We are using elasticsearch-0.20.5 and it is running on a Linux server.
Now we need to provide security for our elasticsearch instance so that,
without authentication, no one can hit our elasticsearch data.
For this, we have installed the "http-basic" plugin and also configured
an "nginx" reverse proxy mechanism for authentication.
We have provided security for the "http port" only.
[Without authentication, no one is allowed to access the
elasticsearch data using the head plugin, the paramedic plugin, the curl
command or the java-api {only for URL-based data access}.]
As of now, everything is working fine with the http ports.
But here we have one big security problem, that is:
We are not able to provide security for our "transport.tcp.port", such as
9300-9400.
By using the java-api [which again uses "InetSocketTransportAddress"], it is
possible to access our elasticsearch data using the transport
ports [9300-9400].
This means we are not able to provide full security for our elasticsearch
data.
Here, our requirement is how to provide security or authentication for the
transport ports [9300-9400].
Can anyone please help us with how to provide security for the transport
ports [9300-9400]?
Is there any plugin/add-on so that we can provide security for our
transport ports?
Is there any technique in Linux [RHEL] so that we can restrict
access to the transport ports, but our elasticsearch would work fine with any
problem?
And also, we can only access the Java-Api [which uses
"InetSocketTransportAddress"] to hit the elasticsearch server.

I think you cannot secure the transport layer with elasticsearch itself.
You should consider either using only the HTTP layer or restricting by IP at the network level (firewall).
In my former job, elasticsearch was part of the backend layer, as databases were as well.
Only the service layer has access to our backend.
My 2 cents.
--
David
Twitter : @dadoonet / @elasticsearchfr / @scrutmydocs

You ask for protecting network ports. A network is effectively secured at
the operating system level or on switch/router devices in a data center. A
plugin cannot provide security at the operating system level; it works at
the application level. If an attacker can reach the application, some attack
styles cannot be rejected, for example denial of service attacks.
I suggest setting up ES servers in a private IP network (10.x.x.x,
192.168.0.0) that is not reachable because the gateway rejects requests
from outside. This is easier to administer, and avoids ES servers being
exposed to network traffic without the need to modify the network
configuration of each server.
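
The IP restriction on the transport ports that both replies recommend, sketched as host firewall rules for RHEL with iptables. This is an added example, not part of the original thread; the peer addresses are constructed and the chain name `ES_TRANSPORT` is a hypothetical choice.

```shell
#!/bin/sh
# Added example: restrict the Elasticsearch transport ports to known peers.
# Constructed sample addresses (assumptions): other ES nodes and the
# service-layer hosts that connect through the Java API.
ALLOWED_PEERS="10.0.1.11 10.0.1.12 10.0.2.20"
TRANSPORT_PORTS="9300:9400"   # transport.tcp.port range from the thread
CHAIN="ES_TRANSPORT"          # hypothetical chain name

# Print the iptables arguments, one rule per line, for review before applying.
gen_transport_rules() {
    peers=$1
    ports=$2
    # Validate everything first so a bad entry produces no partial rule set.
    for ip in $peers; do
        case $ip in
            *[!0-9.]*|*..*|.*|*.)
                echo "invalid peer address: $ip" >&2
                return 1 ;;
        esac
    done
    echo "-N $CHAIN"
    echo "-A $CHAIN -i lo -j ACCEPT"        # local clients on the node itself
    for ip in $peers; do
        echo "-A $CHAIN -s $ip -j ACCEPT"   # cluster nodes and service layer
    done
    echo "-A $CHAIN -j DROP"                # everyone else
    # Divert transport traffic last, once the chain is complete. Inserting at
    # position 1 keeps it ahead of any catch-all REJECT already in INPUT.
    echo "-I INPUT 1 -p tcp --dport $ports -j $CHAIN"
}

# Apply the generated rules (needs root). Not called automatically.
apply_transport_rules() {
    rules=$(gen_transport_rules "$1" "$2") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        # Word splitting of $rule into iptables arguments is intentional.
        iptables $rule || exit 1
    done
}

# Dry run: show what would be applied.
gen_transport_rules "$ALLOWED_PEERS" "$TRANSPORT_PORTS"
```

Every Elasticsearch node and every Java API client host has to appear in the peer list, otherwise its transport traffic is dropped along with everything else.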