Elasticsearch X-Pack Basic Security is Off



Elasticsearch X-Pack Basic Security is Off

Opster Team

July 2020, Version: 1.7-7.9


Before you begin reading the explanation below, try running the free Elasticsearch Health Check-Up get actionable recommendations that can improve Elasticsearch performance and prevent serious incidents. Just 2 minutes to complete and you can check threadpools, memory, snapshots and many more.

What it means

The growing popularity of Elasticsearch has made both Elasticsearch and Kibana targets for hackers and ransomware, so it is important never to leave your Elasticsearch cluster unprotected.

From Elasticsearch Version 6.8 and onwards,  X Pack Basic License (free) includes security in the standard Elasticsearch version, while prior to that it was a paid for feature.

How to resolve it

Bear in mind that the following steps will inevitably require some cluster down time. If your cluster is already in production, it is advisable to carry out the following on a staging environment first to ensure that you familiarise yourself with all the steps involved before causing down-time in production.

Enable security

In elasticsearch.yml:

xpack.security.enabled:true

Do not restart your node yet, until you have followed the following steps.

Create and install TLS Certificates on all nodes

Note that the certificates must be inside your elasticsearch configuration directory, with permissions set to allow the elasticsearch user to read the files.

Optionally, you can use different certificates for transport and http, but usually it is sufficient to use the same certificates for both purposes.

It is usually preferable to use self-signed certificates with relatively long expiry dates rather than lets encrypt or similar, in order to avoid the complexities of restarting your nodes every time the certificates renew.  

You can create certificates for your nodes using the certutil tool available inside each elasticsearch node as described here: elasticsearch-certutil | Elasticsearch Reference [7.9]

Include TLS paths in your Elasticsearch config files

Modify elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/instance/instance.key
#xpack.security.transport.ssl.key_passphrase: mypassphrase
xpack.security.transport.ssl.certificate: certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/instance/instance.key
#xpack.security.http.ssl.key_passphrase: mypassphrase
xpack.security.http.ssl.certificate: certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]

Restart your nodes

Be prepared for some down time while you restart all your nodes. Even if you get your  configuration right first time, then there will be some down time while you restart all the nodes, set-up the passwords for the first time, and finally update all of your client applications with the new configurations.

Check your logs on the Elasticsearch nodes to pick up any configuration errors or permissions issues.

Set up passwords 

Run the following command from /usr/share/elasticsearch directory:

bin/elasticsearch-setup-passwords interactive

Implement HTTPS on all of your Elasticsearch client applications

Once you have implemented HTTPS on your cluster, you will have to update the configurations on all of your client applications.  Typically this will involve changing http to https, adding user and password and a path to the CA authority certificate that was used to sign your elasticsearch certificates installed on your cluster.

Protect your Elasticsearch and Kibana ports from unauthorised users

It is also recommended to restrict access to Elasticsearch and Kibana ports (9200-9300 and 5601) using your firewall. If this is not possible then consider using some sort of software protection to rate limit access to users with password failures eg. Fail2Ban.

Enabling security without TLS

If you have a single node cluster which listens on loopback interface (localhost) then you can enable security without setting up https. In that case all that is necessary is:

In elasticsearch.yml:

xpack.security.enabled:true

Run the following command from /usr/share/elasticsearch directory:

bin/elasticsearch-setup-passwords interactive

However note that this only provides a minimum deterrent, and does not provide production-grade security.





Improve ES Configuration

Try The Tool