Elasticsearch is a powerful search engine, but it lacks built-in security features in its default open-source configuration. By default, it assumes it is running in a trusted environment.
Leaving port 9200 open to the public internet allows anyone to delete your data, steal your information, or install ransomware.
You must restrict access using a firewall.
Step 1: Restrict Network Access (Firewall)
Before configuring Elasticsearch to listen on a public interface, you must ensure only your trusted IP address can connect to it.
Option A: UFW (Ubuntu / Debian)
1. First, ensure you don't lock yourself out by allowing SSH:
sudo ufw allow 22/tcp
2. Allow access to Elasticsearch (Port 9200) only from your trusted IP (e.g., your office VPN or web server):
# Syntax: sudo ufw allow from <TRUSTED_IP> to any port 9200
sudo ufw allow from 1.2.3.4 to any port 9200
3. Enable the firewall:
sudo ufw enable
sudo ufw status
Option B: FirewallD (CentOS / AlmaLinux / RHEL)
1. Add a "Rich Rule" to accept traffic from your trusted IP on port 9200:
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.2.3.4" port protocol="tcp" port="9200" accept'
2. Reload the firewall to apply changes:
sudo firewall-cmd --reload
Step 2: Configure Network Binding
By default, Elasticsearch only listens on localhost. Once your firewall is secure (Step 1), you can configure it to listen on your public or private network interface.
1. Open the configuration file:
sudo nano /etc/elasticsearch/elasticsearch.yml
2. Find the network.host setting. Uncomment it and set it to your server's IP address:
# /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.1.10 # Use your server's private or public IP
Step 3: Hardening (Disable Scripting)
To prevent attackers from executing malicious code via the API (should they bypass the firewall), it is recommended to disable inline scripting if you do not use it.
1. Add the following line to the end of elasticsearch.yml:
script.allowed_types: none
2. Restart Elasticsearch to apply all changes:
# Ubuntu / Debian
sudo systemctl restart elasticsearch
# CentOS / RHEL
sudo systemctl restart elasticsearch
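After the restart, the three steps above can be checked from the shell. The following audit script is an added example and not part of the original guide; it assumes you pass it the path to elasticsearch.yml and a file holding saved `sudo ufw status` output, and the weak sample inputs it writes under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper, not part of the original guide. It checks an
# elasticsearch.yml and a saved `sudo ufw status` listing against the
# three steps above; file paths are supplied by the caller.

# Print the effective network.host; the last uncommented setting wins,
# and Elasticsearch's default of localhost is assumed when it is absent.
es_network_host() {
    h=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${h:-localhost}"
}

# Return 0 (true) when the config binds to every interface, which Step 2 avoids.
es_binds_all_interfaces() {
    case "$(es_network_host "$1")" in
        0.0.0.0|::|_global_) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when script.allowed_types is set to none (Step 3).
es_scripting_disabled() {
    grep -q '^[[:space:]]*script\.allowed_types:[[:space:]]*none' "$1"
}

# Return 0 when a ufw ALLOW rule for port $2 accepts traffic from Anywhere,
# meaning the source restriction of Step 1 is missing. $1 = ufw status file.
ufw_port_open_to_anyone() {
    awk -v p="$2" '{ split($1, f, "/") }
        f[1] == p && $2 == "ALLOW" && $3 == "Anywhere" { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Print one line per finding and return the number of findings (0 = hardened).
audit_es() {  # $1 = elasticsearch.yml, $2 = ufw status file
    n=0
    es_binds_all_interfaces "$1" && { echo "network.host binds all interfaces"; n=$((n+1)); }
    es_scripting_disabled "$1" || { echo "script.allowed_types is not none"; n=$((n+1)); }
    ufw_port_open_to_anyone "$2" 9200 && { echo "port 9200 reachable from Anywhere"; n=$((n+1)); }
    return $n
}

# Constructed sample of a weak deployment, embedded so the script runs offline.
tmp=$(mktemp -d)
printf 'network.host: 0.0.0.0\n' > "$tmp/weak.yml"
printf 'To      Action  From\n--      ------  ----\n22/tcp  ALLOW   Anywhere\n9200    ALLOW   Anywhere\n' > "$tmp/weak.ufw"
audit_es "$tmp/weak.yml" "$tmp/weak.ufw" || echo "findings: $?"
```

On a real host, point `audit_es` at /etc/elasticsearch/elasticsearch.yml and at the output of `sudo ufw status` saved to a file; a non-zero return means at least one of the steps above is not in effect.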