CrowdDotDev / crowd.dev

⚡️ The developer data platform to centralize community, product, and customer data
https://crowd.dev

Exposed Elasticsearch instance #2517

Open zecar opened 1 month ago

zecar commented 1 month ago

crowd.dev edition

Community (self hosted)

Version

No response

Link

No response

Describe the problem

We've got a warning from the Federal Office for Information Security that an instance of Elasticsearch is running unprotected and is reachable via the internet.

I tried to search through the code and found "elasticmq". So I used iptables to block port 9324.

A few days later the server was taken down because the instance was still reachable.

Can you provide some info about securing the self hosted version? Or at least some direction towards securing the elastic instance?

Describe the improvement

Improved docs about the self-hosted version.

Additional context

No response

joanagmaia commented 1 month ago

Hey @zecar 👋

Everything in our scaffold.yaml is exposed to the internet, including all services with REST APIs. As a host, you need to manage the firewall yourself.

Regarding your concern, ElasticMQ is our SQS alternative for local development/self-hosting, and we use OpenSearch instead of Elasticsearch. You should protect OpenSearch by checking the scaffold.yaml file in our scripts and blocking all listed ports from internet access: https://github.com/CrowdDotDev/crowd.dev/blob/main/scripts/scaffold.yaml.

We don't provide a firewall solution, and neither do other open-source projects. OpenSearch is based on Elasticsearch, using the same ports and clients, which might explain the detection confusion.

If you run docker ps, you'll be able to see all the exposed ports.
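An added example (not part of this thread or of the crowd.dev project) of the two steps above: list the ports Docker publishes on a wildcard address and turn them into firewall rules. It assumes Docker's default iptables integration (the DOCKER-USER chain exists) and an internet-facing interface named eth0; the docker ps output is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Names and ports are illustrative: OpenSearch on 9200 and ElasticMQ on 9324
# are the services the issue discusses; postgres is bound to loopback only.
SAMPLE_PS=$(
  printf 'opensearch\t0.0.0.0:9200->9200/tcp, :::9200->9200/tcp\n'
  printf 'elasticmq\t0.0.0.0:9324->9324/tcp, :::9324->9324/tcp\n'
  printf 'postgres\t127.0.0.1:5432->5432/tcp\n'
)

# Print "name host_port proto" for each port published on a wildcard address
# (0.0.0.0 or ::), i.e. reachable from the internet if the host is.
# Loopback-bound mappings such as 127.0.0.1:5432 are skipped.
public_ports() {
  printf '%s\n' "$1" | awk -F'\t' '{
    n = split($2, maps, ", ")
    for (i = 1; i <= n; i++) {
      split(maps[i], sides, "->")          # "0.0.0.0:9200" / "9200/tcp"
      host = sides[1]; sub(/:[0-9]+$/, "", host)
      port = sides[1]; sub(/^.*:/, "", port)
      proto = sides[2]; sub(/^.*\//, "", proto)
      if (host == "0.0.0.0" || host == "::") print $1, port, proto
    }
  }' | sort -u
}

# Emit (not apply) iptables rules for Docker's DOCKER-USER chain. Rules in the
# plain INPUT chain, as tried in the issue, never see traffic that Docker
# forwards into a container; DOCKER-USER is consulted before Docker's own
# FORWARD rules. The packet is already DNATed there, so the original host port
# is matched with conntrack's --ctorigdstport rather than --dport.
# $1 is the internet-facing interface (assumed name, e.g. eth0).
docker_user_rules() {
  ext_if=$1
  public_ports "$2" | while read -r name port proto; do
    printf 'iptables -I DOCKER-USER -i %s -p %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP  # %s\n' \
      "$ext_if" "$proto" "$port" "$name"
  done
}

# On a real host: docker_user_rules eth0 "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
public_ports "$SAMPLE_PS"
docker_user_rules eth0 "$SAMPLE_PS"
```

Review the printed rules before applying them, and keep the ports your own clients need (e.g. the web app) reachable through a rule that precedes the DROPs.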