ElasticSearch is being attacked?

Hi,

I have had ES installed for a month now, and everything was fine until Friday.
Each time, I need to restore ES manually (Delete / Restart / Launch my jobs).

But since Friday, after a few hours, everything is down again!

My ES is running in a Docker image (no Kibana, no Logstash) and is not exposed externally.
It is only open on the "Swarm internal network", so that other components can communicate with it.
So it "should" be secure, I suppose (or not)!

Note that I'm new to ES, sorry if I ask basic questions.

So I have checked the logs (see the extract) and I see the following kind of lines. It looks like "something" is playing with / deleting indexes? How is that possible, and how do I fix it? (see the MetadataDeleteIndexService entries)

Your help is welcome, thanks.

5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:12,810Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[d6kqcgz08k-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:14,232Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana-event-log-7.8.0-000001/WaQFc6XpSa-SKTiNsAboRA] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:14,920Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.apm-custom-link/lIiacYWUSK2d6Ia247DW7g] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:15,539Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana_task_manager_1/8tL_aAaYTgOog9JF23ZigQ] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:16,151Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[posts_index/G8VYnDk6Qp-6pp1YZ8LiCg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:16,839Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.apm-agent-configuration/bakyQOuJR96cCrl_Su-STg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:17,443Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[.kibana_1/IYStrpWFTJ2HiqrAz0X2qw] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,060Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[stores_index/53b8hIjIQ9GdTqcGPaHXxg] deleting index", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,734Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[9tt6tbxz1z-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:19,487Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[0wjk12ye55-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:20,341Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[21is15fydk-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:21,091Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[86ry74feso-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:21,950Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[0pmopwq4s8-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:22,711Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[mj25ghvf6c-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:22,877Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[stores_index] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:23,381Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[posts_index] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:24,571Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[cqpx9c2tdu-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:25,643Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[wk73nw8rfs-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:26,519Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[sf3d9y6r31-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:27,366Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "[zk0p39mxed-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []", "cluster.uuid": "WKZ_vTKIQ4GkIPn1KIx7Gw", "node.id": "T1w-1R6LRoqnVfbnF67z-Q"  }
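
The pattern in the excerpt above (a burst of `deleting index` events, interleaved with `creating index` for names that are a random prefix plus a fixed suffix) is something a defender can watch for automatically. The following is an added example, not code from the original post or from Elastic: it parses Elasticsearch 7.x JSON server logs as `docker service logs` prints them (task-id prefix, then one JSON object per line), strips the prefix, and flags deletion bursts and machine-looking index names. The sample log is constructed from a shortened copy of the thread's own lines; the random-name regex and the burst window are heuristics chosen here, not Elastic settings.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample, shortened from the log excerpt posted in the thread.
# The leading token ("5va5w") is the Swarm task id that `docker service logs` prefixes.
SAMPLE_LOG = """\
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:12,810Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "message": "[d6kqcgz08k-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:14,232Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "message": "[.kibana_1/IYStrpWFTJ2HiqrAz0X2qw] deleting index"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:16,151Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "message": "[posts_index/G8VYnDk6Qp-6pp1YZ8LiCg] deleting index"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,060Z", "level": "INFO", "component": "o.e.c.m.MetadataDeleteIndexService", "message": "[stores_index/53b8hIjIQ9GdTqcGPaHXxg] deleting index"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:18,734Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "message": "[9tt6tbxz1z-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:19,487Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "message": "[0wjk12ye55-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []"}
5va5w  {"type": "server", "timestamp": "2020-07-27T08:48:22,877Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "message": "[stores_index] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]"}
"""

# "[name/uuid] deleting index" or "[name] creating index, cause [...]"; the uuid part is optional.
INDEX_EVENT = re.compile(r"^\[(?P<name>[^\]/]+)(?:/[^\]]*)?\] (?P<action>creating|deleting) index")
# Heuristic (assumption, not an ES rule): 8-16 lowercase alphanumerics containing at least one
# digit and one letter, followed by "-word", e.g. the "<random>-meow" names in the excerpt.
RANDOM_NAME = re.compile(r"^(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{8,16}-[a-z]+$")


def parse_timestamp(value):
    # ES 7.x server logs put a comma before the millisecond field.
    return datetime.strptime(value.replace(",", "."), "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(text):
    """Return (timestamp, action, index_name) for every create/delete line; skip everything else."""
    events = []
    for line in text.splitlines():
        start = line.find("{")          # drop the Swarm task-id prefix
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        m = INDEX_EVENT.match(rec.get("message", ""))
        if not m:
            continue
        events.append((parse_timestamp(rec["timestamp"]), m.group("action"), m.group("name")))
    return events


def deletion_burst(events, window=timedelta(seconds=60), threshold=3):
    """True if at least `threshold` deletions fall inside any `window`-long span."""
    deletes = sorted(ts for ts, action, _ in events if action == "deleting")
    for i, start in enumerate(deletes):
        if len([t for t in deletes[i:] if t - start <= window]) >= threshold:
            return True
    return False


def analyze(text):
    events = parse_events(text)
    deleted = [name for _, action, name in events if action == "deleting"]
    random_created = [name for _, action, name in events
                      if action == "creating" and RANDOM_NAME.match(name)]
    burst = deletion_burst(events)
    return {
        "deleted": deleted,
        "random_created": random_created,
        "deletion_burst": burst,
        "verdict": "likely automated wipe" if (random_created and burst) else "no pattern",
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against `docker service logs <es-service>` output piped to a file; the interesting signal is the combination (many deletions in a short window *and* nonsense index names), since a legitimate reindex job also deletes and recreates indices, but with the names you chose. Note also that every line above is logged at `INFO` and says `cause [api]`: with security disabled there is no audit trail of who issued the calls, so the server log is all the evidence you get.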

Yes, it seems it is being attacked, so you should secure it. Have a look at this thread.

This means it likely is open to the internet even though you state it is not.

2 Likes

Thanks Christian,

So I have tried to secure my ES with basic authentication.
But again, Elastic is down... how is this possible :frowning:

I checked the log and I see the following message (with ES 7.8.0):

"Active license is now [BASIC]; Security is disabled"

But security has been free since v7.1, I think!
Also, Elastic is only accessible through an internal Docker network :frowning:

Any idea?
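
The two things worth checking on this node are exactly the two claims in the post: whether security is actually on, and whether the container is really unreachable from outside. On a 7.x BASIC license the security features are available, but `xpack.security.enabled` is still `false` unless set explicitly, which is what the logged line "Security is disabled" reports. And in Swarm, a `ports:` entry in a stack file publishes the port through the ingress routing mesh on every node, and Docker's published ports are handled by Docker's own iptables chains rather than the host's INPUT rules, so a node can be reachable even when the operator believes it is internal. The following is an added example, not code from the thread or from Elastic: it parses the flat `key: value` lines of an `elasticsearch.yml` and the output format of `docker port <container>`, and reports both gaps. The weak and hardened samples are constructed here; the only real setting it relies on is `xpack.security.enabled`.

```python
import re

# Constructed samples: the weak configuration beside the corrected one.
WEAK_ES_YML = """\
cluster.name: docker-cluster-es01
node.name: es01
discovery.type: single-node
# xpack.security.enabled left unset: on a 7.x BASIC license this defaults to false
"""

HARDENED_ES_YML = """\
cluster.name: docker-cluster-es01
node.name: es01
discovery.type: single-node
xpack.security.enabled: true
"""

# Constructed output in the shape `docker port <container>` prints.
WEAK_PORTS = "9200/tcp -> 0.0.0.0:9200\n9300/tcp -> 0.0.0.0:9300\n"
HARDENED_PORTS = ""   # nothing published: reachable only on the overlay network

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp) -> (?P<host>\[[^\]]+\]|[^:]+):(?P<hostport>\d+)$")


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines elasticsearch.yml normally uses (no nesting, no PyYAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def published_everywhere(port_output):
    """Container ports bound to every host interface (0.0.0.0 or the IPv6 wildcard)."""
    exposed = []
    for line in port_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("host") in ("0.0.0.0", "[::]", "::"):
            exposed.append(int(m.group("port")))
    return exposed


def audit(es_yml, port_output):
    """Return a list of findings; an empty list means both checks passed."""
    settings = parse_flat_yaml(es_yml)
    findings = []
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(
            "xpack.security.enabled is not true: the node accepts unauthenticated requests "
            "(the 'Security is disabled' log line reports this setting, not the license)")
    for port in published_everywhere(port_output):
        findings.append(
            f"port {port} is published on every host interface: Docker's own iptables rules "
            "bypass a host INPUT-chain firewall, and on Swarm the ingress mesh publishes it on every node")
    return findings


if __name__ == "__main__":
    for label, yml, ports in (("weak", WEAK_ES_YML, WEAK_PORTS),
                              ("hardened", HARDENED_ES_YML, HARDENED_PORTS)):
        print(label, "->", audit(yml, ports) or "ok")
```

After setting `xpack.security.enabled: true` the built-in users still need passwords; on 7.x that is done once with the bundled `elasticsearch-setup-passwords` tool in the container, and every client (including the jobs that recreate `posts_index` and `stores_index`) then has to authenticate. If the stack file has a `ports:` entry for 9200, removing it and letting the other services reach ES by service name on the overlay network closes the other gap.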

What does your docker file look like? Which image are you using?
