Summary
The telemt engine binds its Prometheus metrics endpoint (/metrics) and internal stats endpoint to 0.0.0.0 on ports 9090 and 9091, making them reachable from any network interface. The README states these are localhost only:
Prometheus endpoint: /metrics on port 9090 (localhost only)
config.toml does include metrics_whitelist = ["127.0.0.1", "::1"], but this appears to control request-level filtering, not the socket binding address. The process still listens on all interfaces.
Observed
$ ss -tlnp | grep -E "9090|9091"
LISTEN 0 128 0.0.0.0:9091 0.0.0.0:* users:(("telemt",...))
LISTEN 0 1024 0.0.0.0:9090 0.0.0.0:* users:(("telemt",...))
LISTEN 0 1024 [::]:9090 [::]:* users:(("telemt",...))
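As an added check (not part of the original report), the POSIX shell function below scans `ss -tlnp` output and flags any listener on the metrics ports whose local address is not loopback; the sample lines are constructed to match the output above, and the port list and "loopback" rule are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original issue: flag metrics listeners that are
# bound to a non-loopback address in `ss -tlnp` output. On a real host, run:
#   ss -tlnp | check_metrics_exposure
set -u

# Ports the README describes as localhost-only (assumption for this example).
METRICS_PORTS="9090 9091"

# Reads `ss -tlnp` lines on stdin. Prints "EXPOSED <addr>:<port>" for every
# LISTEN socket on a metrics port whose local address is not 127.x or [::1].
# Always returns 0 so it can be used inside command substitution.
check_metrics_exposure() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue          # skips the header line too
        port=${laddr##*:}                            # 0.0.0.0:9090 -> 9090, [::]:9090 -> 9090
        addr=${laddr%:*}                             # 0.0.0.0:9090 -> 0.0.0.0, [::]:9090 -> [::]
        for p in $METRICS_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.*|'[::1]') ;;                    # loopback only: matches the README claim
                *) echo "EXPOSED $laddr" ;;          # reachable from other interfaces
            esac
        done
    done
    return 0
}

# Constructed sample: the three listeners from the report plus one loopback-only
# listener that must not be flagged.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:9091 0.0.0.0:* users:(("telemt",...))
LISTEN 0 1024 0.0.0.0:9090 0.0.0.0:* users:(("telemt",...))
LISTEN 0 1024 [::]:9090 [::]:* users:(("telemt",...))
LISTEN 0 128 127.0.0.1:9091 0.0.0.0:* users:(("other",...))'

# Constructed sample of the expected state after a fix: loopback bindings only.
SAFE_SS_OUTPUT='LISTEN 0 1024 127.0.0.1:9090 0.0.0.0:* users:(("telemt",...))
LISTEN 0 1024 [::1]:9090 [::]:* users:(("telemt",...))
LISTEN 0 128 127.0.0.1:9091 0.0.0.0:* users:(("telemt",...))'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_metrics_exposure
```

Run it after applying the workaround or a fixed build: an empty result means every metrics listener is loopback-only, while any `EXPOSED` line means the port is still reachable on a non-loopback interface and needs the external firewall rule.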
Impact
Without an external firewall (cloud security group / iptables), the metrics endpoint is internet-reachable and leaks:
- Per-user traffic counters (bytes in/out per secret label)
- Live active connection count per user
- Engine version and uptime
- Configured cover domain
- Connection/handshake/rejection statistics
Anyone scanning the server's IP can fingerprint it as an MTProxy instance and enumerate per-user statistics.
Environment
- MTProxyMax v1.0.5
- telemt v3.3.39-bc69153
- Ubuntu 24.04, aarch64
- Docker host-network mode (container runs --network host)
Expected behaviour
Port 9090/9091 should either:
- Bind to 127.0.0.1 only (matching the README claim), or
- The README should be corrected to state that an external firewall is required to restrict access, and the install docs / mtproxymax firewall guide should mention this explicitly
Workaround
Add a cloud provider firewall rule (Hetzner Cloud Firewall, AWS Security Group, etc.) to block inbound TCP 9090 and 9091 from 0.0.0.0/0. Since telemt runs in Docker host-network mode, standard UFW rules are bypassed by Docker's iptables chain — a host-external firewall is the most reliable mitigation.