Recently I spun up a box on a cloud hosting provider planning to make tens of thousands of queries to an Elasticsearch instance on the same box. I could have done this on my own machine, but didn’t want to take up compute resources.

I installed R and Elasticsearch on the box, then went about doing my thang.

A day later when things were still running, the hosting provider sent me a message that apparently my box had been serving up a DDoS attack.

This was incredibly surprising, as I don’t even know how to do such a thing.

After some digging it seems that the culprit was likely Elasticsearch, as a number of tutorials/blog posts state that Elasticsearch is insecure by default, so if it’s exposed on a public port, someone can hack in. I had only used Elasticsearch locally on my own machine, so I hadn’t thought about security. Here are a few resources for security help:

Trying to narrow down the various pieces of advice for securing Elasticsearch, here’s a list:

  • Use iptables (or rather nftables?) to firewall the box
  • Whitelist certain trusted IPs
  • Use the elasticsearch-http-basic plugin, adds basic username/pwd login
  • Remove public access: use network.bind_host: localhost and script.disable_dynamic: true in the elasticsearch.yml config file from
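
As an added example (not from the original post or from Elasticsearch itself), a small POSIX shell helper that checks an elasticsearch.yml for the two settings in the list above and prints the iptables whitelist rules for the HTTP port. It assumes the default HTTP port 9200 and only prints the rules so they can be reviewed before being applied; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper: audit elasticsearch.yml for the bind_host and
# dynamic-scripting settings, and emit iptables whitelist rules for
# port 9200 (assumed default HTTP port). Rules are printed, not applied.

# Return 0 when the config binds only to loopback and disables dynamic
# scripting; otherwise print a warning per missing setting and return 1.
audit_es_config() {
    cfg="$1"; rc=0
    bind=$(sed -n 's/^[[:space:]]*network\.bind_host:[[:space:]]*//p' "$cfg" | tail -n1)
    case "$bind" in
        localhost|127.0.0.1|::1) ;;
        *) echo "WARN: network.bind_host is '${bind:-unset}' (not loopback)"; rc=1 ;;
    esac
    dyn=$(sed -n 's/^[[:space:]]*script\.disable_dynamic:[[:space:]]*//p' "$cfg" | tail -n1)
    case "$dyn" in
        true) ;;
        *) echo "WARN: script.disable_dynamic is '${dyn:-unset}' (should be true)"; rc=1 ;;
    esac
    return $rc
}

# Print iptables rules that accept TCP/9200 only from the listed IPs and
# drop everything else. Usage: es_whitelist_rules IP [IP...]
es_whitelist_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 9200 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 9200 -j DROP"
}
```

Run `audit_es_config /path/to/elasticsearch.yml` on the box; a non-zero exit means the instance is still listening publicly or still allows dynamic scripts.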

Elasticsearch provides a new feature for security that’s built into Elasticsearch, Shield, but I believe it’s only available to enterprise customers. Boo.