Index keeps getting deleted and a new index called read-me-to-recover-data is created

Every few days my Elasticsearch index gets deleted. I assume this is due to me running with the following:

xpack.security.enabled: false

When my index is deleted a new index with the name:

read-me-to-recover-data

is created. Here's what is contained in this index:

[root@host ~]# curl -XGET 'http://localhost:9200/read-me-to-recover-data/_mapping?pretty=true'
{
  "read-me-to-recover-data" : {
    "mappings" : {
      "properties" : {
        "message" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    }
  }
}

If I set xpack.security.enabled to true, then I'm not able to access my index. I only have Elasticsearch, I don't have nor do I want to use Kibana.

Your cluster is exposed to the public internet without authentication; in this case everyone has access to your cluster and can do what they want.

You need to enable authentication, and I would recommend not exposing your cluster to the public internet even with security enabled.


See @leandrojmp's answer here

And @AndyX, welcome to the community. Now secure your cluster from the beginning!!!

What I don't understand is how the cluster is exposed to the public. Wouldn't a password be required to execute any command on my web server?

I'm using a forum software called XenForo, they provide a search which uses Elasticsearch. So the public uses this search to find post information. So I don't understand how I would not allow the public to use the search.

Thank you for your time explaining things.

No, because security is explicitly disabled, so no password is needed to do anything in your cluster.

Where are you running your cluster and how are you running it? What does your elasticsearch.yml look like?

Just an example: assume that you are running an Elasticsearch instance on an EC2 instance on AWS. If this EC2 instance has an Elastic IP associated with it to be able to receive requests from the public internet and the security groups/ACLs are not correctly configured, your cluster may be exposed to the public internet.

I do not know this software, but it seems that it uses Elasticsearch to provide search functionality. The forum software should be able to talk to the Elasticsearch instance using a private IP address; you don't need to expose your Elasticsearch. Only the machine running the forum software should be able to access the Elasticsearch instance.
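Added example to go with the two answers above (the one recommending authentication plus no public exposure, and the one explaining how a node ends up reachable); it is not code from the thread or from Elastic. It is a small POSIX shell audit that classifies an elasticsearch.yml by the two settings that matter here (network.host bind scope and xpack.security.enabled), scans an index listing for the ransom-note index name seen in this thread, and prints the corrected settings. The sample config, the sample index listing, the forum_posts index name, the 10.0.0.5 private address and the read-me/recover name pattern are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Elastic's code): audit an
# elasticsearch.yml for the combination that lets anyone who can reach
# TCP/9200 delete indices, and scan an index listing for the ransom-note
# index name seen in the thread. Everything runs offline on constructed input.

# Constructed sample config. It mirrors what the original poster reported
# (security disabled) plus a bind-all network.host, which is the other half
# of the problem: with the default loopback-only bind, a remote attacker
# could not reach the port at all.
SAMPLE_CONFIG='cluster.name: forum-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false'

# Constructed sample of: curl -s "localhost:9200/_cat/indices?h=index,docs.count"
# forum_posts is made up; the second name is the one from the thread.
SAMPLE_INDICES='forum_posts 18422
read-me-to-recover-data 1'

# es_setting CONFIG KEY: print the scalar value of a top-level "key: value"
# line with quotes stripped. YAML lists such as network.host: [_local_, _site_]
# are not parsed; only the first token is returned.
es_setting() {
  printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }' | tr -d "\"'"
}

# es_bind_scope ADDRESS: classify a network.host value. An empty value is the
# Elasticsearch default, which binds to loopback only. 0.0.0.0, _global_ and
# any address outside RFC 1918 space count as public.
es_bind_scope() {
  case "$1" in
    ''|127.*|localhost|::1|_local_)                              echo loopback ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|_site_) echo private ;;
    *)                                                           echo public ;;
  esac
}

# es_config_risk CONFIG: print "<scope>/<auth|no-auth>". Returns 0 only when
# authentication is on and the node is not bound to a public address; the
# loopback/no-auth case still returns 1 because any process on the host can
# wipe the cluster. Only an explicit "false" counts as disabled, because the
# default for an unset xpack.security.enabled depends on the Elasticsearch version.
es_config_risk() {
  scope=$(es_bind_scope "$(es_setting "$1" network.host)")
  if [ "$(es_setting "$1" xpack.security.enabled)" = false ]; then
    auth=no-auth
  else
    auth=auth
  fi
  echo "$scope/$auth"
  [ "$auth" = auth ] && [ "$scope" != public ]
}

# es_ransom_indices LISTING: print index names that look like a ransom note
# and return 0 if any were found. The pattern is an assumption generalised
# from the single name in the thread (read-me-to-recover-data).
es_ransom_indices() {
  printf '%s\n' "$1" | awk '$1 ~ /read-?me.*recover/ { print $1; found = 1 } END { exit !found }'
}

# es_hardened_settings: the settings that close the hole. 10.0.0.5 is a
# placeholder for the private address the forum server reaches; replace it.
# Binding to a private IP does not replace the firewall rule on 9200, and
# turning xpack.security.enabled on means the forum client must send credentials.
es_hardened_settings() {
  cat <<'EOF'
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
EOF
}

# Demonstration on the constructed inputs.
printf 'current config: %s\n' "$(es_config_risk "$SAMPLE_CONFIG")"
if hits=$(es_ransom_indices "$SAMPLE_INDICES"); then
  printf 'ransom-note index present: %s\n' "$hits"
fi
printf 'hardened config: %s\n' "$(es_config_risk "$(es_hardened_settings)")"
```

To run it against a live node instead of the samples, feed `es_config_risk` the contents of the real elasticsearch.yml and `es_ransom_indices` the output of `curl -s 'localhost:9200/_cat/indices?h=index,docs.count'`; a `public/no-auth` verdict is the state the original poster was in.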

Because the XenForo software does not support authentication, I set xpack.security.enabled to false.

Using cPanel WHM

WHM -> Plugins -> ConfigServer Security & Firewall

I have now removed 9200 from this part of the firewall setting:

Hopefully this will now prevent my Elasticsearch index from being deleted by hackers.
