←back to thread

Finding thousands of exposed Ollama instances using Shodan

(blogs.cisco.com)
166 points rldjbpin | 7 comments | 03 Sep 25 08:18 UTC | HN request time: 0.804s | source | bottom
Show context
ekianjo ◴[03 Sep 25 10:02 UTC] No.45114004[source]
Ollama has no auth mechanism by default... You have to wonder why they never focused on that
replies(6): >>45114024 #>>45114056 #>>45114140 #>>45114531 #>>45115062 #>>45116572 #
1. 47282847 ◴[03 Sep 25 10:25 UTC] No.45114140[source]
Separation of concerns?

If you deploy a power plug outside your house, is it the fault of the power plug designer if people steal your power?

Put it behind a webserver with basic auth or whatever you fancy, done.

replies(1): >>45114194 #
2. ekianjo ◴[03 Sep 25 10:36 UTC] No.45114194[source]
Bad analogies are bad analogies. ollama is a server system, it should expect to connect with more than one client and they know very well by now that this also means networked clients. If you create a server client protocol, implementing security is your job.
replies(5): >>45114234 #>>45114298 #>>45116601 #>>45116716 #>>45117190 #
3. phito ◴[03 Sep 25 10:42 UTC] No.45114234[source]
Any decent router is going to block connections from internet to your local network by default. For ollama to be accessible from the outside, they had to allow it explicitly. There's no way to blame ollama for this.
4. graemep ◴[03 Sep 25 10:53 UTC] No.45114298[source]
Lots of servers do not, Redis for instance does not have auth by default, and IIRC did not have auth at all for a long time.
5. Zambyte ◴[03 Sep 25 14:59 UTC] No.45116601[source]
> If you create a server client protocol, implementing security is your job.

Yes, this goes right along with the tried and true Unix philosophy: do everything, poorly. Wait what?

6. kube-system ◴[03 Sep 25 15:09 UTC] No.45116716[source]
The client-server pattern is frequently used locally.
7. jrm4 ◴[03 Sep 25 15:50 UTC] No.45117190[source]
I cannot express how deeply wrong you are about this; a "server system" is not some mandate that it should be production ready for a ton of people on the internet.

This is a program that very different people want or need to try out that just so happens to involve a client-server architecture.