Index keeps getting deleted and new index created called read-me-to-recover-data is created

AndyX · August 2, 2023, 4:34am

Every few days my Elasticsearch index gets deleted. I assume this is due to me running with the following:

xpack.security.enabled: false

When my index is deleted a new index with the name:

read-me-to-recover-data

is created. Here's what is contained in this index:

[root@host ~]# curl -XGET 'http://localhost:9200/read-me-to-recover-data/_mapping?pretty=true'
{
  "read-me-to-recover-data" : {
    "mappings" : {
      "properties" : {
        "message" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    }
  }
}

If I set xpack.security.enabled to true, then I'm not able to access my index. I only have Elasticsearch, I don't have nor do I want to use Kibana.

leandrojmp · August 2, 2023, 4:43am

Your cluster is exposed to the public internet without authentication, in this case everyone would have access to your cluster and can do what they want.

You need to enable authentication, and I would recommend to not expose your cluster to the public internet even with security enabled.

stephenb · August 2, 2023, 4:44am

See @leandrojmp answer here

And @AndyX Welcome to the community now Secure your Cluster from the beginning!!!

AndyX · August 2, 2023, 5:12am

What I don't understand is how is the cluster exposed to the public. Wouldn't a password be required to execute any command on my web server?

I'm using a forum software called XenForo, they provide a search which uses Elasticsearch. So the public uses this search to find post information. So I don't understand how I would not allow the public to use the search.

Thank you for your time explaining things.

leandrojmp · August 2, 2023, 5:27am

No because security is explicitly disabled, so no password is needed to do anything in your cluster.

Where are you running your cluster and how are you running it? What does your elasticsearch.yml looks like?

Just an example, assume that you are running an Elasticsearch instance on an ec2 on AWS, if this ec2 has an elastic ip associated to it to be able to receive request from the public internet and the security groups/acls are not correctly configured, your cluster may be exposed to the public internet.

I do not know this software, but it seems that it uses Elasticsearch to provide search functionality and the forum software should be able to talk with the Elasticsearch instance using a private IP address, you don't need to expose your elasticsearch, only the machine running the forum software should be able to access the elasticsearch instance.

AndyX · August 2, 2023, 4:06pm

Because the XenForo software does not support authentication, I set xpack.security.enabled to false.

Using cPanel WHM

WHM -> Plugins -> ConfigServer Security & Firewall

I now removed 9200 from this part of the firewall setting:

Hopefully this will now prevent my Elasticsearch index from being deleted by hackers.

system · August 30, 2023, 4:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why are my indexes automatically removed? Elasticsearch	6	896	August 30, 2023
Index is getting deleted automatically Elasticsearch	4	562	September 21, 2023
Accidentally deleted .security index for x-pack Elasticsearch	4	12052	March 30, 2022
Build-in users' passwords gone after service restart Elasticsearch elastic-stack-security	10	1138	August 3, 2021
Index deleted and create weird new index Kibana	5	244	January 9, 2021

Index keeps getting deleted and new index created called read-me-to-recover-data is created

Related Topics