zmstone
reviewed
Feb 13, 2026
| The host operating system is the first line of defense against resource exhaustion and volumetric attacks. | ||
|
|
||
| - [Authorization](./authz/authz.md) | ||
| - [ ] **Kernel Tuning**: Set `fs.file-max` and `fs.nr_open` > 2 million to ensure the host can allocate enough sockets for massive concurrent connections. For more information, see [Performance Tuning](../performance/tune.md) |
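Review bot: the Kernel Tuning item on the last line of this hunk names only the sysctls `fs.file-max` and `fs.nr_open`, which are ceilings; the broker process still needs its own open-file limit raised (for example `ulimit -n` or systemd `LimitNOFILE`) before it can use them. Suggest adding that step, replacing "> 2 million" with a concrete value to set, and ending the sentence with a period after the Performance Tuning link.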
Member
Please also add: turn off swap memory (see details in the tune doc). It's the 1st item in the tune doc, but yet a lot don't notice.
zmstone
reviewed
Feb 13, 2026
| Hardening the Erlang runtime is critical to defending against lateral movement and unauthorized cluster access. | ||
|
|
||
| EMQX provides a blacklisting/banning functionality. System admins can block certain clients from accessing EMQX via Dashboard or HTTP API with their client ID, user name, or IP address. | ||
| - [ ] **Cookie**: Replace the default cookie with a high-entropy, 32+ character random string to prevent rogue nodes from joining the cluster. |
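Review bot: the Cookie item at the end of this hunk asks for a "high-entropy, 32+ character random string" but does not say how the value is produced or handled, so a hand-typed 32-character string would tick the box. Suggest stating that the cookie is generated by a cryptographic random generator, is set to the same value on every node of the cluster, and is kept out of version control and world-readable files.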
Member
Suggested change
| - [ ] **Cookie**: Replace the default cookie with a high-entropy, 32+ character random string to prevent rogue nodes from joining the cluster. | |
| - [ ] **Cookie**: Replace the default cookie with a high-entropy, 32+ character random alphanumeric string to prevent rogue nodes from joining the cluster. |
zmstone
reviewed
Feb 13, 2026
| This layer enforces granular access control and resource protection for authenticated clients. Authentication and Authorization mechanisms are essential for verifying client identities and controlling publish/subscribe operations. | ||
|
|
||
| - [ ] **Authentication**: Ensure a non-empty authentication chain is configured to prevent anonymous connections. | ||
| - [ ] **Authorization**: Implement ACLs with a strict "Deny by Default" final rule to isolate device traffic. |
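Review bot: the Authorization item on the last line asks for a "Deny by Default" final rule but does not say where that rule lives or what happens when no rule or authorization source matches a request. Suggest naming the place it is configured and adding the fallback explicitly (in EMQX 5.x the `authorization.no_match` setting), so an ACL list that is empty or unreachable does not end up allowing traffic.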
Member
Make sure the last rule in acl.conf is {deny, all}.
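A check for the final-rule condition in the comment above, as an added example (not part of the pull request or of EMQX's code): it splits acl.conf text into Erlang terms, ignoring `%` comments and string contents, and tests that the last effective term is `{deny, all}`. The sample rules are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in acl.conf syntax (Erlang terms, '%' starts a comment).
SAMPLE_OK = '''
%% dashboard may read system topics
{allow, {username, "dashboard"}, subscribe, ["$SYS/#"]}.
{allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
{deny, all}.   % final catch-all
'''
# Same file with the catch-all flipped: everything unmatched is allowed.
SAMPLE_OPEN = SAMPLE_OK.replace("{deny, all}.", "{allow, all}.")


def split_terms(text):
    """Return the top-level terms, skipping comments and honouring strings."""
    terms, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            buf.append(c)
            if c == "\\" and i + 1 < len(text):  # keep escaped char verbatim
                i += 1
                buf.append(text[i])
            elif c == '"':
                in_str = False
        elif c == "%":  # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif c == "." and depth == 0:  # term terminator
            if "".join(buf).strip():
                terms.append("".join(buf).strip())
            buf = []
        else:
            in_str = c == '"'
            depth += (c in "{[") - (c in "}]")
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        raise ValueError("unterminated term at end of file")
    return terms


def ends_with_deny_all(text):
    """True only if the last effective rule is exactly {deny, all}."""
    terms = split_terms(text)
    return bool(terms) and re.sub(r"\s+", "", terms[-1]) == "{deny,all}"
```

A commented-out `%% {deny, all}.` at the end of the file does not count, because comments are dropped before the last term is compared.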
No description provided.