banner
andrewji8

Being towards death

Heed not to the tree-rustling and leaf-lashing rain, Why not stroll along, whistle and sing under its rein. Lighter and better suited than horses are straw sandals and a bamboo staff, Who's afraid? A palm-leaf plaited cape provides enough to misty weather in life sustain. A thorny spring breeze sobers up the spirit, I feel a slight chill, The setting sun over the mountain offers greetings still. Looking back over the bleak passage survived, The return in time Shall not be affected by windswept rain or shine.
telegram
twitter
github
HomeArchives

Free access to the DeepSeek‑R1 model on the internet

#技术102
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
To set up and secure an Ollama model service using ChatBox, follow these steps: 1. **Download and Install**: Obtain the appropriate ChatBox client for your operating system from the official website and configure the API address to your target machine. 2. **Use FOFA for Open Interface Queries**: FOFA is a search engine that can help identify publicly exposed services, including those improperly configured to be accessible. 3. **Configure API Address**: Ensure the API address in ChatBox is set to your target machine's address. 4. **Prevent Unauthorized Access**: - **Limit Listening Address**: Modify the Ollama service configuration to bind to `127.0.0.1` instead of `0.0.0.0`, ensuring it only listens locally. - **Set Firewall Rules**: For Windows, create an inbound rule in the Windows Defender Firewall to allow access only from trusted internal IPs. For Linux, use `ufw` to allow access from specific IP ranges and deny others. - **Enable Authentication**: Implement basic authentication using Node.js/Express or configure it in web servers like Apache/Nginx to restrict access to authorized users only. By following these steps, you can effectively use and secure your Ollama deployment.

Step 1: Download and Install#

Download the client version suitable for your operating system from the ChatBox official website and install it.
https://chatboxai.app/en
Configure the API interface
In the ChatBox settings, configure the API address to the target machine's address, for example:

image

Step 2: Query Open Ollama Interfaces via FOFA#

FOFA is a powerful cyberspace search engine that can help us filter publicly exposed services worldwide. For machines that have deployed Ollama, as long as their service configuration is improper (for example, bound to 0.0.0.0 and firewall rules are loose), they may be discovered by FOFA.

https://en.fofa.info/

image

Step 3: In the ChatBox settings, configure the API address to the target machine's address#

image

image

Remember to save.
Then you can use it happily.

Step 4:#

How to Prevent Your Local Deployment from Being Remotely Exploited by Others#

If you have deployed the Ollama model service locally but do not want others to access it freely (i.e., "being exploited"), you can refer to the following security measures and follow the beginner's steps:

4.1 Limit Listening Address#

Steps (taking Linux as an example):#

  1. Find the Configuration File

    • Locate the configuration file for the Ollama service (e.g., /etc/ollama/config.conf), and look for a setting like bind_address = 0.0.0.0.

  2. Modify the Binding Address

    • Change the binding address to 127.0.0.1, for example: 
      bind_address = 127.0.0.1
port = 11434

  3. Save and Restart the Service

    • After saving the configuration file, run: 
      sudo systemctl restart ollama
    • This way, the service will only listen on the local machine, and external access will not be possible.

4.2 Configure Firewall Rules#

Windows Environment:#

  1. Open "Control Panel" → "System and Security" → "Windows Defender Firewall," and click on "Advanced settings."
  2. Create a new inbound rule, select "Port," specify TCP and port number 11434.
  3. Choose "Allow the connection," and in "Remote IP addresses," only add the internal IP range you trust (e.g., 192.168.1.0/24).
  4. After saving the rule, access requests from other IPs will be denied.

Linux Environment (taking ufw as an example):#

  1. Enable ufw: 
    sudo ufw enable
  2. Allow access from internal IPs: 
    sudo ufw allow from 192.168.1.0/24 to any port 11434
  3. If the default policy is not to deny, you can add a deny rule: 
    sudo ufw deny 11434
  4. Check the rules to confirm: 
    sudo ufw status verbose

4.3 Enable Authentication and Access Control#

If the service must be open to the outside, you can add authentication at the application layer:

Simple Authentication Based on Node.js/Express:#

  • Use the basic-auth module to add authentication middleware in the code, allowing only users who enter the correct username and password to access the service.

Web Server (Apache/Nginx) Basic Authentication Configuration:#

  • Use the htpasswd tool to generate a password file, then enable basic authentication in Apache's .htaccess or Nginx configuration.
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.