Breach report
Ollama in the open: 1,139 LLM servers on Shodan, hundreds answering with no auth
What happened
Cisco researchers scanned Shodan for exposed Ollama servers — a popular tool for self-hosting local LLMs — and found 1,139 instances reachable on Ollama's default port 11434. Of those, 214 (about 18.8%) were actively hosting and responding with live models, requiring no credentials; the rest were reachable but dormant. Because the endpoints enforced no authentication, anyone could send prompts, enumerate and pull models, run model-extraction attacks through repeated querying, upload and execute models, and consume the host's compute at will. Exposure concentrated in the United States, China, and Germany.
Root cause
Ollama, like many self-hosted AI runtimes, binds an HTTP API with no authentication by default (CWE-306, missing authentication for a critical function). Operators expose the port to the internet — often to reach it from another machine — without putting an auth layer or network boundary in front. The server works and answers prompts, so it looks fine; the missing invariant is "only authorized callers may use this model and this hardware." An open inference endpoint is a free GPU and a data-exfiltration surface for anyone who finds it.
How it would have been caught
An external check that curls the model API from off-host with no credentials and asserts the request is refused flips red against any exposed instance. An asset scan for port 11434 (and equivalent LLM-runtime ports) reachable from the public internet catches the exposure. The reproduction is a single unauthenticated POST /api/generate that returns a completion.
How to prevent it
- Do not expose inference runtimes directly to the internet. Bind to localhost, and reach them through an authenticated reverse proxy or a private network/VPN.
- Require authentication and rate limiting on every model endpoint; treat compute as a billable resource worth protecting.
- Continuously scan your own address space for open AI ports and fail the check if any respond to unauthenticated prompts.
The Breachwire test (red → green)
From an external host with no credentials, send a prompt to the model API and confirm it returns a completion — the RED proof the server is open. Put the runtime behind an authenticated proxy or bind it to localhost/VPN, then confirm the same unauthenticated external request is refused, while an authorized internal caller still gets completions.