ElasticSearch Security Advisory

Slavik (XenForo moderator, staff member)
I was informed earlier today about a potential security problem relating to the ElasticSearch service. In very specific cases it appears (but we are still investigating) that an attacker has gained access to a user's server via an ElasticSearch service that is listening on a public IP address.

The fix is simple: just ensure that the service is only listening for localhost connections.


Open up your *ESdirectory*/config/elasticsearch.yml and edit

Code:
# network.host: 192.168.0.1

to

Code:
network.host: 127.0.0.1

and

Code:
# http.port: 9200

to

Code:
http.port: 9200


Additionally, some iptables rules can add a further layer of security. Generally, if your iptables rule set includes iptables -P INPUT DROP and you haven't opened your ElasticSearch port publicly via iptables, you should likewise be safe. These specific rules can be added if required (alter the port if you have ElasticSearch bound to a different port, obviously).

Code:
iptables -A INPUT -p tcp -s localhost --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP


Anyone who has had ElasticSearch installed and configured by myself should have already had the network host set to 127.0.0.1 as part and parcel of the install process (I will usually have sent confirmation of my install settings, including this one, to you when the install was finished). However, if you wish me to check for you, just drop me a conversation with your relevant details.
If I change network.host to 127.0.0.1, will this set network.bind_host and network.publish_host to the same value (127.0.0.1) automatically?
Yes, you only need to uncomment network.host; you can leave the other two variables commented. I made those settings clear in the AXIVO rpm's /etc/elasticsearch/elasticsearch.yml, as some of them are pretty confusing:
Code:
# Network Host
# Sets both 'bind_host' and 'publish_host' settings.
# The default is any (0.0.0.0).
network.host: 127.0.0.1

# Network Bind Host
# Sets the bind address specifically (IPv4 or IPv6).
#network.bind_host: 127.0.0.1

# Network Published Host
# Sets the address other nodes will use to communicate with this node. If not
# set, it is automatically derived. It must point to an actual IP address.
#network.publish_host: 127.0.0.1
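The following audit script is an added example for this thread; it is not code from the posts, from ElasticSearch or from the AXIVO rpm. It reads an elasticsearch.yml and resolves the effective HTTP bind address using the precedence this answer describes (network.bind_host if set, otherwise network.host), then flags any file whose listener would not be loopback-only and prints the iptables stopgap from the first post for whatever http.port the file sets. The three sample configs it writes are constructed for the demonstration, including the mistaken edit where network.host has been fixed but an uncommented bind_host overrides it. Two assumptions are not stated on the page and are marked as such in the comments: that an unset network.host means the old 0.0.0.0 default, and that the _local_ placeholder is accepted by the version in use.

```shell
#!/bin/sh
# es_bind_check.sh: added example, not code from the thread, ElasticSearch or the
# AXIVO rpm. Resolves the effective HTTP bind address of an elasticsearch.yml
# using the precedence from the answer above: network.bind_host wins, then
# network.host, then the old default of 0.0.0.0 (all interfaces).

# Print the value of a top-level "key: value" line, ignoring commented-out lines,
# inline comments and surrounding quotes. Prints nothing when the key is unset.
# Usage: es_setting <file> <key>
es_setting() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Effective address the HTTP listener binds to.
es_bind_host() {
    esb_host=$(es_setting "$1" network.bind_host)
    [ -n "$esb_host" ] || esb_host=$(es_setting "$1" network.host)
    [ -n "$esb_host" ] || esb_host=0.0.0.0   # assumed default when nothing is set
    printf '%s\n' "$esb_host"
}

# True for loopback addresses; _local_ is ElasticSearch's loopback placeholder
# (assumed to be supported by the version in use).
is_loopback() {
    case "$1" in
        127.*|::1|localhost|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one config file. Returns 0 when the listener is loopback-only,
# 1 when it would be reachable from other hosts.
es_audit() {
    esa_host=$(es_bind_host "$1")
    esa_port=$(es_setting "$1" http.port)
    [ -n "$esa_port" ] || esa_port=9200      # default port named in the thread
    if is_loopback "$esa_host"; then
        echo "OK: $1 -> HTTP on $esa_host:$esa_port (loopback only)"
        return 0
    fi
    echo "EXPOSED: $1 -> HTTP on $esa_host:$esa_port; set network.host: 127.0.0.1"
    echo "  stopgap until the service is restarted (same rules as the first post):"
    echo "  iptables -A INPUT -p tcp -s 127.0.0.1 --dport $esa_port -j ACCEPT"
    echo "  iptables -A INPUT -p tcp --dport $esa_port -j DROP"
    return 1
}

# Constructed sample configs for the demonstration (written into <dir>).
write_samples() {
    # stock file with the settings still commented out: binds every interface
    cat >"$1/stock.yml" <<'EOF'
# network.host: 192.168.0.1
# http.port: 9200
EOF
    # the fix from the first post
    cat >"$1/fixed.yml" <<'EOF'
network.host: 127.0.0.1
http.port: 9200
EOF
    # a mistaken edit: network.host is right, but an uncommented bind_host overrides it
    cat >"$1/overridden.yml" <<'EOF'
network.host: 127.0.0.1
network.bind_host: "0.0.0.0"   # wins over network.host for the bind address
http.port: 9201
EOF
}

# With arguments: audit the given files (e.g. /etc/elasticsearch/elasticsearch.yml).
# Without: audit the constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do es_audit "$f"; done
else
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir"
    for f in "$demo_dir"/stock.yml "$demo_dir"/fixed.yml "$demo_dir"/overridden.yml; do
        es_audit "$f"
    done
    rm -rf "$demo_dir"
fi
```

Run it as sh es_bind_check.sh /etc/elasticsearch/elasticsearch.yml on the host; a non-zero exit means the file, as written, would put the HTTP listener on a non-loopback address. The script only reads the config, so pair it with ss -ltn (or netstat -ltn) to confirm what the running process actually bound, since an edited file does nothing until the service is restarted.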
If you are doing clustering, there is the option "transport.host".

This allows you to push the node-node traffic onto a private network (using "transport.host: _eth1:ipv4_") while allowing client queries on any interface or just localhost.