Setting Up a Secured Elasticsearch

Ewere Diagboya
Published in MyCloudSeries
Jul 11, 2016


We live in a time where information and data are valued more highly than almost anything else. Data now fuels everything about our daily lives, both the data we consume and the data we create: a simple Facebook post, a one-hour YouTube video, a purchase on the Konga shopping mall, a subscription to a telecom VAS service. Companies need to collect all of this data to make sense of it and to provide better, more effective services to their customers and subscribers based on what has been collected.

How this data is analysed is not the main topic of this article. Instead it looks at one of the world's most popular tools for searching and analysing data, Elasticsearch. Elasticsearch is usually deployed as part of the ELK stack (Elasticsearch, Logstash and Kibana), and together these three tools are a powerful answer to the current data explosion. As data becomes more schema-less, tools like Elasticsearch are a must for storage and analysis. Elasticsearch stores its data as JSON documents; this document-oriented model is more flexible and easier to analyse than the older relational model of data storage.

Elasticsearch is a search engine based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. Elasticsearch is the most popular enterprise search engine followed by Apache Solr, also based on Lucene [“DB-Engines Ranking — popularity ranking of search engines”. db-engines.com. Retrieved 10 January 2016].

Elasticsearch is not secured by default: the open-source distribution ships without authentication, authorization or transport encryption, so anyone who can reach its HTTP port can talk to it. Data in Elasticsearch is read by sending HTTP GET requests, and every other operation (indexing documents, deleting indices, changing cluster settings) is just another HTTP request to the same endpoint. An unprotected endpoint is therefore exposed to data theft, tampering and deletion. With data being the gold mine of this century, it is pertinent that companies secure their data on Elasticsearch and restrict unauthorized access to it.

By default Elasticsearch listens for HTTP on port 9200 (and for node-to-node transport traffic on port 9300). Since version 2.0 a node binds to the loopback interface unless network.host is set, but the moment it is bound to a routable address anyone who can reach port 9200 can send HTTP requests to the server and get results back. There are ways this exposure can be minimized or eliminated.

There are five (5) different ways the Elasticsearch endpoint can be secured, and they are best combined rather than chosen between.

- Elasticsearch Shield
- Default Port Change
- Software Load Balancing
- API Gateway
- IP Tables/Firewall

Elasticsearch Shield: A basic search on Elasticsearch security brings this up as the first result. Shield is a commercial plugin from Elastic that adds authentication to the Elasticsearch endpoint (HTTP Basic Authentication on the REST API, with realms for LDAP and Active Directory as well), role-based authorization and SSL/TLS for both HTTP and transport traffic. With Shield installed, a request without valid credentials is rejected. Note that this is not a one-time login: HTTP Basic Authentication is stateless, so the client re-sends the Authorization header with every request it makes. Shield is not free; a license and subscription are required to use it fully, although a 30-day trial is available. (Shield was later folded into X-Pack, and from Elasticsearch 6.8 and 7.1 onwards the core security features, authentication, authorization and TLS, are included in the free default distribution.)

Check Here: https://www.elastic.co/products/shield
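To make the "every request carries credentials" point concrete, here is an added example (not from the article and not Elastic's code) of what HTTP Basic Authentication, the scheme Shield enforces on the REST endpoint, actually puts on the wire. The user name and password are constructed for this example; the hostname in the curl comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or from Elastic: what HTTP Basic Authentication
# (the scheme Shield enforces on the REST endpoint) actually puts on the wire.
# The credentials below are constructed for this example.

# Header a client attaches to EVERY request for a user/password pair.
basic_auth_header() {   # usage: basic_auth_header <user> <password>
  printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Reverse it, as anyone capturing plain-HTTP traffic could: Basic is encoding, not encryption.
basic_auth_decode() {   # usage: basic_auth_decode <base64 token>
  printf '%s' "$1" | base64 -d
}

hdr=$(basic_auth_header elastic changeme)
echo "$hdr"                                              # Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==
basic_auth_decode "${hdr#Authorization: Basic }"; echo   # elastic:changeme

# With Shield the same header must accompany each call; curl builds it from -u.
# It is readable by any on-path observer unless the endpoint is served over TLS:
#   curl -u elastic:changeme https://es.example.com:9200/_cluster/health
```

The decode step is the reason the SSL/TLS advice at the end of this article is not optional: without it, the credential Shield checks is visible to anyone who can see the traffic.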

Default Port Change: One of an attacker's first steps is to probe the default ports of well-known technologies. A response on port 9200 immediately tells the attacker that Elasticsearch is listening, and they will start sending queries to it. Changing the HTTP port of your Elasticsearch endpoint to something non-default, such as 5232, removes that easy win and cuts down the noise from automated scanners that only try 9200. It is set with the http.port setting in the elasticsearch.yml configuration file, which defaults to 9200 for HTTP requests (transport.tcp.port, transport.port in newer versions, defaults to 9300 for node-to-node traffic). Be clear about what this buys you: a full port scan (nmap -p-) will still find the service and identify it from the JSON banner a GET / returns, so this is obscurity, not access control, and it must be combined with the network and authentication controls below. The more important setting in the same file is network.host, which controls the interfaces Elasticsearch binds to; keep it on loopback (the default since 2.0) or a private address so the node is only reachable through a proxy or from an allowlisted network.

More information here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html
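An added example (not from the article or from Elastic) that shows the weak configuration beside the corrected one and audits both. It reads the top-level keys of an elasticsearch.yml with sed; the two config files, the cluster name and the port 5232 are constructed for the example. It assumes the 2.x/5.x setting names http.port and network.host.

```shell
#!/bin/sh
# Added example, not from the article or from Elastic: an audit of elasticsearch.yml
# that flags a node bound to a routable address, whatever port it uses. The two
# configs are constructed here to show the weak setting next to the corrected one.

# Effective value of a top-level key in elasticsearch.yml (last occurrence wins).
es_yml_get() {   # usage: es_yml_get <file> <key> <default>
  val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | tr -d '"\047' | tail -n 1)
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Returns 0 if the node is only reachable on the loopback interface, 1 if it is exposed.
es_config_audit() {   # usage: es_config_audit <file>
  host=$(es_yml_get "$1" network.host 127.0.0.1)   # loopback is the default since ES 2.0
  port=$(es_yml_get "$1" http.port 9200)
  case "$host" in
    127.0.0.1|localhost|_local_|::1)
      echo "ok:      $1 binds $host:$port (reachable only via a local proxy)"; return 0 ;;
    *)
      echo "EXPOSED: $1 binds $host:$port (a non-default port is still found by a scan)"; return 1 ;;
  esac
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/weak.yml" <<'EOF'
# constructed: "hidden" on port 5232 but listening on every interface
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 5232
EOF

cat > "$tmp/fixed.yml" <<'EOF'
# constructed: default port, but only the local reverse proxy / firewall can reach it
cluster.name: prod-logs
network.host: 127.0.0.1
http.port: 9200
EOF

es_config_audit "$tmp/weak.yml" || echo "         -> set network.host to a loopback or private address"
es_config_audit "$tmp/fixed.yml"
```

Run it against /etc/elasticsearch/elasticsearch.yml on each node; a node that reports EXPOSED needs the proxy or firewall controls below in front of it regardless of which port it uses.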

Software Load Balancing: A load balancer is a close relative of the reverse proxy and a good request handler. Apart from spreading traffic across servers, it can be used as a security control. Like the method above, you can expose Elasticsearch only through a separate entry point on the load balancer, which again keeps an attacker from knowing which port the Elasticsearch instance itself listens on. More importantly, direct connections to the backend servers (the Elasticsearch instances) are prevented: the nodes bind to a private address and firewall rules decide whether traffic may reach them, so every request has to pass through the proxy. That single entry point is where you add TLS termination, HTTP Basic Authentication, source-IP restrictions and a whitelist of the URL paths and HTTP methods clients are allowed to use. Load balancers such as HAProxy, Nginx or AWS load balancers can be used to implement this.

API Gateway: With the rise of web services on the internet, REST services especially, thanks to their ease of development, deployment and consumption, API gateway products now exist to block unauthorized access to REST services. An API gateway is language and operating system independent: the backend service could be written in Go and the gateway sits in front of it, accepting and validating requests before forwarding them to the backend. Gateways come with many features, security being one of the major ones: HTTP Basic Authentication, header and parameter validation, OAuth authorization and much more. Because Elasticsearch is accessed over HTTP, it fits this model too. Your Elasticsearch endpoint can be configured as the backend of an API gateway and all security controls implemented at the gateway. Rate limiting can also be set to allow only a certain number of API calls on the endpoint, and because the gateway is the only route in, every request passes through it before reaching Elasticsearch. Examples of API gateway products that can be used are Akana, Tyk, Kong and Amazon API Gateway.
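The load-balancer and API-gateway approaches above share one idea: a single entry point that authenticates, restricts sources and only forwards the requests you intend to allow. Here is an added example (not from the article and not from Nginx, Kong or any other product) of an nginx reverse proxy that does exactly that for Elasticsearch, written as a shell function so the listen port, backend address and allowed subnet can be filled in. The hostname search.example.com, the certificate paths, the app-logs index pattern and the 10.0.0.0/8 subnet are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article or from any product: an nginx reverse proxy that
# is the single entry point (and minimal API gateway) in front of Elasticsearch.
# Hostname, certificate paths, index pattern and subnet are assumptions for illustration.

# Emit the server block. usage: es_proxy_conf <listen port> <es host:port> <allowed CIDR>
es_proxy_conf() {
  cat <<EOF
upstream elasticsearch {
    server $2;                      # node bound to loopback, never reachable directly
}
server {
    listen $1 ssl;
    server_name search.example.com;                 # assumed
    ssl_certificate     /etc/nginx/tls/search.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/search.key;

    allow $3;                       # only the application subnet
    deny  all;

    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;

    # Read-only search on the application indices only (assumed index pattern).
    location ~ ^/app-logs-[0-9.]*\*?/_search\$ {
        limit_except GET POST { deny all; }
        proxy_pass http://elasticsearch;
        proxy_set_header Host \$host;
    }
    # _cluster, _cat, _shutdown, index creation and DELETE never reach the backend.
    location / { return 403; }
}
EOF
}

# One line for auth_basic_user_file (apr1 hash, which nginx accepts). The password is
# passed on stdin so it does not show up in the process list.
es_htpasswd_line() {   # usage: es_htpasswd_line <user> <password>
  printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -apr1 -stdin)"
}

es_proxy_conf 443 127.0.0.1:9200 10.0.0.0/8
# es_htpasswd_line app 'a long random secret' >> /etc/nginx/es.htpasswd
```

The path whitelist is what turns a plain proxy into something gateway-like: a leaked credential can still run searches against the application indices, but it cannot delete them, read other indices or touch the cluster APIs, because those paths are answered with 403 before anything is forwarded.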

IP Tables/Firewall: And at the operating system layer, the host firewall can be configured to block external access to the Elasticsearch port. Whether you keep the default port or change it, you can disable external access on the machine where Elasticsearch is installed, allowing only the load balancer, the other cluster nodes and a whitelist of trusted IP addresses to connect and dropping everything else. This restricts access at the operating-system level before a packet ever reaches Elasticsearch, and it is the one control in this list that also covers the transport port (9300), which none of the HTTP-level controls above protect.

Check this: www.cyberciti.biz/faq/iptables-block-port/ — Linux
http://www.thewindowsclub.com/block-open-port-windows-8-firewall — Windows
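An added example (not from the article) of the Linux side of this: iptables rules for an Elasticsearch node that accept the HTTP port only from the proxy host and the application subnet, the transport port only from the other cluster nodes, and drop everything else. The addresses are assumptions; the script prints the rules by default and only executes them when ES_FW_APPLY=1 is set, and it assumes the INPUT chain has no earlier blanket ACCEPT rule that would short-circuit these appended ones.

```shell
#!/bin/sh
# Added example, not from the article: host-firewall rules for an Elasticsearch node.
# Only the listed sources (the proxy/load balancer, the app subnet, the other cluster
# nodes) may reach the port; everything else is dropped. The CIDRs are assumptions.

# Print the iptables commands for one port. usage: es_firewall_rules <port> <cidr>...
es_firewall_rules() {
  port=$1; shift
  echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT"       # local reverse proxy
  for cidr in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"  # allowlisted source
  done
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"               # everyone else
}

# Dry-run by default; ES_FW_APPLY=1 executes the rules (needs root).
es_firewall_apply() {
  es_firewall_rules "$@" | while IFS= read -r rule; do
    if [ "${ES_FW_APPLY:-0}" = 1 ]; then eval "$rule"; else echo "dry-run: $rule"; fi
  done
}

es_firewall_apply 9200 10.0.1.5/32 10.0.2.0/24   # HTTP: proxy host + application subnet
es_firewall_apply 9300 10.0.3.0/24               # transport: the other cluster nodes only
```

The ESTABLISHED rule comes first so that connections already open (including your own SSH-tunnelled session to the node) keep working while the rules are being replaced; the final DROP is what makes the list an allowlist rather than a suggestion. On Windows the equivalent is an inbound rule in Windows Firewall scoped to the same remote addresses, which the second link above covers.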

Any of these controls can be extended for higher security, most importantly by enabling SSL/TLS so that data is encrypted in transit across the internet. This matters doubly for the authentication options above: HTTP Basic Authentication sends the username and password with every request, merely base64-encoded, which is as good as cleartext to anyone on the network path unless the connection is encrypted.

Have any more ideas? Please share them in the comments below.
