Exposed Elasticsearch (Port 9200)
detect, harden, and verify closure

Cloud security group rule too broad

An AWS security group, Azure NSG, GCP firewall rule, or DigitalOcean rule opens TCP 9200 to 0.0.0.0/0 during a Terraform run, a Helm install, a migration, a debug session, a vendor handoff, or a log-pipeline recovery exercise. The rule is never narrowed, and a public Elasticsearch listener persists across image rebuilds, autoscaling events, cluster recovery, and account migrations.

Security plugin disabled

xpack.security.enabled is set to false in elasticsearch.yml (or plugins.security.disabled is set to true on OpenSearch) to make a development build start cleanly, the setting survives into production, and the cluster accepts every request without authentication. The legacy Shield plugin or older Search Guard is unconfigured. Anonymous access is permitted by default on cluster bring-up and never closed.

network.host bound to 0.0.0.0

network.host is set to 0.0.0.0, _site_, or an external interface name in elasticsearch.yml or as the network.host environment variable in a container image. The listener answers on every interface rather than the private cluster network. The discovery transport on 9300 inherits the same bind, exposing the inter-node protocol to anyone who can reach the host.

Outdated Elasticsearch or OpenSearch build

Long-lived virtual machines, frozen container images, vendor-distributed appliances, and home-grown installs run an engine release several years behind the upstream support window. End-of-life branches receive no security backports. The Log4j 2.x family (CVE-2021-44228, 45046, 45105, and 44832) still resolves to vulnerable jars across legacy 6.x and unpatched 7.x clusters. Historic remote code execution CVEs (CVE-2014-3120, CVE-2015-1427, CVE-2015-3337) and the Groovy and Painless sandbox escapes remain exploitable on aged builds.

Reverse proxy or Kibana exposes the cluster indirectly

Elasticsearch sits behind a Kibana, OpenSearch Dashboards, Grafana, or nginx reverse proxy that itself terminates on a public load balancer with no authentication, weak basic auth, an allowlisting rule that catches more callers than intended, or a path that forwards arbitrary REST queries upstream. The Elasticsearch listener stays bound to a private interface, but the proxy turns the cluster into a public endpoint anyway.

No TLS on REST or transport

xpack.security.transport.ssl.enabled and xpack.security.http.ssl.enabled are off (or the OpenSearch plugins.security.ssl.* equivalents). Cluster traffic between nodes and queries from clients travel as plaintext. A network attacker who reaches the same subnet, a misrouted VPC peering route, or a compromised side host reads queries, basic-auth headers, and document responses directly off the wire and replays a session.

Automated detection

• SecPortal's external scanner port-scan module probes TCP 9200, 9300, and 5601 across every verified domain and host in scope, identifies the responding service as Elasticsearch, OpenSearch, Kibana, or OpenSearch Dashboards through banner and HTTP response detection, and raises a critical-severity finding under the rule that search and database services should never be directly exposed to the internet.
• Continuous monitoring re-runs the external scan on a schedule, so a security-group edit, a Terraform apply, a cluster recovery, an autoscale event, or a recovered backup host that re-exposes 9200 reopens the finding rather than leaving the regression invisible until the next audit cycle.
• Bulk import accepts Nessus, Burp, and CSV output from network-tier scanners and from Shodan and Censys exports that already list exposed Elasticsearch and OpenSearch instances, so the catalogue stays centralised even when a third-party tool is the original discovery source.

Manual verification

• Use nmap -p 9200,9300,5601 with service detection (-sV) and the http-elasticsearch-head script against the external range to confirm the listener, then issue curl http://target:9200/ to read the cluster name, the engine version, the Lucene version, the tagline, and the build hash from the root response without sending a credential.
• Request /_cluster/health, /_cat/indices?v, /_cat/nodes?v, and /_security/user against each reachable listener. A 200 response without authentication on any of these paths is the definitive proof of an unauthenticated cluster.
• Cross-reference the Elasticsearch or OpenSearch version banner against the vendor security advisory page, the Apache Log4j 2 advisory feed, and the CISA Known Exploited Vulnerabilities catalogue to identify whether any unpatched CVE (Log4Shell, Groovy or Painless sandbox escape, snapshot path traversal, server-side request forgery in search) is present.
• Check Shodan and Censys for the organisation's netblocks and known hostnames to see whether external observatories already list exposed Elasticsearch instances and the banners they advertise, then reconcile that list against the verified-domain inventory inside the workspace.

Surface every Elasticsearch listener on one finding record

External scanning and bulk import land every exposed-Elasticsearch detection on the findings management record with CVSS, the discovered host, the captured banner, the engine version, the Lucene version, the scan timestamp, and the named owner so the catalogue is a single source of truth rather than a Shodan tab, a spreadsheet, and a Slack thread.

Inspect cluster configuration through authenticated scans

Where the team has authorisation, the authenticated scanning path reads the responding service in more detail and pairs the result with the per-host hardening record. Credentials for authenticated runs live in encrypted credential storage scoped to a verified domain so the same cluster secret is not copied across spreadsheets, chat threads, and pull-request bodies.

Run remediation as a tracked workflow

Each finding flows through the remediation tracking workflow with severity, target close date, named owner, and the agreed compensating control (for example, an inbound source allowlist while the PrivateLink endpoint is provisioned, or a temporary firewall rule while xpack.security is enabled and passwords are reset). Permanent exceptions enter the eight-field exception register with a named approver, a rationale, an effective period, and a renewal cadence.

Verify the fix with retest

Once the firewall rule, security-group edit, elasticsearch.yml change, plugin re-enable, host retirement, or migration to a managed service completes, the retesting workflow re-runs the external scan, confirms the listener is gone or that the responding service now requires authentication on a private interface, and stamps the closure with timestamped evidence rather than a verbal sign-off in a stand-up.

Catch regressions through continuous monitoring

Scheduled continuous monitoring re-scans of verified domains reopen the finding if Elasticsearch returns to the public internet, if the banner drops back to an end-of-life build, or if a new cloud account joins the estate with an open 9200. A Terraform apply, a cluster recovery, an autoscaler refresh, a Helm chart rollback, or a recovered snapshot does not silently reintroduce the exposure.

Pair with the broader exposure catalogue

Exposed Elasticsearch rarely shows up alone. The same host frequently exposes MongoDB, SSH misconfiguration, default credentials, or sensitive data exposure. Treating Elasticsearch exposure as one finding inside a host-level posture review keeps the queue ordered against real residual risk rather than chasing isolated ports one at a time.

Carry the audit trail through closure

The activity log records who opened, scoped, remediated, and verified each exposed-Elasticsearch finding, so the next ISO 27001, SOC 2, PCI DSS, HIPAA, or cyber-insurance review reads the operating evidence from the record rather than from reconstructed memory, archived ticket exports, or screenshots taken weeks after the fact. Where a breach-notification clock starts, the breach-notification workflow reads from the same record.

Communicate posture in leadership language

When search and observability exposure sits inside a broader programme review, the Claude-drafted AI report composes a leadership-ready narrative from the open and closed findings, the remediation cadence, and the linked compliance evidence. The same record drives security leadership reporting without rebuilding the slide deck by hand each quarter.

Self-hosted Elasticsearch on cloud VMs

EC2, Compute Engine, Azure VM, and DigitalOcean droplet deployments of community-edition Elasticsearch and OpenSearch make up the bulk of historic exposure events. Replace standing 0.0.0.0/0 security-group rules with private subnets, security-group source restrictions to application and observability tiers, and managed bastion access for human operators. Move long-lived production workloads onto Elastic Cloud, AWS OpenSearch Service, Azure Elastic, or another managed offering where the network boundary is built in and the security plugin is enabled by default.

Managed Elasticsearch with permissive access policy

Managed Elasticsearch and OpenSearch inherit the deployment defaults of whoever provisioned them. A 0.0.0.0/0 access policy on AWS OpenSearch Service, a project-wide superuser role granted by accident, an unrotated programmatic API key, an Elastic Cloud deployment with public endpoint enabled, or a peering route that reaches the wrong VPC creates the same exposure pattern as a self-hosted listener. Bind every cluster to PrivateLink, VPC peering, or a customer-managed VPC, enforce role-based access on indices, rotate programmatic API keys quarterly, and use the managed audit log as the source of truth for who connected when.

Containerised Elasticsearch in dev, test, and CI

Dockerised Elasticsearch instances inherit the official image defaults, environment-variable initialisation, and quickstart Compose files. A misrouted bridge network, a kubectl port-forward left running, an exposed service of type LoadBalancer, or an ingress-controller rule that catches more traffic than intended reopens 9200 quickly. Bake xpack.security.enabled true in the Helm chart, default to network.host 127.0.0.1 in dev compositions, and treat any LoadBalancer service for a search or logging cluster as a finding to triage.

Legacy Elasticsearch on aged builds

Long-lived virtual machines, vendor-distributed appliances, customer-managed instances at acquired companies, log-archive clusters that nobody currently owns, and home-grown installs run an Elasticsearch release several years behind the upstream support window. End-of-life branches receive no security backports. Track these hosts on the finding record with the build identifier, the Lucene version, the maintainer contact, and the upgrade path. Where the host cannot be upgraded immediately, isolate it behind a managed network access boundary and document the residual risk decision in the exception register.