Skip to content

Securing ejabberd

Firewall Settings

You need to take the following ports in mind when configuring your firewall. The ports may change depending on your ejabberd configuration. Their protocol is mostly TCP, except some UDP that are explicitely mentioned:

Port Number Description
5222 Jabber/XMPP client connections, plain or STARTTLS (ejabberd_c2s)
5223 Jabber client connections, using the old SSL method (ejabberd_c2s)
5269 Jabber/XMPP incoming server connections (ejabberd_s2s_in)
5280/5443 HTTP/HTTPS for Web Admin and many more (ejabberd_http)
1880 HTTP for Web Admin in container images, useful for desktop container apps
1883/8883 MQTT/MQTTS service (mod_mqtt)
5478/5349
UDP		 STUN+TURN/STUNS+TURNS service (ejabberd_stun)
49152-65535
UDP		 STUN+TURN service (ejabberd_stun),
configure with turn_min_port and turn_max_port
5060/5061 SIP/SIPS service (ejabberd_sip)
7777 SOCKS5 file transfer proxy (mod_proxy65)
5210 Erlang Distribution,
configure with ERL_DIST_PORT
4369 epmd listens for Erlang node name requests
random Erlang Distribution, assigned by epmd,
restrict with FIREWALL_WINDOW

Sensitive Files

ejabberd stores sensitive data in the file system either in plain text or binary files. The file system permissions should be set to only allow the proper user to read, write and execute those files and directories.

  • ejabberd configuration file: /etc/ejabberd/ejabberd.yml

    Contains the JID of administrators and passwords of external components. The backup files probably contain also this information, so it is preferable to secure the whole /etc/ejabberd/ directory.

  • ejabberd service log: /var/log/ejabberd/ejabberd.log

    Contains IP addresses of clients. If the loglevel is set to 5, it contains whole conversations and passwords. If a logrotate system is used, there may be several log files with similar information, so it is preferable to secure the whole /var/log/ejabberd/ directory.

  • Mnesia database spool files: /var/lib/ejabberd/

    The files store binary data, but some parts are still readable. The files are generated by Mnesia and their permissions cannot be set directly, so it is preferable to secure the whole /var/lib/ejabberd/ directory.

  • Erlang cookie file: /var/lib/ejabberd/.erlang.cookie

    See section Erlang Cookie.