbitMQ node) that runs on the same host. So the attack surface is tiny, and all communication that happens after peer host and port discovery via epmd still uses a shared secret authentication mechanism.
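Added example, not part of the original discussion and not RabbitMQ's own code: a check of which addresses epmd is actually bound to, the setting the first reply points at. It parses `ss -H -ltn` output and flags wildcard binds on epmd's default port 4369; the sample socket lines and the function names are constructed for illustration.

```python
import ipaddress

EPMD_PORT = 4369  # epmd's default port

# Constructed samples of `ss -H -ltn` output (not captured from a real host).
SAMPLE_DEFAULT = """\
LISTEN 0 128    0.0.0.0:4369   0.0.0.0:*
LISTEN 0 128       [::]:4369      [::]:*
LISTEN 0 128  127.0.0.1:25672  0.0.0.0:*
LISTEN 0 4096         *:5672         *:*
"""
SAMPLE_RESTRICTED = """\
LISTEN 0 128  127.0.0.1:4369  0.0.0.0:*
LISTEN 0 128   10.0.0.5:4369  0.0.0.0:*
LISTEN 0 128      [::1]:4369     [::]:*
"""


def classify(host):
    """Return 'wildcard', 'loopback' or 'specific' for a local bind address."""
    if host == "*":
        return "wildcard"
    # Drop an interface scope ("%eth0") and IPv6 brackets before parsing.
    addr = ipaddress.ip_address(host.split("%")[0].strip("[]"))
    if addr.is_unspecified:
        return "wildcard"
    return "loopback" if addr.is_loopback else "specific"


def epmd_binds(ss_output, port=EPMD_PORT):
    """Return [(host, kind)] for every listening socket on the epmd port."""
    binds = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            binds.append((host, classify(host)))
    return binds


def exposed_on_all_interfaces(ss_output, port=EPMD_PORT):
    """True when epmd accepts connections on every interface."""
    return any(kind == "wildcard" for _, kind in epmd_binds(ss_output, port))


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("restricted", SAMPLE_RESTRICTED)):
        print(name, epmd_binds(sample), exposed_on_all_interfaces(sample))
```

On a real node, pass the text of `ss -H -ltn` to `epmd_binds`; a loopback entry alongside the chosen interface is expected, since local nodes register with epmd over loopback.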