HowTo - Secure an Open ElasticSearch Server?

Elasticsearch is a real-time distributed data search and analysis platform. Its popularity is due to its ease of use, robust features, and scalability. It is a free and open-source search engine supported by a reputable company, Elastic. Because of its combination, it is suitable for a wide range of applications, from personal testing to corporate integration. 

Because Elasticsearch lacks built-in security, anyone who can use the HTTP API can manage it. This could be especially troublesome if dynamic scripting is enabled in this instance. A denial of service attack can be launched using the scripting engine. 

Securing Elasticsearch on Ubuntu 

If you need to enable remote access to the HTTP API, you can limit network exposure by using Ubuntu's default firewall, UFW. 

Before activating UFW, add the necessary rules. Remote SSH access necessitates allowing access on port 22. (or the custom port if you changed the default SSH configuration). 

1. In the terminal, type: 

sudo ufw allow 22 

2. We'll now configure the firewall to enable access to the trusted remote host's default Elasticsearch HTTP API port (TCP 9200), which is usually the server you're using in a single-server setup. 

sudo ufw allow from YOURTRUSTEDIP to any port 9200 

Replace YOURTRUSTEDIP with the IP address of the remote machine from which Elasticsearch will be accessed. 

3. Once that's done, use the following command to enable UFW: 

sudo ufw enable 

4. Finally, use the following command to verify the status of UFW: 

sudo ufw status 

If you have specified the rules correctly, you should receive output like this: 

Status: active 
To                         Action      From
--                         ------      ----
9200                       ALLOW      YOURTRUSTEDIP 

Elasticsearch port 9200 should now be protected by the UFW, which has been activated and configured. 

Securing Elasticsearch on CentOS 7 

Elasticsearch is set up to listen solely on the localhost network interface by default, which means that distant connections are not possible. 

Only after you've completed the preceding steps should you consider permitting Elasticseach to listen on network interfaces other than localhost.  

1. Open the elasticsearch.yml file to adjust the network exposure: 

sudo nano /etc/elasticsearch/elasticsearch.yml 

2. Find the line containing network.host in this file, uncomment it by deleting the # character at the line's beginning, and then modify the value to the IP address of the protected network interface. This is what the line will look like: 

/etc/elasticsearch/elasticsearch.yml 
...
network.host: YOURTRUSTEDIP
... 

Replace YOURTRUSTEDIP with the IP address of the remote machine from which Elasticsearch will be accessed. 

3. You may also deactivate scripts that are used to evaluate custom expressions for further security. An attacker could infiltrate your environment by creating a bespoke harmful expression. 

Add the following line at the end of the /etc/elasticsearch/elasticsearch.yml file to disable custom expressions: 

/etc/elasticsearch/elasticsearch.yml 
...
script.allowed_types: none
... 

4. Elasticsearch must be restarted for the above modifications to take effect. 

sudo service elasticsearch restart 
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section