NC-OLLAMA-001

Ollama not externally accessible

🔴 Critical   🔌 Plugin Expanded   📊 Contributes to expanded score

What this checks

Checks whether Ollama is running and, if so, whether its API port is bound to a public network interface (0.0.0.0) rather than to localhost only. The port is discovered automatically: if the OLLAMA_HOST environment variable is set, the port it specifies is used; otherwise the default port 11434 is checked. An externally accessible Ollama instance lets anyone on the network (or the internet) run model inference, list your models, and exfiltrate data, all without any authentication.

Why it matters

In early 2026, security researchers (SentinelLABS and Censys) found over 175,000 publicly exposed Ollama instances. Attackers are actively exploiting these in "LLMjacking" campaigns: hijacking local models for compute-intensive tasks, exfiltrating model weights, and using exposed endpoints as proxies. Ollama has no built-in authentication, so binding to 0.0.0.0 is the single most dangerous misconfiguration in self-hosted AI setups.

How to fix it

Restrict Ollama to localhost

macOS (launchd):

launchctl setenv OLLAMA_HOST "127.0.0.1"
# Then restart Ollama from the menu bar or:
killall ollama && open -a Ollama

macOS (persistent, via ~/.zshrc or ~/.bashrc):

echo 'export OLLAMA_HOST=127.0.0.1' >> ~/.zshrc
source ~/.zshrc

Linux (systemd):

sudo systemctl edit ollama
# Add to the [Service] section:
[Service]
Environment="OLLAMA_HOST=127.0.0.1"

sudo systemctl daemon-reload && sudo systemctl restart ollama

Verify:

# Run locally, this should succeed. Run from another machine, with this host's
# address in place of localhost, it should fail with "connection refused":
curl http://localhost:11434/api/tags

If other machines on your LAN legitimately need access, consider binding to a specific LAN IP and controlling access via firewall rules rather than binding to 0.0.0.0.

Technical details

Field             Value
Control ID        NC-OLLAMA-001
Domain            OLLAMA
Severity          Critical
Status            Expanded (Plugin only)
Data source       OLLAMA_HOST env var (port discovery) + lsof -i :<port>
Port discovery    Reads OLLAMA_HOST to find configured port; falls back to 11434
Mode              Mode 2 (System-level requires plugin expanded mode)
Introduced in     Library v0.2.0
OWASP LLM 2025    LLM02: Sensitive Information Disclosure
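
The check described under "What this checks" and in the Data source / Port discovery rows above, written out as a small POSIX shell script. This is an added example, not clawvitals' own plugin code: the function names (ollama_port, classify_bind, assess_listeners, check_ollama_exposure) are this example's own, and the lsof output it parses at the end is constructed sample data rather than a capture from a real host. It goes slightly beyond the page by also treating a bind to a single non-loopback address as a warning rather than a pass, which is the "specific LAN IP plus firewall" case mentioned under "How to fix it".

```shell
#!/bin/sh
# Added example (not clawvitals' code). Reproduces the NC-OLLAMA-001 logic:
# discover the API port from OLLAMA_HOST, then inspect what lsof reports as
# the listening address for that port.

# Derive the API port from an OLLAMA_HOST value. Ollama accepts a bare host,
# host:port, :port, or a URL; when no port is given, 11434 is the default.
ollama_port() {
  h=${1#http://}; h=${h#https://}; h=${h%/}
  case "$h" in
    *\]:*)   p=${h##*:} ;;   # [v6]:port
    \[*\])   p= ;;           # [v6] with no port
    *:*:*)   p= ;;           # bare IPv6 such as ::1, no port part
    *:*)     p=${h##*:} ;;   # host:port or :port
    *)       p= ;;           # bare host or empty
  esac
  case "$p" in
    ''|*[!0-9]*) echo 11434 ;;
    *)           echo "$p" ;;
  esac
}

# Classify the address:port token from lsof's NAME column.
#   public    -> all interfaces (*, 0.0.0.0, [::]): this is the finding
#   loopback  -> 127.x / localhost / [::1]: the desired state
#   interface -> one specific address: reachable from that network segment
classify_bind() {
  addr=${1%:*}
  case "$addr" in
    '*'|0.0.0.0|'[::]')            echo public ;;
    127.*|localhost|'[::1]'|'::1') echo loopback ;;
    *)                             echo interface ;;
  esac
}

# Read `lsof -nP -iTCP:<port> -sTCP:LISTEN` output on stdin and print one verdict:
#   FAIL         a listener is bound to all interfaces
#   WARN         bound only to specific non-loopback address(es)
#   PASS         loopback only
#   NOT_RUNNING  nothing is listening on the port
assess_listeners() {
  verdict=NOT_RUNNING
  while read -r line; do
    case "$line" in COMMAND*|'') continue ;; esac   # header row or blank line
    addr=${line% (LISTEN)}      # drop the trailing state column
    addr=${addr##* }            # keep the last remaining field: addr:port
    case "$(classify_bind "$addr")" in
      public)    verdict=FAIL ;;
      interface) if [ "$verdict" != FAIL ]; then verdict=WARN; fi ;;
      loopback)  if [ "$verdict" = NOT_RUNNING ]; then verdict=PASS; fi ;;
    esac
  done
  echo "$verdict"
}

# Live check on this machine (needs lsof; -nP keeps addresses and ports numeric).
check_ollama_exposure() {
  port=$(ollama_port "${OLLAMA_HOST:-}")
  lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null | assess_listeners
}

# Constructed sample lsof output (not from a real host) for a stand-alone run.
SAMPLE_EXPOSED='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ollama  41001 alice    3u  IPv4 0x1a2b      0t0  TCP *:11434 (LISTEN)'
SAMPLE_LOCAL='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ollama  41001 alice    3u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:11434 (LISTEN)'

printf 'exposed sample: %s\n' "$(printf '%s\n' "$SAMPLE_EXPOSED" | assess_listeners)"
printf 'local sample:   %s\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | assess_listeners)"
```

To use it against a real machine, source the file and call check_ollama_exposure; a FAIL verdict corresponds to this finding, and a WARN is the LAN-IP case that should be backed by firewall rules before it is excluded.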

False positive notes

If Ollama is intentionally accessible on your LAN (e.g. a shared inference server), and access is controlled via firewall rules, you can exclude this control. Document the reason clearly.

Suppress this finding

If this finding is intentional or not applicable to your setup:

clawvitals exclude NC-OLLAMA-001 reason "LAN-only, protected by firewall"