Elastic Endpoint: securing elasticsearch (port 9200) server public access from brute force attacks

Hi team,

My elastic stack is currently working and endpoint security is working and is being managed by fleet. I'm planning to expose port 8220 and 9200 so my mobile endpoints can search the server when outside the company. Besides enabling x-pack, what else can we do to secure Elasticsearch (9200) access? my main concern is http basic auth brute force attacks.

If you are using Elasticsearch with CCS or CCR features, you will need to expose port 9300.

Any service with public ports should be protected. This usually means multiple layers of protection, including but not limited to proxies, firewalls, logging, security detecting+filtering, etc.

If you use Elastic Cloud, Elastic provides all of this and more.

If you self host Elastic ECE, you get a lot of the same features.

If you self manage Elastic Stack, you have to decide what you need based on your requirements. For example, Elasticsearch port 9300 communication uses TLS Mutual Authentication, so an L7 proxy/firewall would be appropriate. However, port 9200 communication is most commonly configured for TLS Server Authentication, so you have to decide if you want L4 or L7 for that proxy/firewall.

A third-party L7 proxy/firewall is an example of how to throttle simple brute force attacks.

Another option is use a SAML 1.0 realm or OIDC 2.0 realm. Elasticsearch supports integration with many third-party providers.

Another option is moving away from basic auth, and using TLS Mutual Authentication. Elasticsearch supports mTLS authentication. You use a PKI realm to authorized clients via role mapping.

Again, you get many of these things included (and more!) when you deploy on Elastic Cloud.