Port reference

Port 4369 (TCP) – Erlang Port Mapper Daemon (epmd)

Name server that maps Erlang node names to the TCP ports of their distribution listeners.

TCP | Registered | Commonly attacked

Default state

Often listening on all interfaces wherever an Erlang/Elixir app runs (RabbitMQ, CouchDB, ejabberd). epmd itself needs no auth; the real gate is the Erlang distribution cookie.

Common attacks

  • Enumerating Erlang node names and distribution ports via epmd
  • Distributed-Erlang RCE using a weak, default, or guessable cookie
  • Pivoting into RabbitMQ, CouchDB, or ejabberd back ends
  • Information disclosure about clustered nodes and topology

Hardening

  • Never expose 4369 or the distribution port range to the internet
  • Bind epmd to localhost or a private interface (ERL_EPMD_ADDRESS)
  • Use a long, random Erlang cookie and protect ~/.erlang.cookie permissions
  • Firewall epmd and the dynamic distribution ports to trusted cluster hosts
  • Enable TLS for Erlang distribution and patch the BEAM runtime

nmap snippet

nmap -p4369 --script epmd-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4369?

Port 4369 is the Erlang Port Mapper Daemon (epmd). When an Erlang or Elixir node starts distribution, it registers its node name with epmd, which then tells other nodes which TCP port to use to reach it. You'll find epmd anywhere the BEAM runtime runs clustered — notably RabbitMQ, CouchDB, and ejabberd.

Why it matters for security

epmd has no authentication of its own; it freely reveals node names and ports. The real trust boundary is the Erlang distribution cookie, a shared secret stored in ~/.erlang.cookie. If that cookie is weak, default, or guessable, anyone who reaches the distribution port can join the cluster and run arbitrary code — effectively remote code execution on the host.

How it's attacked

Attackers query epmd (e.g. the epmd-info NSE script) to enumerate node names and their distribution ports. They then attempt to connect as a peer node using a default or brute-forced cookie. A successful handshake lets them evaluate arbitrary Erlang, pivoting straight into the RabbitMQ, CouchDB, or ejabberd back end.

Hardening checklist

Never expose 4369 or the dynamic distribution port range to the internet. Bind epmd to localhost or a private interface (ERL_EPMD_ADDRESS) and firewall both epmd and the distribution ports to trusted cluster hosts. Use a long, random cookie and lock down ~/.erlang.cookie permissions. Enable TLS for Erlang distribution and keep the BEAM runtime patched. Use the nmap snippet above to check exposure on hosts you are authorized to test.
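
An added example (not part of the original page) that audits two items from the hardening checklist above: the permissions and strength of ~/.erlang.cookie, and the addresses listed in ERL_EPMD_ADDRESS. The function names are hypothetical, and the length floor, entropy floor and weak-value list are assumptions chosen for illustration.

```python
import ipaddress
import math
import os
import stat

MIN_LEN = 32    # assumption: local policy floor, not an Erlang requirement
MIN_BITS = 3.0  # assumption: crude Shannon-entropy floor, bits per character
WEAK = {"cookie", "secret", "changeme", "erlang"}  # constructed sample values


def cookie_findings(path):
    """List problems with an Erlang cookie file's permissions and content."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: cookie accessible to group or other")
    with open(path, encoding="ascii", errors="replace") as fh:
        cookie = fh.read().strip()
    if cookie.lower() in WEAK:
        findings.append("cookie is a common guessable value")
    if len(cookie) < MIN_LEN:
        findings.append(f"cookie has {len(cookie)} chars, fewer than {MIN_LEN}")
    freq = [cookie.count(c) / len(cookie) for c in set(cookie)]
    bits = -sum(p * math.log2(p) for p in freq)
    if bits < MIN_BITS:
        findings.append(f"low character diversity: {bits:.1f} bits/char")
    return findings


def epmd_bind_findings(env_value):
    """Check an ERL_EPMD_ADDRESS value: comma-separated IPs, None if unset."""
    if not env_value:
        return ["ERL_EPMD_ADDRESS unset: epmd is not restricted to an interface"]
    findings = []
    for item in (part.strip() for part in env_value.split(",")):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            findings.append(f"{item!r} is not an IP address")
            continue
        # 0.0.0.0 and :: mean "every interface", so reject them explicitly.
        if addr.is_unspecified or not (addr.is_loopback or addr.is_private):
            findings.append(f"{addr} is not a loopback or private address")
    return findings


if __name__ == "__main__":
    path = os.path.expanduser("~/.erlang.cookie")
    found = cookie_findings(path) if os.path.exists(path) else []
    print("\n".join(found + epmd_bind_findings(os.environ.get("ERL_EPMD_ADDRESS"))))
```

Run it as the account that owns the node, with the same environment epmd is started from, since that is the cookie file and ERL_EPMD_ADDRESS value the daemon actually uses.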

Frequently asked questions

Is epmd itself authenticated?

No. epmd is just a name-to-port directory and answers anyone who connects. Security depends entirely on the Erlang distribution cookie and on firewalling both 4369 and the dynamic distribution ports.

How does port 4369 lead to remote code execution?

Once an attacker learns a node name from epmd and knows or guesses the shared cookie, they can join the Erlang cluster as a node and evaluate arbitrary code on the target — full RCE on RabbitMQ, CouchDB, or ejabberd hosts.