Oups, hacked again ! Basic auth does not help
Hi @ClubberLang,
Basic auth should stop this attack. Can you make sure all Elasticsearch instances in your cluster have basic auth enabled? You can verify this with curl:
$ curl https://hostname:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}
vs
$ curl http://localhost:9200
{
  "name" : "xxxx",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "wVHOW5HASIGrYr8HwLGKSA",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Thanks in advance
Thanks,
Some facts about my setup:
- Elastic is running inside a docker container
- I have only one instance
- The docker container has only one 'docker network', and this network is not exposed outside.
It means that (at least to my knowledge), the docker container "shouldn't" be accessible from the outside, right?
But once I'm logged in (via ssh), I can run a docker command to execute curl, and I get:
{
  "name" : "es01",
  "cluster_name" : "docker-cluster-es01",
  "cluster_uuid" : "mLEVxGLGRTu6JH-AAZGw5w",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
So, it seems it is not protected at all! I use the following docker compose:
version: '3.3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    environment:
      ELASTIC_PASSWORD: CHANGE_MY_PASS
      ES_JAVA_OPTS: -Xms1024m -Xmx1024m
      bootstrap.memory_lock: 'true'
      cluster.name: docker-cluster-es01
      discovery.type: single-node
      http.host: 0.0.0.0
      network.host: 0.0.0.0
      node.name: es01
      transport.host: 127.0.0.1
      xpack.security.enabled: 'false'
    ports:
      - 9200:9200
      - 9300:9300
    volumes:
      - /data/elastic/data:/usr/share/elasticsearch/data
    networks:
      - socloze-net
    logging:
      driver: json-file
I use 'ELASTIC_PASSWORD', and I also have this xpack.security.enabled: 'false', otherwise I get a message such as "You have a basic licence, we deactivate the security"!
So, it means that:
- My system is compromised, they can get inside!
- My Elastic is not correctly secured, ELASTIC_PASSWORD does nothing!
Right? Any idea how to solve this?
Thanks
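An added example, not code from the thread or from Elastic: a small Python 3 audit script (standard library only) that applies the curl check @joshbressers describes to a list of your own endpoints and classifies each anonymous `GET /` as protected (401 security_exception), open (cluster info served with no credentials, which is what a node with xpack.security.enabled set to 'false' returns regardless of ELASTIC_PASSWORD) or unknown. The host names in the main block are hypothetical, and the two sample bodies are constructed from the responses quoted above.

```python
import json
import urllib.error
import urllib.request

# Constructed sample bodies, modelled on the two curl outputs quoted in the thread.
OPEN_BODY = json.dumps({"name": "es01", "cluster_name": "docker-cluster-es01",
                        "version": {"number": "7.8.0"},
                        "tagline": "You Know, for Search"})
PROTECTED_BODY = json.dumps({"error": {"type": "security_exception",
                                       "reason": "action [cluster:monitor/main] "
                                                 "requires authentication"},
                             "status": 401})


def classify(status, body):
    """Classify an anonymous GET / response: 'protected', 'open' or 'unknown'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if status == 401 and doc.get("error", {}).get("type") == "security_exception":
        return "protected"          # security enabled, credentials required
    if status == 200 and "cluster_name" in doc and "version" in doc:
        return "open"               # cluster info handed out with no credentials
    return "unknown"


def probe(url, timeout=5):
    """Fetch url with no credentials; urllib raises HTTPError for 401, body included."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit(urls):
    """Map each endpoint to its classification; anything 'open' needs security enabled."""
    return {url: probe(url) for url in urls}


if __name__ == "__main__":
    # Hypothetical endpoints; replace with the nodes of your own cluster.
    for url, state in audit(["http://localhost:9200",
                             "https://es01.example.internal:9200"]).items():
        print(f"{state:11s} {url}")
```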
Hi @joshbressers,
Can you suggest how we can enable basic auth for the Elasticsearch service?
My curl command gives the result below:
curl -X GET "localhost:9200"
{
  "name" : "something",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "id",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
If you're running in containers, this page has nice instructions
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls-docker.html
If you need to enable authentication outside of containers this blog covers things
Good luck!
Thank you @joshbressers
Hi,
Yesterday at noon I created some indexes and dashboards; they are still working fine and no data has vanished so far.
Can anyone please confirm the same?
Hi @charan_syba, we have set up xpack security following the same steps @joshbressers provided!
It has been two days now! It's safe now, and there are no other activities on our server.
Thanks @ClubberLang, it's the meow issue on our server, I think!
Hi
Can anyone tell me how to feed data into Kibana from a ready-made REST API that serves data in JSON format?