Important PSA for EVERYONE Running a Mastodon Instance!

IF you are following this guide, or need to listen on 0.0.0.0 with ElasticSearch for some other reason:

USE A FIREWALL FOR PORTS 9200 AND 9300

Port 9200 is the HTTP port that clients (for Mastodon, the Rails process) talk to, and 9300 is the transport port ElasticSearch nodes use to talk to each other.

If no firewall is in place, anyone on the internet can connect to your ElasticSearch index and retrieve every toot stored in it, since ElasticSearch runs with no authentication at all in this guide (I do not know if Mastodon supports it; ES does, but not by default). The end result is that anyone can dump the toots indexed on your server, including those from remote instances that federate with you.

A publicly open ElasticSearch server is a menace to anyone who federates with you.

If ElasticSearch runs on the same server as Rails, make it listen on 127.0.0.1 (`network.host: 127.0.0.1` in elasticsearch.yml). There is no need to listen on 0.0.0.0 for this configuration.

Strictly speaking you also don't need a firewall if it only listens on a private IP (one that begins with 192.168., one that begins with 10., or one between 172.16.0.0 and 172.31.255.255), as long as that network really is private: on many hosting providers the "private" network is shared with other customers, so treat it as untrusted. Either way, I would personally recommend it.

When configuring a firewall, ensure that ports 9200 and 9300 are reachable only from your web host(s), and allow loopback so a local Rails process still works. Then test it from a machine that is not a web host (for example by fetching http://your-es-host:9200/ with curl: an unauthenticated node answers with its JSON banner, a firewalled one does not) and be sure.
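The steps above (pick the listen address, restrict 9200/9300 to the web hosts, verify from outside) as one added shell example. This is not part of the original PSA or of Mastodon's own tooling; it assumes the ElasticSearch host uses iptables, that the chain name `ES_ACCESS` is free to use, and that curl is installed. The rules are printed rather than applied so you can review them first.

```shell
#!/bin/sh
# Added example, not from the original PSA: lock ElasticSearch's 9200 (HTTP
# client) and 9300 (transport) ports down to the Mastodon web hosts and
# sanity-check the listen address. Assumptions (hypothetical): the ES host
# uses iptables, the chain name ES_ACCESS is unused, and curl is available.

# Classify an IPv4 listen address the way the PSA does: "loopback" needs no
# firewall, "private" (RFC 1918) is reachable from the LAN only, "public"
# (including 0.0.0.0, i.e. all interfaces) must be firewalled.
classify_listen_addr() {
    case "$1" in
        127.*)                                 echo loopback ;;
        10.*|192.168.*)                        echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        0.0.0.0)                               echo public ;;
        *)                                     echo public ;;
    esac
}

# Print the iptables commands that allow 9200/9300 only from loopback and the
# given web-host IPs (arguments) and drop everyone else. Nothing is applied:
# review the output, then pipe it to sh on the ES host.
es_firewall_rules() {
    [ $# -gt 0 ] || { echo "usage: es_firewall_rules WEB_HOST_IP..." >&2; return 1; }
    # Dedicated chain, created once and flushed on re-runs (idempotent).
    echo 'iptables -N ES_ACCESS 2>/dev/null || iptables -F ES_ACCESS'
    echo 'iptables -A ES_ACCESS -i lo -j ACCEPT'
    for host in "$@"; do
        printf 'iptables -A ES_ACCESS -s %s -j ACCEPT\n' "$host"
    done
    echo 'iptables -A ES_ACCESS -j DROP'
    # Hook the chain at the very top of INPUT, once, so that no earlier
    # blanket ACCEPT rule lets ES traffic through before it is checked.
    echo 'iptables -C INPUT -p tcp -m multiport --dports 9200,9300 -j ES_ACCESS 2>/dev/null ||'
    echo '    iptables -I INPUT 1 -p tcp -m multiport --dports 9200,9300 -j ES_ACCESS'
}

# An unauthenticated ES node answers GET / with a JSON banner that contains
# "cluster_name". Return 0 (exposed) if the given HTTP body looks like that.
es_banner_is_open() {
    printf '%s' "$1" | grep -q '"cluster_name"'
}

# Probe HOST:9200 from wherever this runs. From an outside machine the result
# must be "closed"; from a web host it should be "open". Returns 0 when open.
es_port_check() {
    host=$1
    body=$(curl -s -m 5 "http://$host:9200/" 2>/dev/null) || body=""
    if es_banner_is_open "$body"; then
        echo "open: $host:9200 answers without authentication"
        return 0
    fi
    echo "closed: $host:9200 did not answer"
    return 1
}
```

Usage: `es_firewall_rules 10.0.0.5 10.0.0.6 | sh` on the ElasticSearch host, then `es_port_check es.internal.example` (a constructed hostname) from a machine that is not a web host, expecting "closed". The DROP sits inside its own chain so the rest of your INPUT policy is untouched, and the loopback ACCEPT keeps a same-host Rails process working.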

Guides for configuring a firewall

There are many, but here are some for the most common OSes/distros:
