[Bug 902086] Review request: Elasticsearch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.redhat.com/show_bug.cgi?id=902086



--- Comment #125 from Jörg Prante <joergprante@xxxxxxxxx> ---
(In reply to Zbigniew Jędrzejewski-Szmek from comment #120)
> (In reply to jiri vanek from comment #116)
> > (In reply to Zbigniew Jędrzejewski-Szmek from comment #115)
> > > (In reply to jiri vanek from comment #100)
> > > > > Second question: elasticsearch listens on 0.0.0.0:9200 by default, accepting
> > > > > commands from the internet. 
> > > > > This has to be fixed. Maybe a default configuration to limit it to ::1
> > > > > should be added. I don't know what,
> > > > > but something has to be done.
> > > > 
> > > > Afaik no simple option here. The firewalld shopud do this job or any other
> > > > deployment tool like nginx  or similar...
> > > The problem is that Workstation product runs with firewall disabled. People
> > 
> > How come? Wasnt it vice versa until recently?
> You missed the big discussion on fedora-devel apparently. Short version is
> that Workstation working group proposed disabling the firewall, which FESCo
> rejected, so instead that made a firewall with all ports allowed, which
> FESCo approved, or at least declined to disapprove.
> 
> > > might install ES without realizing that it listens on the network by
> > > default. Even if it is documented somewhere. It is also very likely that ES
> > > will become a dependency of other packages. Having it default to accepting
> > > commands from the network seems like something that will bite our users.
> > > "Secure by default" is the general principle.
> > > 
> > Hmm. I agree. But currently  no idea. Crap.
> I think socket activation would be the best way to go. It would solve two
> problems: listening on public address, and startup synchronization.
> 
> When I wrote comment #c93, I didn't know that upstream is sympathetic to
> doing socket activation. It might not be trivial with Java, but this would
> be the perfect solution in the long run.

I am not familiar with the details of the discussion, but if you are about to
consider to modify Elasticsearch for restricting HTTP port 9200 to open on a
site-local network socket only, please see my patch

https://github.com/jprante/elasticsearch/commit/42392350850ae58b73f5a39939bc245f4faf2f44

This is for HTTP only and can block external requests by a default
configuration. Please note, it is only complete with a solution for
Elasticsearch node protocol port 9300, which is very similar.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review





[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]