Recently I spun up a box on a cloud hosting provider, planning to make tens of thousands of queries to an Elasticsearch instance on the same box. I could have done this on my own machine, but didn't want to take up compute resources.
I installed R and Elasticsearch on the box, then went about doing my thang.
A day later, when things were still running, the hosting provider sent me a message that apparently my box had been serving up a DDoS attack.
This was incredibly surprising, as I don’t even know how to do such a thing.
After some digging it seems that the culprit was likely Elasticsearch, as a number of tutorials/blog posts state that Elasticsearch is insecure by default, so if it's exposed on a public port, someone can hack in. I had only used Elasticsearch locally on my own machine, so I hadn't thought about security. Here are a few resources for security help:
- DigitalOcean tutorial no. 1
- DigitalOcean tutorial no. 2
- Blog post on securing ES
- SO answer on securing ES
Trying to narrow down the various pieces of advice for securing Elasticsearch, here’s a list:
- Use `iptables` (or rather nftables?) to firewall the box
- Whitelist certain trusted IPs
- Use the `elasticsearch-http-basic` plugin, which adds basic username/password login
- Remove public access: set `network.bind_host: localhost` and `script.disable_dynamic: true` in the `elasticsearch.yml` config file
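The list above is a procedure, so here is one way to carry it out, as an added example that is not from the original post or from the linked tutorials. It assumes Elasticsearch is on its default ports (9200 for HTTP, 9300 for node transport) and uses placeholder trusted IPs from the documentation-only TEST-NET ranges; substitute your own. It writes the firewall rules out as an `iptables-restore` file rather than applying them, so they can be reviewed first, and it checks `elasticsearch.yml` for the two settings named above. (`script.disable_dynamic` is an Elasticsearch 1.x setting; an unauthenticated, publicly bound port 9200 with dynamic scripting enabled is precisely what let strangers run code on boxes like this one, which is why both the firewall and the config change matter.)

```shell
#!/bin/sh
# es-harden.sh: added example, not the original post's code.
# Placeholder trusted clients (RFC 5737 TEST-NET addresses, constructed for this example).
TRUSTED_IPS="203.0.113.10 198.51.100.0/24"
ES_PORTS="9200 9300"   # Elasticsearch defaults: HTTP and transport

# Emit an iptables-restore ruleset instead of calling iptables directly, so the
# result can be inspected, then loaded with: sudo iptables-restore < es-firewall.rules
build_es_rules() {
    echo '*filter'
    echo ':ES_INPUT - [0:0]'
    # Send every packet destined for an ES port to a dedicated chain.
    for p in $ES_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j ES_INPUT"
    done
    # Loopback (the local R session) and whitelisted IPs may connect; all else is dropped.
    echo '-A ES_INPUT -i lo -j ACCEPT'
    for ip in $TRUSTED_IPS; do
        for p in $ES_PORTS; do
            echo "-A ES_INPUT -s $ip -p tcp --dport $p -j ACCEPT"
        done
    done
    echo '-A ES_INPUT -j DROP'
    echo 'COMMIT'
}

# Check that elasticsearch.yml ($1) carries both recommended settings.
# Prints each missing setting and returns non-zero if any is absent.
check_es_config() {
    status=0
    grep -Eq '^[[:space:]]*network\.bind_host:[[:space:]]*(localhost|127\.0\.0\.1)' "$1" \
        || { echo "missing: network.bind_host: localhost"; status=1; }
    grep -Eq '^[[:space:]]*script\.disable_dynamic:[[:space:]]*true' "$1" \
        || { echo "missing: script.disable_dynamic: true"; status=1; }
    return $status
}

# Usage: sh es-harden.sh /etc/elasticsearch/elasticsearch.yml > es-firewall.rules
# (the config check's messages go to stdout too, so review the file before loading it)
if [ -n "${1:-}" ]; then
    check_es_config "$1"
    build_es_rules
fi
```

The ruleset only covers the two Elasticsearch ports, so merge it with whatever `INPUT` policy the box already has rather than replacing it wholesale, and restart Elasticsearch after editing `elasticsearch.yml` so that `network.bind_host` takes effect. With the host bound to localhost the firewall is a second layer, which is the point: either control alone failing should not expose port 9200 to the internet.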
Elasticsearch provides a new feature for security that’s built into Elasticsearch, Shield, but I believe it’s only available to enterprise customers. Boo.