Can Elasticsearch be insecure by default?

Hello.
I installed the latest version of OpenSUSE and installed Elasticsearch and Kibana on it, and nothing else. This Linux server is not ready yet and we have never worked with it, but OpenSUSE uploaded many files and... something like S-P-Y or...
Some data from the captured file are:

17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:20.858681 IP (tos 0x0, ttl 64, id 46170, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xa8f6), seq 300, ack 337, win 229, options [nop,nop,TS val 3552010 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:23.710156 IP (tos 0x0, ttl 64, id 46171, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x431a), seq 300, ack 365, win 229, options [nop,nop,TS val 3552723 ecr 14067960], length 0
17:02:33.986522 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x99b3), seq 300, ack 365, win 229, options [nop,nop,TS val 3555292 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
        GET /config.rar HTTP/1.1
        Accept: */*
        Accept-Language: zh-cn
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
        Host: www.s9xk32c.com
        Connection: Keep-Alive

17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
17:03:29.656511 IP (tos 0x0, ttl 64, id 46178, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x61a2), seq 300, ack 393, win 229, options [nop,nop,TS val 3569210 ecr 14068311,nop,nop,sack 1 {392:393}], length 0

As you see, it's like a virus or... but why?

Other information is:

# tcpdump -r capture.cap -vvv | grep "Host:"
reading from file capture.cap, link-type EN10MB (Ethernet)
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
# tcpdump -r capture.cap -vvv | grep "GET"
reading from file capture.cap, link-type EN10MB (Ethernet)
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
# systemctl status SuSEfirewall2
SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
   Active: active (exited) since Sat 2018-12-29 13:03:44 +0330; 22h ago
 Main PID: 2070 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/SuSEfirewall2.service

Dec 29 13:03:31 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 29 13:03:31 elastic SuSEfirewall2[2070]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 29 13:03:44 elastic SuSEfirewall2[2070]: Firewall rules successfully set
Dec 29 13:03:44 elastic systemd[1]: Started SuSEfirewall2 phase 2.
# journalctl | grep SuSE*
Dec 11 10:25:33 linux-a725 SuSEfirewall2[1257]: Firewall rules set to CLOSE.
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1726]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1732]: using default zone 'ext' for interface eth0
Dec 11 10:25:49 linux-a725 SuSEfirewall2[1849]: Firewall rules successfully set
Dec 11 10:28:11 linux-a725 SuSEfirewall2[2293]: Not unloading firewall rules at system shutdown
Dec 15 10:13:36 linux-a725 SuSEfirewall2[1312]: Firewall rules set to CLOSE.
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1770]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1776]: using default zone 'ext' for interface eth0
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1888]: Firewall rules successfully set
Dec 15 11:30:35 linux-a725 SuSEfirewall2[9698]: Not unloading firewall rules at system shutdown
Dec 15 11:30:53 linux-a725 SuSEfirewall2[1299]: Firewall rules set to CLOSE.
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1808]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1820]: using default zone 'ext' for interface eth0
Dec 15 11:31:05 linux-a725 SuSEfirewall2[1938]: Firewall rules successfully set
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2933]: Firewall rules unloaded.
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2955]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2961]: using default zone 'ext' for interface eth0
Dec 15 11:49:22 linux-a725 SuSEfirewall2[3029]: Firewall rules successfully set
.
.
.

Any idea?

Thank you.
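What the capture above actually shows can be checked mechanically. The following is an added example, not part of the original post and not a tcpdump or Elastic feature: it reads a `tcpdump -vvv` text dump and flags a server that should only accept Elasticsearch/Kibana connections but is itself opening TCP sessions to public IPs and fetching an archive over HTTP with a Windows browser User-Agent. The sample lines are trimmed from the capture quoted in the post (with tcpdump's wrapped `sack` field rejoined); the flow/indicator heuristics, the `triage` function and its output format are this example's own assumptions.

```python
"""Triage of outbound traffic in a tcpdump -vvv text dump (added example).

Not from the original post, not a tcpdump or Elastic feature. The sample
dump is trimmed from the capture quoted in the post; the heuristics
(server-initiated sessions to public IPs, HTTP fetch of an archive,
Windows/IE User-Agent from a Linux box) are this example's own.
"""
import ipaddress
import re
from collections import defaultdict

# "src.port > dst.port: Flags" as tcpdump prints it (ports as names or numbers).
FLOW_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): Flags"
)
REQUEST_RE = re.compile(r"^\s*(?P<method>GET|POST|HEAD|PUT) (?P<path>\S+) HTTP/1\.[01]\s*$")
HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z-]+): (?P<value>.*)$")
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".tar", ".gz", ".tgz")

# Constructed sample: lines trimmed from the capture quoted in the post.
SAMPLE_DUMP = """\
17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:33.986522 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x99b3), seq 300, ack 365, win 229, options [nop,nop,TS val 3555292 ecr 14067960], length 0
        GET /config.rar HTTP/1.1
        Accept: */*
        Accept-Language: zh-cn
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
        Host: www.s9xk32c.com
        Connection: Keep-Alive

17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
"""


def triage(dump_text, local_host):
    """Return public destinations the host talked to, parsed HTTP requests and indicator strings."""
    flows = defaultdict(set)   # dst -> destination ports as tcpdump printed them
    requests = []
    current_dst = None         # peer of the most recent packet header line
    request = None             # HTTP request whose header block we are inside
    for line in dump_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            request = None
            if m["src"] == local_host:           # packet sent by our server
                flows[m["dst"]].add(m["dport"])
                current_dst = m["dst"]
            continue
        m = REQUEST_RE.match(line)
        if m:
            request = {"method": m["method"], "path": m["path"],
                       "dst": current_dst, "headers": {}}
            requests.append(request)
            continue
        m = HEADER_RE.match(line)
        if request is not None and m:
            request["headers"][m["name"].lower()] = m["value"]
        elif not line.strip():
            request = None                       # blank line ends the header block

    external = {}
    for dst, ports in flows.items():
        try:
            if ipaddress.ip_address(dst).is_global:
                external[dst] = sorted(ports)
        except ValueError:
            pass  # tcpdump resolved a name; cannot classify it without DNS

    findings = []
    if external:
        findings.append("outbound sessions to public IPs: " + ", ".join(
            f"{d} ({'/'.join(p)})" for d, p in sorted(external.items())))
    archive = [r for r in requests if r["path"].lower().endswith(ARCHIVE_SUFFIXES)]
    if archive:
        hosts = sorted({r["headers"].get("host", "?") for r in archive})
        findings.append(f"{len(archive)} HTTP request(s) for archive payloads, Host {hosts}")
    if any("MSIE" in r["headers"].get("user-agent", "") for r in requests):
        findings.append("Windows/IE User-Agent sent from a Linux server: forged client string")
    return {"external_destinations": external, "requests": requests, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, "elastic.suse")["findings"]:
        print("-", finding)
```

Run against the full capture with `tcpdump -r capture.cap -vvv -A`, the same three classes of indicator are what make this traffic suspicious: the server, not a client, owns the ephemeral ports, the peers are public addresses, and the request is for a `.rar` from a host the server has no reason to know.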

Did you open your Elasticsearch cluster to the internet? Without any security?

Unfortunately yes, and as you see, someone attacked me. How can I secure it? I know security is a long way, but can you show me some basic practices for it? I found https://sematext.com/blog/elasticsearch-security-authentication-encryption-backup/ but I'd be thankful if you could provide more info.

Thank you.

Can ELK let an attacker become root on a system? In my case, was the attacker root on my system?

I have no idea what an attacker can do once he has entered your system.

In general, never expose Elasticsearch without any security. I recommend using the official built-in security feature (you can activate the trial license if you want to test it).
Or add a security layer in the middle, like nginx.

If you just want to have Elasticsearch plus Kibana all working and secured, have a look at cloud.elastic.co.

Normally, like a database, it's not required to open Elasticsearch to the internet. If you have an application which is using Elasticsearch, then only the machine where your application is running should have access to your Elasticsearch instances.

What are you doing with the stack? What is your use case? Why did you expose elasticsearch initially?

For now, I'd suggest completely killing your machine and starting a fresh new one that is not compromised.
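The hardening this reply describes (don't expose Elasticsearch, turn on the built-in security, let only the application host reach it) can be checked on the node's own config file. The following is an added example, not part of the original thread and not Elastic's code: a small audit of an `elasticsearch.yml`. The setting names `network.host`, `http.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings; the two sample files, the rule wording and the `audit` function are constructed for illustration, and the parser assumes the flat `dotted.key: value` layout `elasticsearch.yml` normally uses.

```python
"""Audit an elasticsearch.yml for the exposure pattern in this thread (added example).

Not Elastic's code. The setting names are real; the two sample configs and
the rule wording are constructed. Assumes the flat `dotted.key: value`
layout that elasticsearch.yml normally has.
"""
import ipaddress

# Constructed sample: what a node that ended up on the internet typically looks like.
WEAK_CONFIG = """\
cluster.name: elastic
node.name: elastic
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: loopback only, authentication on, TLS on the HTTP API.
# An application on another machine would instead get the node's private
# address here, plus a firewall rule admitting only that machine.
HARDENED_CONFIG = """\
cluster.name: elastic
node.name: elastic
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Special values Elasticsearch expands to non-loopback interfaces.
WIDE_BIND_VALUES = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines; comments and blanks are skipped,
    `[a, b]` lists become Python lists (scalars become one-element lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("[]")
        items = [v.strip().strip("\"'") for v in value.split(",") if v.strip()]
        settings[key.strip()] = items
    return settings


def is_wide_bind(value):
    """True if a bind value reaches beyond the loopback interface."""
    if value in WIDE_BIND_VALUES:
        return True
    try:
        return not ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # _local_, hostnames, interface names: not classified here


def audit(yaml_text):
    """Return a list of findings; an empty list means the three rules pass."""
    s = parse_flat_yaml(yaml_text)
    # http.host overrides network.host for the REST API; the default is _local_.
    bind = s.get("http.host") or s.get("network.host") or ["_local_"]
    exposed = [v for v in bind if is_wide_bind(v)]
    security_on = s.get("xpack.security.enabled", ["false"]) == ["true"]
    http_tls = s.get("xpack.security.http.ssl.enabled", ["false"]) == ["true"]

    findings = []
    if exposed:
        findings.append(f"HTTP API bound beyond loopback ({', '.join(exposed)}): "
                        "firewall port 9200 down to the application hosts")
    if not security_on:
        findings.append("xpack.security.enabled is not true: anyone who can reach "
                        "port 9200 has full read/write/admin access")
    if exposed and not http_tls:
        findings.append("xpack.security.http.ssl.enabled is not true: credentials "
                        "and data cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

The nginx-in-front option from the reply fits the same rule: Elasticsearch stays on `127.0.0.1`, only the proxy on the same host talks to it, and the proxy is what enforces authentication and TLS toward the network.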

So my system is compromised?

I'm not a security expert, so I can't tell. I'm just saying what I'd personally do.

Maybe others can tell, though.
