by JoKeru

Secure your ELK environment

So you've got your ELK setup - let's suppose you've installed all components (logstash and elasticsearch) on the same server.
Everything is looking great, but there is one "little" security problem: everybody can access it, and you don't want that :)

It's time to take action !

Secure the access to logstash-web service:
[cc lang='bash']
\$ iptables -A INPUT -i eth0 -p tcp --destination-port 9292 -j DROP

Secure the access to elasticsearch:
[cc lang='bash']
\$ iptables -A INPUT -i eth0 -p tcp --destination-port 9200 -j DROP
\$ iptables -A INPUT -i eth0 -p tcp --destination-port 9300 -j DROP

Secure the access to logstash elasticsearch node:
[cc lang='bash']
\$ iptables -A INPUT -i eth0 -p tcp --destination-port 9301 -j DROP

Change the way kibana requests the data from elasticsearch:
[cc lang='bash']
\$ sed -i 's/":9200",/"\/elasticsearch",/' /opt/logstash/vendor/kibana/config.js

And finally we're going to install a Reverse Proxy using Authentication for the logstash-web access:
[cc lang='bash']
\$ apt-get install apache2
\$ apt-get install libapache2-mod-proxy-html
\$ a2enmod proxy_http
\$ echo "ServerName "`hostname -s` > /etc/apache2/conf.d/fqdn

\$ cat \<\<'EOF' > /etc/apache2/conf.d/dashboard

ErrorLog \${APACHE_LOG_DIR}/dashboard.error.log
CustomLog \${APACHE_LOG_DIR}/dashboard.access.log common

AuthType Basic
AuthName "Private"
AuthUserFile /var/www/.htpasswd
Require valid-user

ProxyPass /elasticsearch/
ProxyPassReverse /elasticsearch/

ProxyPass /
ProxyPassReverse /

\$ htpasswd -c /var/www/.htpasswd admin
\$ /etc/init.d/apache2 restart
\$ apachectl -S