Hi - I went over the following article on securing Elasticsearch:
I have a question on the specific point below:
1. *Don't run Elasticsearch open to the public*
Elasticsearch is not designed to be a public facing service, it’s intended
to be used by your application via the API. By exposing Elasticsearch to
the world you run the risk of denial-of-service attacks if a malicious user
discovers your production Elasticsearch system. In addition, prior to the
1.2.x release an attacker can use dynamic scripting to perform arbitrary
code execution on the machine that Elasticsearch is hosted on if
Elasticsearch is open to the public.
Because of this, it is highly recommended that Elasticsearch be run from
behind a firewall, allowing only your development application or Kibana
servers to communicate with it. You should block both port 9200 as well as
port 9300 from all machines not part of your development environment.
Even if we secure the endpoint with SSL and Basic authentication using Jetty
(https://github.com/sonian/elasticsearch-jetty), is it still not fine to
expose Elasticsearch? How different is this from any service that is
publicly exposed? We have scenarios where we want to share an Elasticsearch
cluster between multiple teams, and securing Elasticsearch behind Jetty seems
like the best option. Please advise.
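The firewall rule the article asks for, as an added example (not code from the thread or from Elasticsearch): the two ports serve different peers, so they get two separate allowlists. 9200 is the REST API that application servers and Kibana talk to; 9300 is the node-to-node transport that only other cluster members need, so an application server has no business reaching it either. The addresses below are constructed, and the `nft` syntax is an assumption about the ruleset you would load on each node.

```python
"""Added example, not code from the thread or from Elasticsearch: render the
host firewall the article recommends and check what it would do to a given
peer. The hosts and networks below are constructed for illustration."""
import ipaddress

HTTP_PORT = 9200        # REST API: only application servers and Kibana need it
TRANSPORT_PORT = 9300   # node-to-node transport: only other cluster members need it

# Constructed topology (assumption): substitute your own addresses.
API_CLIENTS = ["10.0.1.0/24", "10.0.2.15"]               # app subnet plus the Kibana host
CLUSTER_NODES = ["10.0.3.10", "10.0.3.11", "10.0.3.12"]  # the Elasticsearch nodes themselves


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def nft_ruleset(api_clients=API_CLIENTS, cluster_nodes=CLUSTER_NODES):
    """Return an nftables ruleset (text for `nft -f`) that admits 9200 only
    from API clients, 9300 only from cluster peers, and drops every other
    connection to either port. Other services are left to the chain policy."""
    lines = [
        "table inet es_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {HTTP_PORT} ip saddr {{ {', '.join(api_clients)} }} accept",
        f"    tcp dport {TRANSPORT_PORT} ip saddr {{ {', '.join(cluster_nodes)} }} accept",
        f'    tcp dport {{ {HTTP_PORT}, {TRANSPORT_PORT} }} log prefix "es-blocked: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def decision(src, dport, api_clients=API_CLIENTS, cluster_nodes=CLUSTER_NODES):
    """Mirror the ruleset above for one new inbound TCP connection, so the
    policy can be reviewed before it is loaded. Returns 'accept', 'drop' or
    'not filtered' (a port the ES rules do not touch)."""
    addr = ipaddress.ip_address(src)
    if dport == HTTP_PORT and any(addr in net for net in _networks(api_clients)):
        return "accept"
    if dport == TRANSPORT_PORT and any(addr in net for net in _networks(cluster_nodes)):
        return "accept"
    if dport in (HTTP_PORT, TRANSPORT_PORT):
        return "drop"
    return "not filtered"


if __name__ == "__main__":
    print(nft_ruleset())
    # An app server may query the API but must not reach the transport port,
    # and an Internet address reaches neither.
    for src, port in [("10.0.1.7", 9200), ("10.0.1.7", 9300), ("203.0.113.5", 9200)]:
        print(f"{src}:{port} -> {decision(src, port)}")
```

The `ip saddr` sets only match IPv4 sources; an IPv6 peer falls through to the final `drop` for both ports, which is the intended default. Pair the ruleset with `network.host` in `elasticsearch.yml` set to the node's private address rather than a wildcard, so the service is not even listening where the firewall is the only thing in the way.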
Thanks a lot. That means plugins like Jetty (for Elasticsearch) have
limited or no use in real scenarios, where we need to hide the
Elasticsearch port from the external world anyway.
Regards,
Pradeep
On Monday, September 22, 2014 1:46:43 PM UTC-7, Jörg Prante wrote:
Exactly, even with SSL and Basic authentication on port 80/443, you still
must not expose port 9200/9300 to the public.
You should route all HTTP requests over port 80/443, where you can control
the traffic, for your teams sharing ES.
Jörg
On Mon, Sep 22, 2014 at 10:12 PM, Pradeep Narayan <pradee...@gmail.com> wrote:
Hi - I went over the following article on securing Elasticsearch:
Elasticsearch is not designed to be a public facing service, it’s
intended to be used by your application via the API. By exposing
Elasticsearch to the world you run the risk of denial-of-service attacks if
a malicious user discovers your production Elasticsearch system. In
addition, prior to the 1.2.x release an attacker can use dynamic scripting
to perform arbitrary code execution on the machine that Elasticsearch is
hosted on if Elasticsearch is open to the public.
Because of this, it is highly recommended that Elasticsearch be run from
behind a firewall, allowing only your development application or Kibana
servers to communicate with it. You should block both port 9200 as well as
port 9300 from all machines not part of your development environment.
Even if we secure the endpoint with SSL and Basic authentication using
Jetty (https://github.com/sonian/elasticsearch-jetty), is it still not
fine to expose Elasticsearch? How different is this from any service that
is publicly exposed? We have scenarios where we want to share an Elasticsearch
cluster between multiple teams, and securing Elasticsearch behind Jetty seems
like the best option. Please advise.
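What "route all HTTP requests over port 80/443, where you can control the traffic" looks like in practice, as an added example that is not code from the thread, from Elasticsearch or from the elasticsearch-jetty plugin. The front door below terminates Basic authentication itself, maps each user to a team, and forwards only read-only requests against that team's own indices to a cluster that listens on loopback. Cluster-level APIs, wildcard or comma-separated index lists, mutating verbs and request bodies that carry scripts (the dynamic-scripting hole the article mentions for releases before 1.2.x) are refused before anything reaches port 9200. The users, teams, index prefixes and the upstream address are constructed assumptions; the transport port 9300 is never proxied at all.

```python
"""Added example, not code from the thread, from Elasticsearch or from the
elasticsearch-jetty plugin: an HTTP front door that authenticates, decides
per team what may be forwarded, and talks to a loopback-only cluster.
Users, teams, index prefixes and the upstream address are constructed."""
import base64
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

ES_UPSTREAM = "http://127.0.0.1:9200"   # assumption: ES bound to loopback on this host
# Constructed credential table: user -> (password, team). Use a hashed store in practice.
USERS = {"alice": ("alice-secret", "search"), "bob": ("bob-secret", "logs")}
TEAM_INDEX_PREFIX = {"search": "search-", "logs": "logs-"}  # a team owns one prefix (assumption)
SAFE_METHODS = {"GET", "POST"}  # POST only so that _search bodies work; no PUT/DELETE
# One plain index name: no '*', ',', '_all', leading '_' (cluster APIs) or leading '.'.
INDEX_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")
PLAIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")  # a document type or id


def authenticate(auth_header):
    """Return the team for a valid Basic credential, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(password.encode(), entry[0].encode()):
        return None
    return entry[1]


def has_script(body):
    """True if a JSON body carries any script* key at any depth (script,
    script_fields, script_score ...). Unparseable bodies count as hostile."""
    try:
        stack = [json.loads(body)]
    except ValueError:
        return True
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if any(key.startswith("script") for key in node):
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False


def authorize(team, method, target, body=b""):
    """Decide whether `team` may send `method target` upstream: read-only
    access to its own indices, no cluster-level APIs, no scripting."""
    if method not in SAFE_METHODS:
        return False, "method not allowed"
    index, *rest = urlsplit(target).path.strip("/").split("/")
    if not INDEX_RE.match(index):
        return False, "index name rejected"
    if not index.startswith(TEAM_INDEX_PREFIX[team]):
        return False, "index not owned by team"
    if rest and rest[-1] in ("_search", "_count") and len(rest) <= 2 \
            and all(PLAIN_RE.match(p) for p in rest[:-1]):
        pass                                   # /index/_search or /index/type/_search
    elif method == "GET" and (not rest or (len(rest) == 2 and all(PLAIN_RE.match(p) for p in rest))):
        pass                                   # index metadata, or one document by type and id
    else:
        return False, "action not allowed"
    if body and has_script(body):
        return False, "scripting rejected"
    return True, "ok"


class FrontDoor(BaseHTTPRequestHandler):
    def _handle(self):
        team = authenticate(self.headers.get("Authorization"))
        if team is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="elasticsearch"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        allowed, reason = authorize(team, self.command, self.path, body)
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        upstream = Request(ES_UPSTREAM + self.path, data=body or None, method=self.command,
                           headers={"Content-Type": "application/json"})
        try:
            with urlopen(upstream, timeout=10) as resp:
                status, data = resp.status, resp.read()
        except HTTPError as err:            # pass ES error codes (400, 404 ...) through unchanged
            status, data = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _handle              # any other verb gets the default 501


if __name__ == "__main__":
    # Plain HTTP here for brevity; in production terminate TLS in front (or wrap
    # the socket with ssl.SSLContext) and expose only this port, never 9200/9300.
    HTTPServer(("0.0.0.0", 8080), FrontDoor).serve_forever()
```

The decision lives in `authorize`, so it can be exercised without a cluster: `authorize("search", "GET", "/_cluster/health")` is refused as a cluster API, `authorize("search", "POST", "/logs-2014.09.22/_search")` as another team's index, and a `_search` whose body contains `script_fields` is refused even though the index is the caller's own. That last check is the reason Basic auth alone on the Elasticsearch port is not enough for a shared cluster: an authenticated user on a pre-1.2.x node can still reach dynamic scripting unless something in front of the API strips it.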
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.