[Bug 902086] Review request: Elasticsearch

bugzilla at redhat.com
Thu Feb 19 15:07:30 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=902086



--- Comment #125 from Jörg Prante <joergprante at gmail.com> ---
(In reply to Zbigniew Jędrzejewski-Szmek from comment #120)
> (In reply to jiri vanek from comment #116)
> > (In reply to Zbigniew Jędrzejewski-Szmek from comment #115)
> > > (In reply to jiri vanek from comment #100)
> > > > > Second question: elasticsearch listens on 0.0.0.0:9200 by default, accepting
> > > > > commands from the internet. 
> > > > > This has to be fixed. Maybe a default configuration to limit it to ::1
> > > > > should be added. I don't know what,
> > > > > but something has to be done.
> > > > 
> > > > Afaik no simple option here. The firewalld should do this job or any other
> > > > deployment tool like nginx or similar...
> > > The problem is that Workstation product runs with firewall disabled. People
> > 
> > How come? Wasn't it vice versa until recently?
> You missed the big discussion on fedora-devel apparently. Short version is
> that the Workstation working group proposed disabling the firewall, which FESCo
> rejected, so instead they made a firewall with all ports allowed, which
> FESCo approved, or at least declined to disapprove.
> 
> > > might install ES without realizing that it listens on the network by
> > > default. Even if it is documented somewhere. It is also very likely that ES
> > > will become a dependency of other packages. Having it default to accepting
> > > commands from the network seems like something that will bite our users.
> > > "Secure by default" is the general principle.
> > > 
> > Hmm. I agree. But currently no idea. Crap.
> I think socket activation would be the best way to go. It would solve two
> problems: listening on public address, and startup synchronization.
> 
> When I wrote comment #c93, I didn't know that upstream is sympathetic to
> doing socket activation. It might not be trivial with Java, but this would
> be the perfect solution in the long run.

I am not familiar with the details of the discussion, but if you are about to
consider modifying Elasticsearch to restrict HTTP port 9200 to opening on a
site-local network socket only, please see my patch

https://github.com/jprante/elasticsearch/commit/42392350850ae58b73f5a39939bc245f4faf2f44

This is for HTTP only and can block external requests by a default
configuration. Please note, it is only complete with a solution for
Elasticsearch node protocol port 9300, which is very similar.
