ElasticSearch is being attacked?

ClubberLang · July 27, 2020, 9:44am

Hi,

I have installed ES since month now, everything was fine until Friday.
Each time, I need to restore ES manually (Delete / Restart / Launch my jobs).

But since Friday, after a few hours, everything is down again!

My ES is running on a docker image (No Kibana, No Logstah), and is not open to the external.
It is only open to the "Swarm internal network" allowing other components to communicate with.
So, it "should" be secure I suppose (or not)!

Noticed that I'm new to ES, sorry if I ask basic questions.

So, I have checked the logs (see the extract) and see the following kind of line, it looks like "something" is playing/deleting indexes ? How is it possible and how to fix it ? (see the MetadataDeleteIndexService playing with it)

Your help is welcome, Thanks

5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:12,810Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[d6kqcgz08k-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:14,232Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana-event-log-7.8.0-000001/WaQFc6XpSa-SKTiNsAboRA] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:14,920Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.apm-custom-link/lIiacYWUSK2d6Ia247DW7g] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:15,539Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana_task_manager_1/8tL_aAaYTgOog9JF23ZigQ] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:16,151Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[posts_index/G8VYnDk6Qp-6pp1YZ8LiCg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:16,839Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.apm-agent-configuration/bakyQOuJR96cCrl_Su-STg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:17,443Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana_1/IYStrpWFTJ2HiqrAz0X2qw] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,060Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[stores_index/53b8hIjIQ9GdTqcGPaHXxg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,734Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[9tt6tbxz1z-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:19,487Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[0wjk12ye55-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:20,341Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[21is15fydk-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:21,091Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[86ry74feso-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:21,950Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[0pmopwq4s8-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:22,711Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[mj25ghvf6c-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:22,877Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[stores_index] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:23,381Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[posts_index] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:24,571Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[cqpx9c2tdu-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:25,643Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[wk73nw8rfs-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:26,519Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[sf3d9y6r31-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:27,366Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[zk0p39mxed-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }

Christian_Dahlqvist · July 27, 2020, 9:48am

Yes, it seems it is being attacked, so you should secure it. Have a look at this thread.

This means it likely is open to the internet even though you state it is not.

ClubberLang · July 28, 2020, 6:33am

Thanks Christian,

So, I have try to secure my ES, with basic authentication.
But again, Elastic is down... how is it possible

I checkek the log and I see the following message (with ES 7.8.0):

"Active license is now [BASIC]; Security is disabled"

But security is free since v7.1, I think!
Also, Elastic is only accessible through an internal docker network

Any idea ?

Christian_Dahlqvist · July 28, 2020, 8:07am

What does your docker file look like? Which image are you using?

system · August 25, 2020, 8:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
My ElasticSearch Indexes have been mysteriously deleted, how do I debug the cause? Elasticsearch	11	13573	February 17, 2017
Elasticsearch shuts down for no reason Elasticsearch	7	1450	July 6, 2017
Some indexes have been deleted, now I see indexes called meow? Elasticsearch elastic-stack-security	4	1310	August 25, 2020
Why are my indexes automatically removed? Elasticsearch	6	911	August 30, 2023
Indices all gone but i don't think i did it Elasticsearch	2	2269	February 9, 2017

ElasticSearch is being attacked?

Related topics