Most active commenters

    ←back to thread

    Finding thousands of exposed Ollama instances using Shodan

    (blogs.cisco.com)
    166 points rldjbpin | 13 comments | 03 Sep 25 08:18 UTC | HN request time: 0.489s | source | bottom
    1. alexandru_m ◴[03 Sep 25 10:25 UTC] No.45114142[source]
    Apparently, protecting the API is not planned: https://github.com/ollama/ollama/issues/849

    For my own purposes I either restrict ollama's ports in the firewall, or I put some proxy in front of it that blocks access of some header with some predefined api key is not present. Kind of clunky, but it works.

    replies(5): >>45114147 #>>45114943 #>>45114992 #>>45117832 #>>45120566 #
    2. alexandru_m ◴[03 Sep 25 10:27 UTC] No.45114147[source]
    Correction: ...blocks access IF some header...
    3. omneity ◴[03 Sep 25 12:33 UTC] No.45114943[source]
    Yeah it’s a pretty crazy decision to be honest. Flashbacks to MongoDB and ElasticSearch’s early days.

    Fortunately it’s an easy fix. Just front it with nginx or caddy and expect a bearer token (that would be your api key)

    replies(2): >>45118733 #>>45120587 #
    4. kaptainscarlet ◴[03 Sep 25 12:37 UTC] No.45114992[source]
    You can easily protect the api with nginx basic auth
    5. time0ut ◴[03 Sep 25 16:39 UTC] No.45117832[source]
    That is unfortunate. Not because I think they should have to, but because they eventually will have to if it gets big enough. Never underestimate the ability of your users to hold it wrong.

    The default install only binds to loopback, so I am sure it is pretty common to just slap OLLAMA_HOST=0.0.0.0 and move on to other things. I know I did at first, but my host isn't publicly routable and I went back the same night and added IPAddressDeny/Allow rules (among other standard/easy hardening).

    6. TomK32 ◴[03 Sep 25 18:03 UTC] No.45118733[source]
    Early MongoDB adapter here who still likes it. If your internal services are accessible from outside you are doing it wrong. Neither MongoDB nor ES or ollama are services that my applications would access through a public IP and whenever a dev asks me for access to the DB from the comfort of their home office I tell them what VPN to log into.

    Even if those services had some access protection, I simply must assume that the service has some security leak that allows unauthorized access and the first line of defense against that is not having it on the public internet.

    replies(3): >>45118847 #>>45119171 #>>45119450 #
    7. cortesoft ◴[03 Sep 25 18:15 UTC] No.45118847{3}[source]
    On the flipside, you can also argue that if you are relying on network access to protect your internal services, you are doing it wrong. If the only thing you need to take over a service is access to its internal network, you are setting yourself up to be owned.
    replies(1): >>45124884 #
    8. harrall ◴[03 Sep 25 18:49 UTC] No.45119171{3}[source]
    Tell that to the kids at my high school in 2004 screwing with all the unprotected services across the whole school district-wide network.

    Or the worms that scan for vulnerable services and install persistent threats.

    If you want to remove the password on a service, that’s your choice. The default should have a password though and then people can decide.

    replies(1): >>45124832 #
    9. omneity ◴[03 Sep 25 19:14 UTC] No.45119450{3}[source]
    You are assuming the only threats can come from outside.

    Defense in depth is essential in an age of unreliable software supply chain.

    10. ozim ◴[03 Sep 25 21:23 UTC] No.45120566[source]
    I don’t think proxy is clunky. I would expect that should be quite fine solution.

    Problem is people don’t know that it’s a good solution.

    11. ozim ◴[03 Sep 25 21:26 UTC] No.45120587[source]
    I would say it is reasonable decision as fronting with proxy is quite good approach. Unfortunately lots of non tech people want to “just run it”
    12. dns_snek ◴[04 Sep 25 08:02 UTC] No.45124832{4}[source]
    Decide what? Slapping a simple, naive login screen on top of a service that was never designed to fend off attacks from untrusted networks doesn't fix the actual issue, which is the fact that an administrator exercised bad judgement and made it accessible to untrusted networks.
    13. dns_snek ◴[04 Sep 25 08:11 UTC] No.45124884{4}[source]
    Yes but nobody is stopping you from adding your own proxy which enforces any type of authentication you like, and in my opinion that's the more sensible approach here anyway.

    I don't think it's sensible to expect every project like Ollama to ship their own half-broken authentication and especially anything resembling a "zero trust" implementation. You can easily front Ollama with a reverse proxy which does those things if you'd like. Each component should do one thing well.

    I trust Nginx to verify client certificates correctly so I can be confident that only traffic from trusted users is able to reach whatever insecure POS is hiding behind it.