Need Help -- How to Provide Security to "transport.tcp.port [9300-9400]"


(mohammad rafi g) #1

Hi to All,

We are using elasticsearch-0.20.5 Version and it is running on Linux Server.

Now, We need to provide Security to our elasticsearch instance so that
without Authentication, no one can Hit Our elasticsearch data.

For this, We have installed "http-basic" plugin And also we configured
"nginx" reverse proxy mechanism for Authentication.
We have provided the security to "http port" only.
[without Authentication, no one is allowed to access the
elasticsearch data using head plugin or paramedic plugin or using curl
command or java-api {only for url based data access}]

As of now, everything is working fine with http ports.

But, here we have one big security problem, that is:
We are not able to provide security to our "transport.tcp.port" such as
9300-9400.
By using java-api [which again uses "InetSocketTransportAddress"], it is
possible to access our elasticsearch data using the transport
ports [9300-9400].
This means we are not able to provide Full Security to our elasticsearch
data.

Here, Our Requirement is, how to provide Security or Authentication to
Transport ports[9300-9400].

Can anyone please help us, how to provide security to Transport
ports [9300-9400].

  1. Is there any plugin/add-on so that we can provide security to our
    Transport Ports?
  2. Is there any Technique in Linux [RHEL], so that we can restrict the
    access to Transport ports, but our elasticsearch would work fine without any
    problem.
    And also, we only can access the Java-Api [which uses
    "InetSocketTransportAddress"] to hit the elasticsearch server.

Thanks and Regards,
Mohammad Rafi.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/3d177e26-ccca-40b9-9d4d-a397ace4d81e%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(David Pilato) #2

I think you can not secure transport layer with elasticsearch itself.
You should consider either using only HTTP layer or give restriction by IP on a network level (firewall).

In my former job, elasticsearch was part of the backend layer like databases were as well.
Only service layer has access to our backend.

My 2 cents.

--
David :wink:
Twitter : @dadoonet / @elasticsearchfr / @scrutmydocs

On 11 Dec 2013 at 06:26, rafi me.mrafi.en@gmail.com wrote:



(Jörg Prante) #3

  1. You ask for protecting network ports. Network is effectively secured at
    operating system level or on switches/router devices in a data center. A
    plugin can not provide security on operating system level, it works on
    application level. If an attacker can reach the application, some attack
    styles can not be rejected, for example denial of service attacks.

  2. This question is not related to ES, please refer to iptables in
    https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Firewalls.html

I suggest setting up ES servers in a private IP network (10.x.x.x,
192.168.0.0) that is not reachable because the gateway rejects requests
from outside. This is easier to administrate, and avoids ES servers being
exposed to network traffic without the need to modify the network
configuration of each server.

Jörg
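
The network-level restriction suggested in the replies above can be sketched for RHEL's iptables as follows. This is an added example, not part of any poster's message: the chain name `ES-TRANSPORT` and the sample addresses are assumptions, and the script only prints the rules for review rather than applying them.

```sh
#!/bin/sh
# Added example: prints (does not apply) iptables rules that limit the
# Elasticsearch transport port range to an allow-list of source addresses.
TRANSPORT_PORTS="9300:9400"   # range from the thread
CHAIN="ES-TRANSPORT"          # hypothetical chain name

# Succeeds if $1 is an IPv4 address, optionally with a /0-32 prefix.
valid_source() {
    _addr=${1%%/*}
    case $1 in
        */*) _pfx=${1#*/}
             case $_pfx in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$_pfx" -le 32 ] || return 1 ;;
    esac
    case $_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.
    set -- $_addr          # split on dots; input is digits and dots only
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ????*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Prints one iptables command per line for the given allowed sources.
# The list must include every other cluster node as well as the Java API
# clients, because nodes talk to each other over the same port range.
emit_rules() {
    for _src in "$@"; do
        valid_source "$_src" || { echo "invalid source: $_src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -i lo -j ACCEPT"
    for _src in "$@"; do
        echo "iptables -A $CHAIN -s $_src -j ACCEPT"
    done
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix 'es-transport-drop: '"
    echo "iptables -A $CHAIN -j DROP"
    # The jump is added last so the chain is complete before traffic reaches it.
    echo "iptables -I INPUT -p tcp --dport $TRANSPORT_PORTS -j $CHAIN"
}

# Constructed sample: two cluster nodes and one application subnet.
emit_rules 10.0.1.11 10.0.1.12 10.0.2.0/24
```

The same allow-list has to be generated on every node, since each one listens on the transport range.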


