Some indexes have been deleted, now I see indexes called meow?

If you have seen a number of your indices recently "disappear", and then when checking your logs you see they have been deleted, and you can also see other log entries that mention the term meow, like this:

[t19hfzgnp7-meow] creating index, cause [api], templates , shards [5]/[1], mappings 

You are likely running a cluster that is exposed to the internet with no protection, and have been hit by the "meow attack".

Your immediate steps should be to upgrade to at least Elasticsearch 6.8.0 or 7.1.0, which includes free security functionality, containing:

  • TLS for encrypted communications
  • File and native realm for creating and managing users
  • Role-based access control for controlling user access to cluster APIs and indexes; also allows multi-tenancy for Kibana with security for Kibana Spaces

Setting Security up is very easy to do. The documentation covers it in detail, and there are blog posts (access control and TLS setup) about the process too.


Hi,

I have tried to set up basic authentication, with user+password, but my Elastic is down again!

Elastic is also running in a docker container, and only accessible from the "internal" network, so it shouldn't be accessible outside!

I also checked my log and see this message:

kkdhh {"type": "server", "timestamp": "2020-07-27T10:26:15,593Z", "level": "INFO", "component": "o.e.l.LicenseService", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "license [bb6f69e3-456a-4cdc-8a2d-bf0c4e05ae22] mode [basic] - valid", "cluster.uuid": "gsJNPQLbQ4eAUvm32DA-Gg", "node.id": "lIx_pBquQbaTTBxY-pM8Zg" }

kkdhh {"type": "server", "timestamp": "2020-07-27T10:26:15,600Z", "level": "INFO", "component": "o.e.x.s.s.SecurityStatusChangeListener", "cluster.name": "docker-cluster-es01", "node.name": "es01", "message": "Active license is now [BASIC]; Security is disabled", "cluster.uuid": "gsJNPQLbQ4eAUvm32DA-Gg", "node.id": "lIx_pBquQbaTTBxY-pM8Zg" }
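
An added example, not part of any post in this thread and not Elastic's own tooling: a small Python scanner that checks Elasticsearch log lines for the two signs quoted above, creation of an index whose name ends in -meow (first post) and the "Security is disabled" status message (second post). The sample lines are constructed, and the function names are hypothetical.

```python
import json
import re

# Index-creation line in the form quoted in the first post.
MEOW_CREATE = re.compile(r"\[([^\]\s/]+-meow)(?:/[^\]]*)?\]\s+creating index")
SECURITY_OFF = "Security is disabled"


def message_of(line):
    """Return (timestamp, message) from a plain-text or JSON log line."""
    start = line.find("{")  # tolerates a prefix before the JSON object
    if start != -1:
        try:
            record = json.loads(line[start:])
            if isinstance(record, dict) and "message" in record:
                return record.get("timestamp", ""), str(record["message"])
        except ValueError:
            pass  # not JSON after all; treat as plain text
    return "", line.strip()


def scan(lines):
    """Return findings as (kind, timestamp, detail) tuples."""
    findings = []
    for line in lines:
        ts, msg = message_of(line)
        m = MEOW_CREATE.search(msg)
        if m:
            findings.append(("meow-index-created", ts, m.group(1)))
        if SECURITY_OFF in msg:
            findings.append(("security-disabled", ts, msg))
    return findings


# Constructed sample input, modelled on the lines quoted in this thread.
SAMPLE = [
    '[t19hfzgnp7-meow] creating index, cause [api], templates [], shards [5]/[1], mappings []',
    '{"type": "server", "timestamp": "2020-07-27T10:26:15,600Z", "level": "INFO", '
    '"message": "Active license is now [BASIC]; Security is disabled"}',
    '{"type": "server", "timestamp": "2020-07-27T10:27:02,114Z", "level": "INFO", '
    '"message": "[a1b2c3d4e5-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []"}',
    '{"type": "server", "timestamp": "2020-07-27T10:27:05,000Z", "level": "INFO", '
    '"message": "[homeowners] creating index, cause [api], templates [], shards [1]/[1], mappings []"}',
]

if __name__ == "__main__":
    for kind, ts, detail in scan(SAMPLE):
        print(f"{kind}\t{ts or '-'}\t{detail}")
```

A "security-disabled" finding on a node that was meant to have authentication turned on means the setting did not take effect, so the cluster is still open to anyone who can reach it.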

It's better if you continue your discussion in this thread - ElasticSearch is being attacked?

