Elasticsearch credentials not needed to log in to server, so anyone can access

Keywords: Elasticsearch - Google Cloud Platform - Technical issue - Credentials
I have two virtual machines both running Elasticsearch. The first runs 6.3.1-0 and in the “Application Info” panel has “Credentials” (username and password) needed to connect to Elasticsearch. Without those I can’t connect (which is as it should be).

The second runs version 7.9.1-0, and also has a panel labelled “Credentials”, but I don’t need these to connect to the server. Hence it is open to anyone and can (and has) been hit by “meow” attacks.

I’m puzzled by this change in behaviour, and why the credentials Bitnami shows are not actually needed. Why make the server instantly vulnerable to a well known attack?

Hello @rdmpage,

Elasticsearch is not remotely accessible by default, as you can see in our documentation:

Previous versions included an Apache webserver with basic authentication. In order to add Apache basic authentication, you could follow this guide:

I hope it helps

1 Like

@davidg Thanks for the speedy response, I think this is what threw me, the disappearance of the basic authentication that existed in earlier releases. Hence the panel labelled “Credentials” now no longer applies (i.e, the username and password are meaningless). I should have realised this when I discovered I could talk directly to Elasticsearch on port 9200 without entering a username and password, but as it stands it’s a little misleading to still show a Credentials panel.

Anyway, I followed the instructions in the link to add Apache to my virtual machine, closed access to port 9200 in the Google Console, opened port 80, and now everything works.

Thanks for your help!

Hi @rdmpage,

Thanks for your feedback. I will sync with the team in case we can make it clearer.

I’m glad you managed it to work.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.