Administrators like to use Elasticsearch (What is Elasticsearch?) as a real-time data search and analysis tool. However, many administrators forget to secure these nodes.
With a simple search on Shodan, we can find the Elastic indices:
https://www.shodan.io/search?query=port:"9200" product:"Elastic"
Confidential information can be accessed through these addresses; the syntax to use is shown in the PoC section below.
Here are some basic recommendations for securing your nodes:
- Only allow direct access from known IP addresses (source to destination)
- Add authentication to the Elastic node (2FA all the way)
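As an added example (not part of the original post), here is a small Python audit script a defender can point at their own Elasticsearch hosts to see whether the HTTP port answers anonymously; the function names and the sample responses are constructed for this illustration, not taken from any real node.

```python
"""Defender-side audit: does an Elasticsearch node answer anonymously on 9200?"""
import json
import urllib.error
import urllib.request


def classify_es_response(status, body):
    """Verdict for a credential-less GET on the node's root endpoint ("/").

    An unauthenticated 200 carrying cluster metadata means anyone who can
    reach the port can read the indices; 401/403 means a security realm
    (or a reverse proxy in front of the node) is enforcing authentication.
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:                      # HTML or other non-JSON answer
        return "unknown"
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "exposed"
    return "unknown"


def probe_node(host, port=9200, scheme="http", timeout=5.0):
    """Fetch "/" without credentials and classify the answer."""
    url = f"{scheme}://{host}:{port}/"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx answers still carry a verdict
        status, body = err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return {"host": host, "verdict": "unreachable", "detail": str(err)}
    return {"host": host, "verdict": classify_es_response(status, body),
            "status": status}


# Constructed sample bodies (not captured from any real node) for offline use.
SAMPLE_OPEN_NODE = json.dumps({"name": "node-1", "cluster_name": "docker-cluster",
                               "version": {"number": "7.10.0"},
                               "tagline": "You Know, for Search"})
SAMPLE_PROXY_PAGE = "<html><body>nginx default page</body></html>"

if __name__ == "__main__":
    # Offline demonstration of the classifier; call probe_node() on your own hosts.
    print(classify_es_response(200, SAMPLE_OPEN_NODE))   # exposed
    print(classify_es_response(401, ""))                  # auth-required
    print(classify_es_response(200, SAMPLE_PROXY_PAGE))   # unknown
```

Run it from a host that should not have access to the cluster: an "exposed" verdict from there means the IP restriction or authentication recommended above is not in place.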
PoC
- Use this filter on Shodan to search for Elastic nodes: port:"9200" product:"Elastic"
- Check the Elastic connection: http://IP:9200
- Execute a search: http://IP:9200/_search?pretty
This node discloses some confidential information; we can use it to access all accounts.
Now we can use this information to access the Elastic backend.
After being contacted, the company has now secured its node.
For help securing Elasticsearch, watch the video at the link below:
https://www.elastic.co/elasticon/conf/2016/sf/securing-elasticsearch
Also see the Amazon Elasticsearch Service (Amazon ES) Developer Guide.