Hi - I went over the following article on securing elasticsearch: http://www.elasticsearch.org/blog/scripting-security/
I have a question on the specific point below: 1*. Don’t run Elasticsearch open to the public* *Elasticsearch is not designed to be a public facing service, it’s intended to be used by your application via the API. By exposing Elasticsearch to the world you run the risk of denial-of-service attacks if a malicious user discovers your production Elasticsearch system. In addition, prior to the 1.2.x release an attacker can use dynamic scripting to perform arbitrary code execution on the machine that Elasticsearch is hosted on if Elasticsearch is open to the public.* *Because of this, it is highly recommended that Elasticsearch be run from behind a firewall, allowing only your development application or Kibana servers to communicate with it. You should block both port 9200 as well as port 9300 from all machines not part of your development environment.* Even if we secure the endpoint with SSL and Basic authentication using Jetty <https://github.com/sonian/elasticsearch-jetty>, is it still not fine to expose Elasticsearch? How different is this from any service that is publicly exposed? We have scenarios where we want to share Elasticsearch cluster b/w multiple teams and securing elasticsearch behind Jetty seems like the best option. Please advise. Regards, Pradeep -- You received this message because you are subscribed to the Google Groups "elasticsearch" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/9baa7ea2-cec0-4ea1-b31a-8b024e58f2ab%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
