
The naked cloud: elasticsearch is stretch but doesn’t cover security
Similar to the previous post, there are a lot of infrastructural components that support today’s modern fancy application stacks. One of them, Elasticsearch, is the example used in this post. It’s a simple schema-less database that allows you to scale in and out, drop stuff in, and query later. Add a blob and some keys and away you go, unpestered by things like security or scale or failure modes.

So, once again, using everyone’s favourite search engine Shodan.io, let’s snoop around on information which is already public. We find http://111.231.223.122:9200/, used by Tencent cloud computing. It has 36GB indexed in its 3 nodes. If we look at its API, we see that it (thinks it) is using all private IP (RFC 1918) space.

$ curl http://111.231.223.122:9200/_nodes/_local | python -mjson.tool
...

"host": "10.244.2.0",
"http": {
"bound_address": [
"0.0.0.0:9200"
],
"max_content_length_in_bytes": 104857600,
"publish_address": "10.244.2.0:9200"
},

So the cognitive gap here is “it’s a private IP, why should I need access control, firewall, passwords?” Well, cuz ‘floating IP’. You see, an IP is not in and of itself a trustworthy indication of who someone is or where they come from. In this case, they are running Elasticsearch on Kubernetes. Kubernetes has assigned private IPs internally, but an Ingress controller (a load balancer of some sort) has a public IP and reaches the internals from it.
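As an added example (not from the post), here is a small audit you can run over the `_nodes/_local` response of your own cluster to catch exactly this gap: a wildcard HTTP bind, an RFC 1918 publish address that is mistaken for protection, and no explicitly enabled authentication. The embedded sample is constructed; its `http` block mirrors the values quoted above, and the node id, node name and cluster name are made up.

```python
import ipaddress
import json

# Constructed sample shaped like a _nodes/_local response; the http block copies
# the post's values, everything else (ids, names) is made up for illustration.
SAMPLE_NODES_RESPONSE = json.loads("""
{
  "_nodes": {"total": 1, "successful": 1, "failed": 0},
  "cluster_name": "example-cluster",
  "nodes": {
    "abc123": {
      "name": "node-1",
      "host": "10.244.2.0",
      "http": {
        "bound_address": ["0.0.0.0:9200"],
        "max_content_length_in_bytes": 104857600,
        "publish_address": "10.244.2.0:9200"
      },
      "settings": {}
    }
  }
}
""")

WILDCARD_BINDS = {"0.0.0.0", "::"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _host_part(addr: str) -> str:
    """'10.244.2.0:9200' -> '10.244.2.0', '[::]:9200' -> '::'."""
    return addr.rsplit(":", 1)[0].strip("[]")


def audit_nodes(nodes_response: dict) -> list:
    """Return one finding string per risky setting seen in a _nodes response."""
    findings = []
    for node_id, node in nodes_response.get("nodes", {}).items():
        name = node.get("name", node_id)
        http = node.get("http", {})
        for bound in http.get("bound_address", []):
            if _host_part(bound) in WILDCARD_BINDS:
                findings.append(f"{name}: HTTP bound to all interfaces ({bound})")
        try:
            publish = ipaddress.ip_address(_host_part(http.get("publish_address", "")))
            if any(publish in net for net in RFC1918):
                findings.append(f"{name}: publish_address {publish} is RFC 1918; "
                                "that says nothing about reachability via an ingress")
        except ValueError:
            pass  # empty or unparsable address, nothing to judge
        # Settings show up here only when set in elasticsearch.yml; anything other
        # than an explicit "true" is treated as unauthenticated (assumption).
        sec = node.get("settings", {}).get("xpack", {}).get("security", {}).get("enabled")
        if str(sec).lower() != "true":
            findings.append(f"{name}: xpack.security.enabled is not explicitly true")
    return findings
```

Run it against `curl -s http://localhost:9200/_nodes/_local` piped into `json.load`; an empty list is what you want to see.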

Does this machine accept adding new data:

curl -H "Content-Type: application/json" \
  -XPUT 'http://111.231.223.122:9200/blog/user/dilbert' \
  -d '{ "name" : "Dilbert Brown" }'
{"_index":"blog",
 "_type":"user",
 "_id":"dilbert",
 "_version":2,
 "result":"updated",
 "_shards": {
  "total":2,
  "successful":2,
  "failed":0},
 "_seq_no":1,
 "_primary_term":1}

Does it allow querying?

curl -XGET 'http://111.231.223.122:9200/blog/user/dilbert?pretty=true'
{
 "_index" : "blog",
 "_type" : "user",
 "_id" : "dilbert",
 "_version" : 2,
 "found" : true,
 "_source" : {
  "name" : "Dilbert Brown"
  }
}

Yes, which means it allows querying all 36GB of its information. You could even join the cluster if you wanted.

So it seems that not only is our top-level naked (from the earlier post), but our middleware is naked too. It seems the cloud is a sort of nudist resort.

And, funny story, you see, I was going to find a picture to spice this article up. But all the ‘naked elastic middle’ image searches are a bit off-colour. But then I found that there is a Naturist (Nudist) park in Ontario that accepts Bitcoin. So thus the image above.