How can I secure an Open ElasticSearch Server?

What is an 'Open ElasticSearch Server'?
Your ElasticSearch instance is currently reachable from the internet without any protection, so anyone can access it and possibly take full control of it.

This is especially problematic if dynamic scripting is enabled on the instance, because the scripting engine can be abused to launch a denial of service attack.

Recommended action
You should configure your firewall to only allow connections from trusted sources. ElasticSearch usually listens on port 9200/tcp. To restrict it, take the following three steps:

1. Create rules to allow any services you still need. At a minimum you must allow SSH so that you can still log in to the server; to allow SSH from anywhere, whitelist port 22. The example below uses ufw (Uncomplicated Firewall) on Linux:

sudo ufw allow 22

2. Allow connections from your trusted IP address to ElasticSearch by entering the following command (replace YOURTRUSTEDIP with that address):

sudo ufw allow from YOURTRUSTEDIP to any port 9200

As ufw is installed but not enabled by default, you might need to enable it:

sudo ufw enable

3. Finally, check the status of ufw:

sudo ufw status

If everything is correct, the output should look like this:

Status: active

To Action From
-- ------ ----
9200 ALLOW YOURTRUSTEDIP

Once ufw is enabled and port 9200 is protected, you can allow ElasticSearch to listen for external connections.
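A small checker for the three steps above, written as an added example for this article (it is not part of the original page or of ufw itself). It parses the plain-text output of `sudo ufw status`, as shown above, and reports whether 9200 is still open to "Anywhere", is restricted to a source other than your trusted IP, or whether the SSH rule from step 1 is missing; the trusted address 203.0.113.10 in the constructed sample is a placeholder for YOURTRUSTEDIP.

```python
import re
import sys

ES_PORT, SSH_PORT = "9200", "22"

# Constructed `sudo ufw status` sample; 203.0.113.10 is a documentation address standing in for YOURTRUSTEDIP.
SAMPLE_STATUS = """Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
9200                       ALLOW       203.0.113.10
22 (v6)                    ALLOW       Anywhere (v6)
"""

# One rule line: "<to> <ACTION [IN|OUT|FWD]> <from>"; the header and separator lines do not match.
RULE_RE = re.compile(r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>(?:ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT|FWD))?)\s+(?P<src>.+?)\s*$")


def parse_ufw_status(text):
    """Return (active, rules); rules is a list of (to, action, from) tuples in table order."""
    active, rules = False, []
    for line in text.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        elif m := RULE_RE.match(line):
            rules.append((m["to"], m["action"], m["src"]))
    return active, rules


def port_of(to_field):  # '9200/tcp' -> '9200', '22 (v6)' -> '22'
    return to_field.split()[0].split("/")[0]


def check_es_exposure(text, trusted_ip):
    """Return findings; an empty list means the ufw state matches steps 1-3 above."""
    active, rules = parse_ufw_status(text)
    inbound = [r for r in rules if r[1].startswith("ALLOW") and not r[1].endswith("OUT")]
    findings = [] if active else ["ufw is not active; rules are not enforced"]
    es_rules = [r for r in inbound if port_of(r[0]) == ES_PORT]
    if not es_rules:
        findings.append("no inbound ALLOW rule for 9200; the trusted IP cannot reach ElasticSearch")
    for _to, _action, src in es_rules:
        if src.startswith("Anywhere"):
            findings.append(f"9200 is open to {src}: ElasticSearch is still exposed")
        elif src.split()[0] != trusted_ip:
            findings.append(f"9200 allowed from unexpected source {src}")
    if not any(port_of(r[0]) == SSH_PORT for r in inbound):
        findings.append("no inbound ALLOW rule for SSH (22); enabling ufw may lock you out")
    return findings


if __name__ == "__main__":  # usage: sudo ufw status | python3 check_ufw.py YOURTRUSTEDIP
    print("\n".join(check_es_exposure(sys.stdin.read(), sys.argv[1]) or ["ufw rules look correct"]))
```

Run it on the server after step 3; it only reads the ufw output and changes nothing.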


To verify that the port is actually closed to untrusted hosts, scan it with the 'nmap' tool from a machine that is not your trusted IP (a scan from the server itself would not pass through the firewall rules):

sudo nmap -sS -p 9200 <ip address here>
