
I am learning to run Elasticsearch in a Docker container on a laptop. For a start, I expect to run it on localhost. The laptop is connected to the Internet.

Is that unsafe? I remember that ipython/jupyter notebooks also run on localhost. The Elastic docs confuse me:

Note that the above command starts the service with authentication and encryption disabled, which means that anyone who connects to the service will be given access... you should never run the service in this way in production, or in a computer that is directly connected to the Internet. - https://www.elastic.co/search-labs/tutorials/install-elasticsearch/docker

To try out Elasticsearch on your own machine, we recommend using Docker and running both Elasticsearch and Kibana... Starting in Elasticsearch 8.0, security is enabled by default. - https://www.elastic.co/guide/en/elasticsearch/reference/current/run-elasticsearch-locally.html

And a previous question seems related but is unclear to me. Or perhaps I am asking "How can I securely develop a local webapp at a coffee shop?"

Edit, re Sir Muffington's comment:

# docker-compose.yml
version: '3'
services:
  elasticsearch:
    build:
      context: .
      dockerfile: Dockerfile
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    container_name: elasticsearch
    ports:
      - "127.0.0.1:9200:9200"   # host IP given, so the port is published on the loopback interface only
Johan
  • A warm welcome to the community. It depends on whether you expose the ports. What docker command/docker-compose.yml are you trying to run? – Sir Muffington Jan 10 '24 at 20:49
  • The first message is telling you that there is no user authentication happening and you have something running on localhost. That means that an internet site could make a call to localhost via your browser and possibly execute a command or retrieve data. – browsermator Jan 10 '24 at 21:33
  • Many thanks to both of you. I added the content of an initial docker-compose.yml. @SirMuffington, the Docker docs say the ports argument/parameter exposes the specified ports. Is there any way around that, i.e. can I run Elasticsearch on localhost without exposing it? And what would that entail for my ability to later query the ES index, that is, to insert documents/data and to request them? – Johan Jan 11 '24 at 08:42
  • @pcalkins does that suggest that I reduce the risk of external calls to my localhost by not browsing the internet while playing around with this ES-docker stuff? – Johan Jan 11 '24 at 09:25
  • Ok, having read about the loopback IP address, as far as I understand, using that will not expose localhost externally. Feel free to answer something short like that and I will be sure to credit it. – Johan Jan 11 '24 at 09:52
  • @Johan. Yes... or at least be careful what sites you browse while that localhost server is running. Better to secure it with some kind of authentication, and be aware of CSRF and XSS attacks. CORS rules in the browser will already help quite a bit. – browsermator Jan 11 '24 at 17:30
  • @pcalkins thanks for explaining that. That ought to go into the accepted answer, really :-) – Johan Jan 11 '24 at 19:42

1 Answer

It seems that, according to the information provided, the Elasticsearch API is being exposed from port 9200 to port 9200 on the host and, depending on your hardware and software firewalls, WAFs etc., might or might not be exposed to the internet, which could potentially lead to RCE or similar exploits. That's why the warning is there.

Please take note that ufw and similar solutions apparently do not work with Docker, and this should also be taken into account.

An open port 9200 is required by Kibana, though (inside the cluster and NOT to the Internet!).

Sir Muffington
  • Hi Sir Muffington, I'll accept the answer. But please also comment on the loopback IP 127.0.0.1, aka localhost, since that is what helped me forward. I believe, if I understand correctly, that this string "127.0.0.1:9200:9200" is what makes the docker service not exposed to the Internet. Please correct me if I am wrong, but that is what I came to conclude upon reading your initial comment that 'it depends on whether the ports are exposed'. – Johan Jan 11 '24 at 19:40
  • @Johan try to port scan from outside (the internet), from the local net and on the host itself and you shall find out ;-) I think by default localhost should only expose to the LAN and not further, but I can't quite guarantee that, hence you should port scan to be sure. – Sir Muffington Jan 12 '24 at 18:50
  • If any other issues arise please let me know. – Sir Muffington Jan 12 '24 at 18:55
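The point the comments circle around (whether a published port binds to the loopback address or to every host interface, and that a service with no ports published is reachable only from other containers on the compose network) can be checked from the compose file itself. This is an added example, not code from the question, the answer, Elastic or Docker; it parses Docker's short and long `ports` syntax, and the compose data is constructed inline so it runs without PyYAML or a Docker daemon.

```python
"""Classify docker-compose 'ports' entries by the host interface they bind to.
Added example (not from the question, Elastic or Docker). Short syntax is
[HOST_IP:]HOST_PORT[-RANGE]:CONTAINER_PORT[-RANGE][/PROTOCOL]; with HOST_IP
omitted Docker publishes on every host interface (0.0.0.0)."""
from typing import Union

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_port(entry: Union[str, dict]) -> tuple:
    """Return (host_ip, host_port, container_port, protocol) for one entry."""
    if isinstance(entry, dict):  # long syntax: target/published/host_ip/protocol
        return (str(entry.get("host_ip", "0.0.0.0")), str(entry.get("published", "")),
                str(entry["target"]), entry.get("protocol", "tcp"))
    spec, _, proto = entry.partition("/")
    if spec.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:9200:9200
        host_ip, _, rest = spec[1:].partition("]:")
        parts = [host_ip] + rest.split(":")
    else:
        parts = spec.split(":")
    if len(parts) == 3:
        host_ip, host_port, container = parts
    elif len(parts) == 2:  # "9200:9200": host IP omitted -> all interfaces
        host_ip, host_port, container = "0.0.0.0", parts[0], parts[1]
    else:  # "9200": ephemeral host port on all interfaces
        host_ip, host_port, container = "0.0.0.0", "", parts[0]
    return host_ip, host_port, container, proto or "tcp"

def exposure(host_ip: str) -> str:
    """Loopback bind -> reachable from this machine only; anything else faces
    the LAN/Internet unless a firewall that governs Docker's rules blocks it."""
    return "host-only" if host_ip in LOOPBACK else "all-interfaces"

def audit(services: dict) -> dict:
    """Map service name -> [(container_port, exposure)]. A service with no
    'ports' key is reachable only from other containers on the compose network
    ('network-only'), which is all Kibana needs to reach Elasticsearch on 9200."""
    report = {}
    for name, svc in services.items():
        findings = [(p[2], exposure(p[0])) for p in map(parse_port, svc.get("ports") or [])]
        report[name] = findings or [("*", "network-only")]
    return report

# Constructed compose data (not the asker's exact file): a loopback-bound ES,
# Kibana published on all interfaces, and a second ES node never published.
SAMPLE = {
    "elasticsearch": {"ports": ["127.0.0.1:9200:9200", "[::1]:9300:9300/tcp"]},
    "kibana": {"ports": ["5601:5601"]},
    "es-node2": {},
}
```

This only reads the compose file; it does not replace the port scan from another machine suggested in the comments, since the host firewall and Docker's own iptables rules decide what is actually reachable.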