Ransom attack on Elasticsearch cluster?

There are also free security solutions like https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin or https://github.com/floragunncom/search-guard

Having security optional is the worst thing elastic managers came up with.

We've been driven away and have moved our largest installation back to MongoDB, where it was months ago before we moved to Elastic. Luckily it's all plug and play, so that one was a matter of hours. The other products will follow.

I suggest you reconsider the x-pack licensing asap.


nkoothrappahli You are correct and thanks for linking these here in case others google for this issue.

I still hope Elastic can rethink their licensing approach and what parts of their X-Pack product they consider to be something you need to pay for. Especially since it's difficult to argue that adding basic auth is such a tremendous feat of engineering.

Alright, I have a huge cluster with billions of documents. It scares me to death every time I see a post like this, and unfortunately the number of such blogs and reports has been growing recently.

The simplest way is to have the cluster on a private IP behind a reverse proxy such as Nginx with simple authentication. Only expose the Nginx to the public and disable DELETE, or even PUT/POST, for your selected endpoints/users. Even install a simple fail2ban on the machine to ban IP addresses that try to brute-force your simple authentication. (This comes integrated with Nginx.)

Is this so hard to do or this is not good enough that's why nobody even bothers to do it?

I get the criticism over X-Pack, that Security should be shipped with the Elastic Stack. Maybe they will do this in the future. Or maybe they won't, but by no means does this justify thousands of MongoDB and Elasticsearch instances being exposed publicly on the same ports!

My 2 cents: use Nginx! It is simple, and there are tons of snippets out there to get you up and running if you've never set up a reverse proxy. Besides, it is very useful and lightweight.

May the force be with our Elastic Stack!

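As an added illustration of the setup the post above describes (this is not configuration from the thread or from Elastic; addresses, hostnames, certificate paths, index names and htpasswd files are placeholders): Elasticsearch binds only to a private address (`network.host` in `elasticsearch.yml`), and Nginx on the public side enforces basic auth, allows only GET/HEAD by default, permits writes to a single index pattern for a separate set of users, and refuses cluster-administration endpoints outright.

```nginx
# Added example, not from the thread. All addresses, names and paths are assumptions.
upstream elasticsearch {
    server 10.0.0.5:9200;   # assumed private address; ES must not listen on a public interface
}

server {
    listen 443 ssl;
    server_name search.example.com;                    # placeholder
    ssl_certificate     /etc/nginx/tls/search.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/search.key;     # placeholder

    # Everyone must authenticate; failures are logged to error.log, which fail2ban can watch.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es-readers.htpasswd;   # created with: htpasswd -c ... <user>

    # Cluster administration is never reachable through the proxy, whatever the method.
    # Regex locations are tried in order, so this block comes first.
    location ~ ^/(_cluster|_nodes|_shutdown|_snapshot|_cat|_xpack)(/|$) {
        return 403;
    }

    # Search bodies are usually sent with POST; allow POST only on _search endpoints.
    location ~ /_search$ {
        limit_except GET HEAD POST { deny all; }
        proxy_pass http://elasticsearch;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Writes: only to the app-logs-* indices, only for users in the writers file,
    # and DELETE is still refused (it is absent from the limit_except list).
    location ~ ^/app-logs(-[0-9]{4}\.[0-9]{2}\.[0-9]{2})?/ {
        auth_basic_user_file /etc/nginx/es-writers.htpasswd;
        limit_except GET HEAD POST PUT { deny all; }
        proxy_pass http://elasticsearch;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is read-only: PUT/POST/DELETE are answered with 403 before
    # they reach the cluster.
    location / {
        limit_except GET HEAD { deny all; }
        proxy_pass http://elasticsearch;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks worth doing after deploying something like this: run `nginx -t` and then confirm from an outside host that `curl -X DELETE https://search.example.com/app-logs-2020.01.01` returns 403 even with valid writer credentials, and that `curl http://10.0.0.5:9200/` is unreachable from outside the private network at all, since the proxy is no protection if port 9200 is still bound publicly. For the brute-force angle the post mentions, fail2ban ships an `nginx-http-auth` filter that reads the 401 entries in the Nginx error log; enabling that jail covers the basic-auth endpoint without any extra scripting.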

I used to have an open Elasticsearch instance on the net for anyone to read (microinstance.com, long gone). All I had in front was a simple Node proxy to prevent anything but GETs (https://github.com/lukas-vlcek/node.es). Fun times. I cannot believe however that others have unintentionally exposed servers.

The lack of security was always a big point of contention on the mailing list years ago. There are other security alternatives out there. Besides the cost of X-Pack, I still cannot get over how terrible of a name it is. :)

Ivan
