Possible to turn off/suppress version data in response to GET http://localhost:9200?


(Josh Harrison) #1

The subject says it all pretty much, is it possible to turn off the
reporting of version data in response to GET http://localhost:9200?
Thanks,
Josh

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/7962249a-610f-4ee6-9496-a1cf14df8d95%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Ivan Brusic) #2

From what I can tell from the code, it appears that you can disable
returning the version field.

--
Ivan

On Thu, Dec 19, 2013 at 12:27 PM, Josh Harrison hijakk@gmail.com wrote:

> The subject says it all pretty much, is it possible to turn off the
> reporting of version data in response to GET http://localhost:9200?
> Thanks,
> Josh



(Josh Harrison) #3

To clarify, when I go to http://localhost:9200, I want to get back

{
  "ok" : true,
  "status" : 200,
  "name" : "Stem Cell",
  "tagline" : "You Know, for Search"
}

Not

{
  "ok" : true,
  "status" : 200,
  "name" : "Stem Cell",
  "version" : {
    "number" : "0.90.5",
    "build_hash" : "c8714e8e0620b62638f660f6144831792b9dedee",
    "build_timestamp" : "2013-09-17T13:09:46Z",
    "build_snapshot" : false,
    "lucene_version" : "4.4"
  },
  "tagline" : "You Know, for Search"
}

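I poked around in the code and the only code place I find "You Know, for
Search" is

https://github.com/elasticsearch/elasticsearch/blob/c20d4bb69ed29cf11a747f0fdc40ce4237f79ce4/src/main/java/org/elasticsearch/rest/action/main/RestMainAction.java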

There doesn't appear to be an explicit flag that would allow me to suppress
that, but perhaps that's somewhere else? My IT folks are in a tizzy that
version information is being displayed, saying it's a major security risk.
Sigh.
Honestly, if it doesn't break something else, I wouldn't mind if there was
just a way to turn off that default response entirely. That'd do it too.

On Thursday, December 19, 2013 12:50:29 PM UTC-8, Ivan Brusic wrote:

> From what I can tell from the code, it appears that you can disable
> returning the version field.
>
> --
> Ivan



(Ivan Brusic) #4

Just having the REST endpoint open is a security risk. :) You can always
put a proxy in front of elasticsearch that intercepts certain calls such as
PUT, POST, DELETE or simply / in your case.

Normally in elasticsearch, a request is built with various parameters via a
builder and then the resulting response will have the correct fields. You
can see an example with the nodes stats:

https://github.com/elasticsearch/elasticsearch/blob/master/src/main/java/org/elasticsearch/rest/action/admin/cluster/node/stats/RestNodesStatsAction.java

The main action does not really have specific request/response classes. You
can try raising an issue or even submitting a pull request yourself, but I
do not see this issue as being very important. That is just my guess.

--
Ivan

On Thu, Dec 19, 2013 at 2:52 PM, Josh Harrison hijakk@gmail.com wrote:

> To clarify, when I go to http://localhost:9200, I want to get back
>
> {
>   "ok" : true,
>   "status" : 200,
>   "name" : "Stem Cell",
>   "tagline" : "You Know, for Search"
> }
>
> Not
>
> {
>   "ok" : true,
>   "status" : 200,
>   "name" : "Stem Cell",
>   "version" : {
>     "number" : "0.90.5",
>     "build_hash" : "c8714e8e0620b62638f660f6144831792b9dedee",
>     "build_timestamp" : "2013-09-17T13:09:46Z",
>     "build_snapshot" : false,
>     "lucene_version" : "4.4"
>   },
>   "tagline" : "You Know, for Search"
> }
>
> I poked around in the code and the only code place I find "You Know, for
> Search" is
>
> https://github.com/elasticsearch/elasticsearch/blob/c20d4bb69ed29cf11a747f0fdc40ce4237f79ce4/src/main/java/org/elasticsearch/rest/action/main/RestMainAction.java
> There doesn't appear to be an explicit flag that would allow me to
> suppress that, but perhaps that's somewhere else? My IT folks are in a
> tizzy that version information is being displayed, saying it's a major
> security risk. Sigh.
> Honestly, if it doesn't break something else, I wouldn't mind if there was
> just a way to turn off that default response entirely. That'd do it too.



(Josh Harrison) #5

Yeah, it's been looking like a proxy is the way to go. If it was an already
existing functionality allowing me to suppress the version info from /, I'd
have been happy to use that, but I agree - it isn't worth anyone's time to
add this.
Thanks Ivan!
-Josh

On Thursday, December 19, 2013 3:04:15 PM UTC-8, Ivan Brusic wrote:

> Just having the REST endpoint open is a security risk. :) You can always
> put a proxy in front of elasticsearch that intercepts certain calls such as
> PUT, POST, DELETE or simply / in your case.
>
> Normally in elasticsearch, a request is built with various parameters via
> a builder and then the resulting response will have the correct fields. You
> can see an example with the nodes stats:
>
> https://github.com/elasticsearch/elasticsearch/blob/master/src/main/java/org/elasticsearch/rest/action/admin/cluster/node/stats/RestNodesStatsAction.java
>
> The main action does not really have specific request/response classes.
> You can try raising an issue or even submitting a pull request yourself,
> but I do not see this issue as being very important. That is just my guess.
>
> --
> Ivan



(Jörg Prante) #6

Can you explain why showing the prompt is a problem?

Maybe it helps us to understand if it is a common use case and a patch for
the codebase would be appropriate.

As for the proxy, it is recommended to not expose ES to HTTP frontend
access, so a proxy is the best method I know. ES can be well hidden in a
private network like 10.0.0.0 or 192.168.0.0 - also there are a few
dangerous commands, and HTTP methods like DELETE to take care of. These are
open by default for maximum convenience, for admins with curl at hand, and
must be protected against malevolent access, if you set up ES in a hostile
environment.

Jörg
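
The proxy approach suggested in this thread, as an added example that is not part of the original posts or of the Elasticsearch project: a read-only filter in front of port 9200 that refuses every method except GET and removes the `version` object from the banner served at `/`. The listen port 8080, the loopback upstream address and the names `decide`, `scrub_banner` and `FilteringProxy` are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

UPSTREAM = "http://127.0.0.1:9200"  # assumption: ES reachable only from this host

def decide(method, path):
    """Return 'deny', 'scrub' (banner at /) or 'forward' for one request."""
    # Only GET passes; a target not starting with '/' could re-point the upstream URL.
    if method.upper() != "GET" or not path.startswith("/"):
        return "deny"
    return "scrub" if path.split("?", 1)[0] == "/" else "forward"

def scrub_banner(body):
    """Drop the 'version' object from the JSON served at '/'; fail closed."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return b"{}"
    doc.pop("version", None)
    return json.dumps(doc, indent=2).encode("utf-8")

class FilteringProxy(BaseHTTPRequestHandler):
    def _handle(self):
        action = decide(self.command, self.path)
        if action == "deny":
            return self.send_error(403, "Blocked by proxy policy")
        try:
            with urlopen(UPSTREAM + self.path, timeout=5) as upstream:
                status, body = upstream.status, upstream.read()
        except HTTPError as err:  # relay upstream 4xx/5xx responses
            status, body = err.code, err.read()
        except OSError:  # upstream down or timed out
            return self.send_error(502, "Upstream unavailable")
        if action == "scrub":
            body = scrub_banner(body)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_HEAD = do_PUT = do_POST = do_DELETE = _handle

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), FilteringProxy).serve_forever()
```

Every other GET path is forwarded unchanged, so narrow `decide` to the paths clients actually need if node details must stay hidden there too.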



(Josh Harrison) #7

They're worried that giving the exact version info of both ES and Lucene makes it easier should a threat already internally on the network attempt to compromise the system. At least I think that's the concern.
On Dec 20, 2013, at 12:16 AM, "joergprante@gmail.com" joergprante@gmail.com wrote:

> Can you explain why showing the prompt is a problem?
>
> Maybe it helps us to understand if it is a common use case and a patch for the codebase would be appropriate.
>
> As for the proxy, it is recommended to not expose ES to HTTP frontend access, so a proxy is the best method I know. ES can be well hidden in a private network like 10.0.0.0 or 192.168.0.0 - also there are a few dangerous commands, and HTTP methods like DELETE to take care of. These are open by default for maximum convenience, for admins with curl at hand, and must be protected against malevolent access, if you set up ES in a hostile environment.
>
> Jörg



(Jörg Prante) #8

I understand. There are many methods of compromising a system. For example,
blast random loads of bytes to open ports, until the process on the server
dies. Or syn floods. DoS attacks are possible, as long as a port is open,
like 9200. But there is also 9300.

There are firewalls or other network setups that can protect backend apps
from intruders and DoS attacks.

As said, just hide all ES nodes from public network access, or ramp up
firewall settings. Changing the ES environment is the primary solution. Do
not fight symptoms, fight the cause.

Jörg


