Elastic server is publicly accessible, without authentication #287
Comments
|
Ah, I guess we've assumed API Umbrella is behind some other type of load balancer or firewall that would prevent access on non-HTTP/HTTPS ports, but that's probably not a good assumption to make. Thanks for bringing this to our attention. We'll look to get this fixed in the next release (although, it will probably be next week before we can get to it). What we'll probably do is bind elasticsearch to localhost-only (which Elasticsearch has also made the default behavior in v2). If you want to make that change now, you can do so with the following additions to your elasticsearch:
embedded_server_config:
network:
host: 127.0.0.1This will mean you'll have to tweak that setting if you need any other servers to access Elasticsearch directly. For a default API Umbrella installation, that would mean that the servers running the If you're calling Elasticsearch directly in the apinf dashboard, though, I'm not quite sure if there's a simple alternative. I think you'd need some sort of server-side layer in-between to deal with access control, which is what the analytics APIs that are part of the |
|
Ping @shaliko @frenchbread. Please read the above changes related to Elastic analytics, as it will probably affect our packaging and dashboard integration. |
|
@GUI we can start using the API Umbrella API to fetch analytics data. Are there endpoint(s) where we can get custom aggregations or filters, such as binning/filtering results by response time or status code? Is this something that the Kylin transition will help with? |
If you were running API Umbrella on an unprotected network without firewall rules in place, this could have allowed external access to these databases. Now if you're setting up a multi-server environment, then you must explicitly change these settings so that the servers are listening on a public interface (eg, 0.0.0.0 so cross-server communication can happen). By making this configuration explicit, it should hopefully ensure the appropriate firewall/network rules get put in place to protect these services in a multi-server environment (but a default single-server environment won't be open if running on an unprotected network). This also aligns with the newer defaults in Elasticsearch 2 (https://www.elastic.co/guide/en/elasticsearch/reference/current/breaking_20_network_changes.html) and MongoDB's default rpm/deb package installations (https://jira.mongodb.org/browse/SERVER-792). See #287
|
Sorry it took so long for us to get this out in a packaged release, but this has finally landed in v0.14.0. Thanks again for the report! This also affected our embedded Mongo instances, so if you can't upgrade immediately and you're on an unprotected network, you should probably check that setup. Here's a documentation page we've added covering network binds: https://api-umbrella.readthedocs.io/en/latest/server/multi-server.html#bind-address |
|
cc: @shaliko this might affect our packaging. |
|
@brylie thank for notice, will do few tests. |
As part of our integration with API Umbrella, we are making calls directly to the API Umbrella Elastic analytics server. The calls we make do not use authentication, meaning we can access the full analytics data for the server in an insecure manner (similarly for anyone else with the proper knowledge).
How can we secure the API Umbrella Elastic analytics server?
The text was updated successfully, but these errors were encountered: