On 04 June 2014, at 05:38, 'Adolfo Rodriguez' via elasticsearch wrote:

> here is some sample code on how to exploit the system for version <1.2.0, 
> port 9200 exposed to internet and flag setting script.disable_dynamic=false 
> as is by default 
> 
> http://bouk.co/blog/elasticsearch-rce/#how_to_secure_against_this_vulnerability


I've had a great deal of fun reading this. And I'm really concerned that in 
2014 people are still developing products like ES with absolutely no security 
features.
This blogger should have added a word of warning about running ES as 
root/admin. I'm pretty sure most developers are running ES with their admin 
account, or even with root. Use a dedicated user account for the ES process, 
with very limited permissions and powers. Always think about privilege 
separation before you install new software.
ES should really be quarantined. On FreeBSD, one can use a jail (very easy 
nowadays with ZFS and ezjail). I'm pretty sure similar things exist for Linux.
If you have the guts, go with SELinux. Requires some work, but it's rewarding 
and it has some pretty dam' cool things inside.

Patrick
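
An added example, not part of the original message: a small shell audit for the two weaknesses named in this thread, dynamic scripting left enabled and the ES process running as root. The function names, the flat `key: value` config form, the bootstrap package match, and all sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example; all sample data is constructed.

# Succeeds only if the config explicitly sets script.disable_dynamic: true.
# Assumes the flat "key: value" form; a missing key counts as a failure because,
# per the thread, versions before 1.2.0 ship with dynamic scripting enabled.
dynamic_scripting_disabled() {
    awk '
        /^[ \t]*#/ { next }                          # commented-out line
        /^[ \t]*script\.disable_dynamic[ \t]*:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)              # drop "key:"
            sub(/[ \t]*(#.*)?$/, "", v)              # drop trailing comment
            if (tolower(v) == "true") ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    ' "$1"
}

# Reads "USER PID ARGS..." lines on stdin (for instance from
# `ps -e -o user= -o pid= -o args=` on Linux) and prints the PID of each
# Elasticsearch JVM owned by root. Matching on the bootstrap package name
# in the command line is an assumption of this example.
es_pids_running_as_root() {
    awk '$1 == "root" && tolower($0) ~ /org\.elasticsearch\.bootstrap/ { print $2 }'
}

# $1 = path to elasticsearch.yml, stdin = process listing.
# Prints one line per finding and returns the number of findings.
audit() {
    findings=0
    dynamic_scripting_disabled "$1" ||
        { echo "FAIL: script.disable_dynamic is not true in $1"; findings=$((findings + 1)); }
    pids=$(es_pids_running_as_root | tr '\n' ' ')
    [ -z "$pids" ] ||
        { echo "FAIL: Elasticsearch runs as root, pid(s): $pids"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed input: the setting is only present as a comment, one JVM is root-owned.
demo() {
    cfg=$(mktemp)
    printf 'cluster.name: demo\n#script.disable_dynamic: true\n' > "$cfg"
    printf '%s\n' 'root 4242 java org.elasticsearch.bootstrap.Elasticsearch' \
                  'es 4310 java org.elasticsearch.bootstrap.Elasticsearch' | audit "$cfg"
    rc=$?; rm -f "$cfg"; return "$rc"
}

demo || echo "findings: $?"
```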
