Today I found that all indices on our Test ES cluster were removed and one new index "warning" was created there.
And I found the following text in the raw index data:
SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS...
It is a testing cluster for practicing and learning, so we simply allow internet access to the endpoint.
We will definitely consider security on PROD cluster.
If the cluster is open to the internet and not secured in any way, you can simply read/modify/delete the data through the REST interface. No need for scripts of any kind.
It's a shame that Elastic thinks data security is optional and doesn't include security modules as part of the default bundle. I understand that as a commercial entity, they have to generate revenue and shield is one of them. But most free to use products do not consider security as such. Before anyone says, stop cribbing, it's a free product, blah, blah and pay for it already, I will shut up.
# License [will expire] on [Friday, December 30, 2016]. If you have a new license, please update it.
# Otherwise, please reach out to your support contact.
#
# Commercial plugins operate with reduced functionality on license expiration:
# - security
# -- Cluster health, cluster stats and indices stats operations are blocked
# -- All data operations (read and write) continue to work
# - watcher
# -- PUT / GET watch APIs are disabled, DELETE watch API continues to work
# -- Watches execute and write to the history
# -- The actions of the watches don't execute
# - monitoring
# -- The agent will stop collecting cluster and indices metrics
# -- The agent will stop automatically cleaning indices older than [xpack.monitoring.history.duration]
# - graph
# -- Graph explore APIs are disabled
Notice the indentation underneath "- security"? (I added two dashes because the post formatter eats the extra space)
This indentation means "security" is listed as a category of items to be listed underneath. The two items ("Cluster health, cluster stats and indices stats operations are blocked", "All data operations (read and write) continue to work") do NOT adequately transport the message that this main feature of X-Pack is actually not working anymore.
Here's how you fix this: Either
a) Put up a big notice that makes it absolutely clear that authentication is not included in the free basic license, or
b) Consider adding auth to the free license tier. It is not something you can reasonably expect to charge money for. It is easily achieved via other means, so why not aim for robustness instead and offer everyone the benefits of a basic functionality like this. You may think it's a smart business idea, but to people outside your company it just looks like a cash grab.
We've been hit by this as well, but our data was easily reindexed. However, this just makes ES look immature. This would be an awesome time to turn this into a PR advantage, and react by adding auth support to either the free x-pack license, or even just include it in the main program.
Set up firewall rules to only allow traffic from trusted IP addresses.
Tunnel via SSH
...?
I don't see how anyone could miss that ES doesn't authenticate requests by itself. If you've put an ES endpoint on the public internet you only have yourself to blame when someone else accesses it.
I'm suspicious of your conclusion that licence expiry disables all authentication. It certainly doesn't seem to here, but I'm a little outdated in versions.
dmjcgreal: Indeed, anyone putting up an ES instance without authentication on a public IP has to face the risk of someone else deleting stuff from it.
But do go ahead and try the latest version, install X-Pack (auth will work then), then install a basic license. You will have to acknowledge but it is easy to miss.
Thankfully, several solutions exist: There's an open source plugin for authentication which does not cost money, and you can also use nginx or haproxy to add basic auth to an ES instance. In general it's safest to not expose ES at all if you can help it.
And again, while there is a page buried somewhere that lists authentication as a paid feature, it would be helpful to include this information in the documentation as well - because that's the page you get if you google ES auth.
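As an added example (my code, not anything posted in this thread or shipped by Elastic), here is a small Python audit helper a defender can point at their own cluster: it tells whether the HTTP endpoint answers without credentials, and it checks an index list plus a few sample documents for the wipe-and-ransom pattern reported at the top of the thread. The `SUSPECT_INDEX_NAMES` set and the ransom-note regex are assumptions drawn from this thread's note and index name.

```python
import json
import re
import urllib.error
import urllib.request

# Wording of the ransom note quoted in this thread; matched case-insensitively.
RANSOM_RE = re.compile(r"\b(BTC|BITCOINS?|WALLET)\b.*\b(RECOVER|DATABASE)\b", re.I | re.S)
# Index name the thread reports the attacker left behind (assumed list; extend for your environment).
SUSPECT_INDEX_NAMES = {"warning"}
# Constructed sample, not captured from a real cluster: the index list after the wipe and the note stored in it.
SAMPLE_INDICES = ["warning"]
SAMPLE_DOCS = ["SEND 0.2 BTC TO THIS WALLET: <address> IF YOU WANT RECOVER YOUR DATABASE!"]


def classify_root(status, body):
    """Classify the reply to an unauthenticated GET / on the ES HTTP port.
    'open': cluster banner returned with no credentials, so the whole REST API is reachable
    'auth-required': 401/403, something (X-Pack security, a reverse proxy) enforces authentication
    'not-es': some other service or an unexpected reply
    """
    if status in (401, 403):
        return "auth-required"
    try:
        info = json.loads(body)
    except ValueError:
        return "not-es"
    if status == 200 and isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "open"
    return "not-es"


def ransom_indicators(index_names, sample_docs):
    """Return reasons the cluster looks wiped and ransomed ([] if it looks normal).
    index_names: names from GET /_cat/indices; sample_docs: text of a few documents from the surviving index.
    """
    reasons = []
    names = set(index_names)
    if names and names <= SUSPECT_INDEX_NAMES:
        reasons.append("only index present is a known ransom-note index: %s" % sorted(names))
    if any(RANSOM_RE.search(doc) for doc in sample_docs):
        reasons.append("document contains ransom-note wording")
    return reasons


def probe(base_url, timeout=5):
    """Network check: fetch the root banner without credentials and classify it (use on your own cluster)."""
    try:
        with urllib.request.urlopen(base_url, timeout=timeout) as resp:
            return classify_root(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_root(err.code, err.read().decode("utf-8", "replace"))
```

Run `probe("http://your-es-host:9200/")` from outside your trusted network: anything other than "auth-required" means the firewall, SSH tunnel or proxy mentioned in this thread is not actually in front of the cluster.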