Overview
The growing popularity of Elasticsearch has made both Elasticsearch and Kibana targets for hackers and ransomware, so it is important never to leave your Elasticsearch cluster unprotected.
From Elasticsearch version 6.8 onwards, the X-Pack Basic license (free) includes security in the standard Elasticsearch distribution; before that it was a paid-for feature.
How to resolve it
Bear in mind that the following steps will inevitably require some cluster downtime. If your cluster is already in production, it is advisable to carry out the following on a staging environment first, so that you are familiar with all the steps involved before causing downtime in production.
Enable security
In elasticsearch.yml:
xpack.security.enabled: true
Do not restart your nodes yet; complete the following steps first.
Create and install TLS certificates on all nodes
Note that the certificates must be inside your Elasticsearch configuration directory, with permissions set so that the elasticsearch user can read the files.
Optionally, you can use different certificates for transport and HTTP, but usually the same certificates suffice for both purposes.
It is usually preferable to use self-signed certificates with relatively long expiry dates rather than Let's Encrypt or similar, in order to avoid the complexities of restarting your nodes every time the certificates renew.
You can create certificates for your nodes using the elasticsearch-certutil tool shipped with each Elasticsearch node, as described here: elasticsearch-certutil | Elasticsearch Reference [7.9]
Include TLS paths in your Elasticsearch config files
Modify elasticsearch.yml:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/instance/instance.key
#xpack.security.transport.ssl.key_passphrase: mypassphrase
xpack.security.transport.ssl.certificate: certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/instance/instance.key
#xpack.security.http.ssl.key_passphrase: mypassphrase
xpack.security.http.ssl.certificate: certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]
Restart your nodes
Be prepared for some downtime while you restart all your nodes. Even if you get your configuration right the first time, there will be some downtime while you restart all the nodes, set up the passwords for the first time, and finally update all of your client applications with the new configuration.
Check your logs on the Elasticsearch nodes to pick up any configuration errors or permissions issues.
Set up passwords
Run the following command from the /usr/share/elasticsearch directory:
bin/elasticsearch-setup-passwords interactive
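Before restarting nodes, it is worth checking that elasticsearch.yml and the certificate files actually satisfy the requirements above (security and TLS enabled for both transport and HTTP, certificate paths inside the config directory, files present and readable, private key not world-readable). The following is an added example written for this guide, not code from Elastic or from this page; it uses a small parser for the flat "key: value" style shown above and constructed placeholder certificate files, so it runs offline. One check it performs is that a line written as xpack.security.enabled:true (no space after the colon) is reported, because YAML reads that as a single string rather than a setting.

```python
import os
import stat
import tempfile
from pathlib import Path

# Settings the guide requires to be true for a TLS-secured cluster.
REQUIRED_TRUE = (
    "xpack.security.enabled",
    "xpack.security.transport.ssl.enabled",
    "xpack.security.http.ssl.enabled",
)
# Settings that point at files which must live inside the config directory.
FILE_SETTINGS = (
    "xpack.security.transport.ssl.key",
    "xpack.security.transport.ssl.certificate",
    "xpack.security.transport.ssl.certificate_authorities",
    "xpack.security.http.ssl.key",
    "xpack.security.http.ssl.certificate",
    "xpack.security.http.ssl.certificate_authorities",
)
KEY_SETTINGS = ("xpack.security.transport.ssl.key", "xpack.security.http.ssl.key")

# Constructed elasticsearch.yml mirroring the settings block in the guide.
EXAMPLE_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/instance/instance.key
#xpack.security.transport.ssl.key_passphrase: mypassphrase
xpack.security.transport.ssl.certificate: certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/instance/instance.key
xpack.security.http.ssl.certificate: certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]
"""


def parse_flat_yaml(text):
    """Parse the flat one-setting-per-line 'dotted.key: value' form (no nesting).

    Returns (settings, problems). A line without ': ' (e.g. 'key:true') is a
    single YAML scalar, not a key/value pair, so it is reported as a problem.
    """
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments such as the key_passphrase line
        if not line:
            continue
        if ": " not in line:
            problems.append(f"line {lineno}: '{raw.strip()}' is not a 'key: value' pair (missing space after ':')")
            continue
        key, value = line.split(": ", 1)
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):  # simple inline list, e.g. [ "certs/ca.crt" ]
            settings[key.strip()] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key.strip()] = value.strip("\"'")
    return settings, problems


def check_security_config(config_dir):
    """Return a list of findings for config_dir/elasticsearch.yml; an empty list means OK."""
    config_dir = Path(config_dir).resolve()
    settings, findings = parse_flat_yaml((config_dir / "elasticsearch.yml").read_text())
    for key in REQUIRED_TRUE:
        if str(settings.get(key, "")).lower() != "true":
            findings.append(f"{key} is not set to true")
    for key in FILE_SETTINGS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is missing")
            continue
        for rel in (value if isinstance(value, list) else [value]):
            path = (config_dir / rel).resolve()
            if config_dir not in path.parents:  # the guide requires files inside the config directory
                findings.append(f"{key}: {rel} is outside the config directory")
                continue
            if not path.is_file():
                findings.append(f"{key}: {rel} does not exist")
                continue
            if not os.access(path, os.R_OK):
                findings.append(f"{key}: {rel} is not readable by this user")
            if key in KEY_SETTINGS and path.stat().st_mode & stat.S_IROTH:
                findings.append(f"{key}: {rel} is world-readable")
    return findings


def make_example_config_dir(root, config_text=EXAMPLE_CONFIG, key_mode=0o600):
    """Write a constructed config directory with placeholder (not real) certificate files."""
    root = Path(root)
    (root / "certs" / "instance").mkdir(parents=True, exist_ok=True)
    (root / "elasticsearch.yml").write_text(config_text)
    (root / "certs" / "ca.crt").write_text("PLACEHOLDER CA\n")
    (root / "certs" / "instance" / "instance.crt").write_text("PLACEHOLDER CERT\n")
    key = root / "certs" / "instance" / "instance.key"
    key.write_text("PLACEHOLDER KEY\n")
    key.chmod(key_mode)
    return root


def demo():
    """Run the checker over three constructed config directories; returns findings per case."""
    cases = {
        "good": {},
        "world_readable_key": {"key_mode": 0o644},
        "missing_space": {"config_text": "xpack.security.enabled:true\n"},
    }
    results = {}
    for name, kwargs in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[name] = check_security_config(make_example_config_dir(tmp, **kwargs))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["OK"])
```

Run it against a real node by calling check_security_config("/etc/elasticsearch") as the elasticsearch user; the readability check is only meaningful when run as the user that will start the node.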
Implement HTTPS on all of your Elasticsearch client applications
Once you have implemented HTTPS on your cluster, you will have to update the configuration of all of your client applications. Typically this involves changing http to https, adding a username and password, and adding the path to the CA certificate that was used to sign the Elasticsearch certificates installed on your cluster.
Protect your Elasticsearch and Kibana ports from unauthorised users
It is also recommended to restrict access to the Elasticsearch and Kibana ports (9200-9300 and 5601) using your firewall. If this is not possible, consider using some sort of software protection to rate limit access from sources with repeated password failures, e.g. Fail2Ban.
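The Fail2Ban-style protection mentioned above amounts to counting authentication failures per source address within a time window and handing repeat offenders to the firewall. The following is an added example written for this guide, not code from Elastic, Fail2Ban or this page. It assumes the cluster emits one JSON event per authentication attempt with the field names shown in the constructed sample lines (these names are an assumption; adapt parse_event to whatever your node actually logs). The sliding window means old failures fall out of the count, which the sample demonstrates with a failure an hour earlier that is not counted.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log output). Field names are assumed for
# this example: "@timestamp", "event.action", "origin.address" (ip:port),
# "user.name" and "url.path".
SAMPLE_EVENTS = [
    '{"@timestamp":"2020-10-01T09:00:00+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:50100","user.name":"elastic","url.path":"/"}',
    '{"@timestamp":"2020-10-01T10:00:00+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51200","user.name":"elastic","url.path":"/_cluster/health"}',
    '{"@timestamp":"2020-10-01T10:00:05+00:00","event.action":"authentication_failed","origin.address":"198.51.100.7:40001","user.name":"kibana","url.path":"/_security/_authenticate"}',
    '{"@timestamp":"2020-10-01T10:00:10+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51201","user.name":"elastic","url.path":"/_cluster/health"}',
    '{"@timestamp":"2020-10-01T10:00:15+00:00","event.action":"authentication_failed","origin.address":"198.51.100.7:40002","user.name":"kibana","url.path":"/_security/_authenticate"}',
    '{"@timestamp":"2020-10-01T10:00:20+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51202","user.name":"admin","url.path":"/_cluster/health"}',
    '{"@timestamp":"2020-10-01T10:00:25+00:00","event.action":"authentication_success","origin.address":"198.51.100.7:40003","user.name":"kibana","url.path":"/_security/_authenticate"}',
    '{"@timestamp":"2020-10-01T10:00:30+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51203","user.name":"root","url.path":"/_cluster/health"}',
    'this line is not JSON and must be skipped',
    '{"@timestamp":"2020-10-01T10:00:40+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51204","user.name":"elastic","url.path":"/_cluster/health"}',
    '{"@timestamp":"2020-10-01T10:00:50+00:00","event.action":"authentication_failed","origin.address":"203.0.113.10:51205","user.name":"elastic","url.path":"/_cluster/health"}',
]


def parse_event(line):
    """Return (timestamp, source_ip) for an authentication failure, or None for anything else."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if event.get("event.action") != "authentication_failed":
        return None
    try:
        ts = datetime.fromisoformat(event["@timestamp"])
        ip = event["origin.address"].rsplit(":", 1)[0]  # strip the port; keeps "[::1]" for IPv6
    except (KeyError, ValueError):
        return None
    return ts, ip


def find_brute_force_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: iso_timestamp} for sources reaching `threshold` failures within `window`.

    The timestamp is the moment the threshold was first reached, i.e. when a
    ban action would fire. Failures older than `window` are evicted from the
    per-source queue, so a slow trickle of failures does not accumulate.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, ip = parsed
        queue = recent[ip]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def detect_from_sample():
    """Run the detector over the constructed sample; expected to flag only 203.0.113.10."""
    return find_brute_force_sources(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, when in detect_from_sample().items():
        print(f"{ip} reached the failure threshold at {when}; candidate for a firewall block")
```

In practice you would tail the node's log file, pass its lines to find_brute_force_sources, and feed the flagged addresses to your firewall or to a Fail2Ban action with a finite ban time; 198.51.100.7 in the sample (two failures, then a success) is the normal mistyped-password case and is correctly left alone.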
Enabling security without TLS
If you have a single-node cluster that listens only on the loopback interface (localhost), you can enable security without setting up HTTPS. In that case all that is necessary is:
In elasticsearch.yml:
xpack.security.enabled: true
Run the following command from the /usr/share/elasticsearch directory:
bin/elasticsearch-setup-passwords interactive
However, note that this provides only a minimal deterrent, not production-grade security.