PSA: check your ElasticSearch server port is not accessible to the outside world

Sim

Well-known member
Looks like @BIG LLC has been having a bit of a bad time over at BigFooty - https://www.bigfooty.com/forum/threads/data-breach-notice-bigfooty-search-index.1240365/

Data Breach Notice - BigFooty Forum Search Index
What happened?
Recently we learned of a security breach on BigFooty's search index which, due to a mis-configuration, was publicly accessible without restriction. This search index included content that may have been removed from public view on the forum, and other content where access was restricted. Access to the index was blocked as soon as we became aware of the issue on the 14th of May and commenced assessment of the breach. Whilst we now know that there was some unwanted interaction by unauthorised people, our investigation leads us to believe the whole index was not copied. To be safe, we have chosen to inform you as if it was.
What kind of user data was affected?
We stress that this was not the core forum database, just the search index.
No account registration information like email and date of birth was involved.
...

Typical media doing a terrible job of reporting the facts: https://www.smh.com.au/politics/fed...s-of-up-to-100-000-users-20200529-p54xnz.html

A large data leak from an AFL fan website has exposed about 70 million records online, including private conversations between users, according to cyber security researchers.
Aussie Rules forum Bigfooty.com has about 100,000 users – although it's not known how many were affected. The site has now started to contact users to notify them about the breach but the company believes no one downloaded the exposed data.
...

I don't think it was clearly explained in the article that it was just the search server which was open via a publicly accessible port - their site was not "hacked" in any way and their XenForo user database was not compromised.

Anyway - this should serve as a valuable lesson to all of us - check your ElasticSearch server to ensure that it's not accessible to the outside world!
 
If ElasticSearch is running on the same machine as the web server, you simply have it bind to localhost so it can't be accessed externally at all - easy as.

I run my ElasticSearch server on a separate machine, but I use a local private IP network which can't be accessed from an external network - ES binds to the non-routable address and can only be accessed by other local servers directly connected to the same router.

I then also have a firewall rule to allow only requests to the ES port from my web servers on their private network addresses.

Should do the trick I believe.
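A pre-deployment check for the two bind setups described above, added here as an example and not part of Sim's post or of Elasticsearch itself; it assumes an elasticsearch.yml-style file with a `network.host` line, uses constructed sample configs, and the firewall lines in the trailing comments assume a web server at 10.0.0.2:

```shell
#!/bin/sh
# Added example (not from the thread): classify an Elasticsearch node's configured bind
# address so an exposed port 9200 is caught before the node goes live. Assumes an
# elasticsearch.yml with "network.host: <value>" or "network.host: [a, b]";
# _local_, _site_ and _global_ are Elasticsearch's own placeholder values.

# Print the configured network.host values, comma separated, quotes/brackets stripped.
# Elasticsearch binds to loopback only when the setting is absent, reported here as _local_.
es_bind_host() {
  host=$(sed -n 's/^[[:space:]]*network\.host[[:space:]]*:[[:space:]]*//p' "$1" \
         | sed 's/[[:space:]]*#.*$//' | tail -n 1 | tr -d "\"' ][")
  [ -n "$host" ] && printf '%s\n' "$host" || printf '%s\n' "_local_"
}

# 0 if this address is reachable only from loopback or a private (RFC 1918) network,
# 1 for anything else (_global_, 0.0.0.0, public IPs, hostnames) - conservative on purpose.
es_host_is_private() {
  case "$1" in
    _local_|localhost|127.*|::1) return 0 ;;
    _site_|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when every configured address is private, 1 as soon as one of them is exposed.
es_config_is_private() {
  hosts=$(es_bind_host "$1")
  oldifs=$IFS; IFS=,
  for h in $hosts; do
    if ! es_host_is_private "$h"; then IFS=$oldifs; return 1; fi
  done
  IFS=$oldifs
  return 0
}
# Constructed sample configs, one per scenario discussed in the thread.
TMP=$(mktemp -d)
printf 'cluster.name: forum\nnetwork.host: 0.0.0.0\n' > "$TMP/exposed.yml"
printf 'network.host: "127.0.0.1"   # same box as the web server\n' > "$TMP/local.yml"
printf 'network.host: [_local_, 10.0.0.5]   # separate box, private LAN\n' > "$TMP/private.yml"
for f in "$TMP"/*.yml; do
  if es_config_is_private "$f"; then printf 'OK      %s: %s\n' "$(basename "$f")" "$(es_bind_host "$f")"
  else printf 'EXPOSED %s: %s (port 9200 reachable from outside)\n' "$(basename "$f")" "$(es_bind_host "$f")"
  fi
done
rm -r "$TMP"
# Defence in depth regardless of the bind address (iptables, assumed web server 10.0.0.2):
#   iptables -A INPUT -p tcp --dport 9200 -s 10.0.0.2 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 9200 -j DROP
# Live check on the node: "ss -ltn | grep ':9200'" must show 127.0.0.1 or a private address, never 0.0.0.0 or *.
```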
 
If ElasticSearch is running on the same machine as the web server, you simply have it bind to localhost so it can't be accessed externally at all - easy as.
+1

Though misconfiguring Elasticsearch would have opened it up if there wasn't a firewall in place.
 
Do people not use firewalls anymore? The only ports on my server that are open are 80 & 443, and that's only to Cloudflare's IP addresses; my SSH port is only unblocked temporarily for maintenance to my home IP address. Why take chances?
 