elasticsearch index deleted

问题

I'm facing a serious problem with my elasticsearch server.

I'm using ES 1.7 on a symfony2 project with fosElasticaBundle.

The ES index has been deleted two times today, and I can't figure out why.

Here are the log I can read in my cluster.log:

[cluster.metadata] [server] [index] deleting index

[cluster.metadata] [server] [warning] deleting index

[cluster.metadata] [server] [please_read] creating index, cause [api], templates [], shards [5]/[1], mappings []

[cluster.metadata] [server] [please_read] update_mapping [info] (dynamic)

The thing is that my ES never faced such kind of issue in the past monthes while the website was on pre-prod.

Do you think this can comes from an attack ? Or an configuration error ?

回答1:

This is very likely coming from an attack. if you do a <Endpoint>/please_read/_search you will probably see a note like

     {
            "_index": "please_read",
            "_type": "info",
            "_id": "AVmZfnjEAQ_HIp2JODbw",
            "_score": 1.0,
            "_source": {
                "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
                "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
                "Email": "elasticsearch@mail2tor.com"
            }

You should try to make your elasticsearch cluster installation more secure to avoid such downfalls.

There have also been reports of attacks on open to internet databases like mongo/elasticsearch eg. http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/

回答2:

I concur with @dejavu013, this is most likely database ransomware, I would advise securing your elasticsearch with the free and opensource https://github.com/floragunncom/search-guard, or premium solutions like Elastic's Shield, now part of the Elastic X-Pack or Compose's Hosted Elasticsearch.

回答3:

many elasticsearch clusters was attacked in the last week:

http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/

this is how you can secure it:

http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

回答4:

This was indeed an attack as @dejavu013 said.

I started to secure my datas by allowing only localhost to access to my elasticseach datas.

To do so, I've edited my config file elasticseach.yml and added those two lines :

networt.host: 127.0.0.1
http.port: 9200

So only localhost can access to the datas and make requests.

来源：https://stackoverflow.com/questions/41639893/elasticsearch-index-deleted