Securing ElasticSearch Cluster

Hi - I went over the following article on securing elasticsearch:

http://www.elasticsearch.org/blog/scripting-security/

I have a question on the specific point below:

1. Don’t run Elasticsearch open to the public

Elasticsearch is not designed to be a public facing service, it’s intended
to be used by your application via the API. By exposing Elasticsearch to
the world you run the risk of denial-of-service attacks if a malicious user
discovers your production Elasticsearch system. In addition, prior to the
1.2.x release an attacker can use dynamic scripting to perform arbitrary
code execution on the machine that Elasticsearch is hosted on if
Elasticsearch is open to the public.

Because of this, it is highly recommended that Elasticsearch be run from
behind a firewall, allowing only your development application or Kibana
servers to communicate with it. You should block both port 9200 as well as
port 9300 from all machines not part of your development environment.

Even if we secure the endpoint with SSL and Basic authentication using Jetty
https://github.com/sonian/elasticsearch-jetty, is it still not fine to
expose Elasticsearch? How different is this from any service that is
publicly exposed? We have scenarios where we want to share Elasticsearch
cluster between multiple teams and securing Elasticsearch behind Jetty seems
like the best option. Please advise.

Regards,

Pradeep

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/9baa7ea2-cec0-4ea1-b31a-8b024e58f2ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Exactly, even with SSL and Basic authentication on port 80/443, you still
must not expose port 9200/9300 to the public.

You should route all HTTP requests over port 80/443, where you can control
the traffic, for your teams sharing ES.

Jörg
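
An added example, not part of the original thread: a host-side audit that checks whether ports 9200 and 9300 are listening on anything other than loopback, which is what the firewall advice above depends on. It parses `ss -ltnH` output; the sample lines are constructed and the function names are illustrative.

```python
import ipaddress

ES_PORTS = {9200: "HTTP API", 9300: "transport"}

# Constructed sample of `ss -ltnH` output (not taken from the thread).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9300 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:9200 [::]:*
LISTEN 0 128 [::1]:9300 [::]:*
LISTEN 0 128 10.0.0.5:9200 0.0.0.0:*
"""

def split_local(field):
    """Split 'addr:port' (IPv4, bracketed IPv6, or '*') into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    if host == "*":                        # ss prints '*' for a wildcard bind
        host = "0.0.0.0"
    return host, int(port)

def classify(host):
    """Describe how widely a bind address is reachable."""
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_private:
        return "private"
    return "public"

def audit(ss_output):
    """Return (port, host, scope) for every ES listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port in ES_PORTS and classify(host) != "loopback":
            findings.append((port, host, classify(host)))
    return findings

if __name__ == "__main__":
    for port, host, scope in audit(SAMPLE_SS):
        print(f"{ES_PORTS[port]} port {port} bound to {host} ({scope}): "
              "confirm a firewall restricts it to trusted hosts")
```

A listener reported as "private" is not necessarily exposed, but it is only as safe as the firewall rules in front of that interface.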

Thanks a lot. That means, plugins like Jetty (for Elasticsearch) have
limited or no use in real scenarios where we anyway need to hide the
elasticsearch port from the external world.

Regards,
Pradeep
