
Oops, hacked again! Basic auth does not help :frowning:

Hi @ClubberLang,

Basic auth should stop this attack. Can you make sure all Elasticsearch instances in your cluster have basic auth enabled? You can verify this with curl:

$ curl https://hostname:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}

vs

$ curl http://localhost:9200
{
"name" : "xxxx",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "wVHOW5HASIGrYr8HwLGKSA",
"version" : {
"number" : "7.8.0",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
"build_date" : "2020-06-14T19:35:50.234439Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

Thanks in advance


Thanks,

Some facts about my setup:

  • Elastic is running inside a docker container
  • I have only one instance
  • The docker container has only one 'docker network', and this network is not exposed outside.

It means that (at least from my knowledge) the docker container "shouldn't" be accessible from the outside, right?

But once I'm logged in (via ssh), I can run a docker command to execute curl, and I got:
{
"name" : "es01",
"cluster_name" : "docker-cluster-es01",
"cluster_uuid" : "mLEVxGLGRTu6JH-AAZGw5w",
"version" : {
"number" : "7.8.0",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
"build_date" : "2020-06-14T19:35:50.234439Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

So, it seems it is not protected at all! I use the following docker compose:

version: '3.3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    environment:
      ELASTIC_PASSWORD: CHANGE_MY_PASS
      ES_JAVA_OPTS: -Xms1024m -Xmx1024m
      bootstrap.memory_lock: 'true'
      cluster.name: docker-cluster-es01
      discovery.type: single-node
      http.host: 0.0.0.0
      network.host: 0.0.0.0
      node.name: es01
      transport.host: 127.0.0.1
      xpack.security.enabled: 'false'
    ports:
     - 9200:9200
     - 9300:9300
    volumes:
     - /data/elastic/data:/usr/share/elasticsearch/data
    networks:
     - socloze-net
    logging:
      driver: json-file

I use 'ELASTIC_PASSWORD'. I also have xpack.security.enabled: 'false', otherwise I get a message such as "You have a basic licence, we deactivate the security"!

So, it means that:

  • My system is compromised, they can get inside!
  • My Elastic is not correctly secured, ELASTIC_PASSWORD does nothing!

Right? Any idea how to solve this?

Thanks
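As an added illustration of the compose problem in this post (example code written for this page, not from the thread or from Elastic): a small Python audit that flags security disabled, an ELASTIC_PASSWORD that is therefore ignored, and ports published on every host interface. The helper names are assumptions; the two service dicts are reconstructed from the posted compose file plus a hardened variant (enabling security on a basic licence also needs the TLS setup from the guide linked later in the thread).

```python
"""Audit a compose service for the two mistakes that leave Elasticsearch 7.x
open: security disabled (ELASTIC_PASSWORD is then ignored) and ports published
on all host interfaces (Docker's own iptables rules admit that traffic even
when a host firewall such as ufw is in place). Helper names are hypothetical."""

ES_PORTS = ("9200", "9300")  # HTTP API and transport

def parse_port(spec):
    """Split a compose 'ports' entry into (host_ip, host_port, container_port)."""
    parts = str(spec).split(":")
    if len(parts) == 3:               # "127.0.0.1:9200:9200" -> bound to one IP
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:               # "9200:9200" -> all host interfaces
        return "0.0.0.0", parts[0], parts[1]
    return "0.0.0.0", None, parts[0]  # "9200" -> random host port, all interfaces

def is_false(value):
    return str(value).strip().lower() in ("false", "no", "0")

def audit_es_service(service):
    """Return a list of human-readable findings for one compose service dict."""
    env = service.get("environment", {})
    findings = []
    # 7.x on a basic licence leaves security off unless explicitly enabled.
    if is_false(env.get("xpack.security.enabled", "false")):
        findings.append("xpack.security.enabled is false: every request is anonymous")
        if "ELASTIC_PASSWORD" in env:
            findings.append("ELASTIC_PASSWORD is set but ignored while security is off")
    for spec in service.get("ports", []):
        host_ip, _, container_port = parse_port(spec)
        if container_port in ES_PORTS and host_ip in ("0.0.0.0", "::"):
            findings.append(f"port {container_port} published on {host_ip}: "
                            "reachable from outside the docker network")
    return findings

# Constructed from the thread's compose file (environment and ports only) ...
THREAD_SERVICE = {
    "environment": {"ELASTIC_PASSWORD": "CHANGE_MY_PASS", "xpack.security.enabled": "false"},
    "ports": ["9200:9200", "9300:9300"],
}
# ... and a hardened variant: security on, HTTP API bound to localhost only.
HARDENED_SERVICE = {
    "environment": {"ELASTIC_PASSWORD": "CHANGE_MY_PASS", "xpack.security.enabled": "true"},
    "ports": ["127.0.0.1:9200:9200"],
}

if __name__ == "__main__":
    for name, svc in (("as posted", THREAD_SERVICE), ("hardened", HARDENED_SERVICE)):
        print(name, audit_es_service(svc) or ["no findings"])
```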

Hi @joshbressers,
Can you suggest how we can enable basic auth for the Elasticsearch service?

My curl command gives the result below:
curl -X GET "localhost:9200"
{
"name" : "something",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "id",
"version" : {
"number" : "7.8.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
"build_date" : "2020-06-14T19:35:50.234439Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

If you're running in containers, this page has nice instructions:
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls-docker.html

If you need to enable authentication outside of containers, this blog covers things

Good luck!


Thank you @joshbressers

Hi,
Yesterday at noon I created some indexes and dashboards; they are still working fine and no data has vanished so far.
Can anyone please confirm the same?


Hi @charan_syba, we have set up xpack security following the same steps @joshbressers provided!
It has been two days now! It's safe now, and there are no other activities on our server.

Thanks @ClubberLang, it's the meow issue I think on our server!


Hi
Can anyone tell me how to feed data to Kibana from a ready-made REST API which has data in JSON format?
