Elastic Search indexes get deleted frequently

Views: 102
This article describes how to deal with Elastic Search indexes being deleted frequently. It should be a useful reference for solving the problem; readers who need it can follow along below.

Problem description

I'm running Elasticsearch for a personal project on Google Cloud and I use it as a search index for my application. For the last 3 days, indexes have been getting deleted mysteriously. I have no clue why; I looked at all my code for any delete-index calls and also looked at the logs. I am still not able to figure it out. Any thoughts? How can I debug this?

[2020-07-24T00:00:27,451][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [users_index_2/veGpdqbNQA2ZcnrrlGIA_Q] deleting index
[2020-07-24T00:00:27,766][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [blobs_index_2/SiikUAE7Rb6gS3_UeIwElQ] deleting index
[2020-07-24T00:00:28,179][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [gk01juo8o3-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:28,776][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [28ds9nyf8x-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:29,328][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [hw2ktibxpl-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:29,929][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [va0pzk1hfi-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:30,461][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [ruwhw3jcx0-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:30,973][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [wx4gylb2jv-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:31,481][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [hbbmszdteo-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:31,993][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [1gi0x5277l-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:32,494][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [sotglodbi9-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:33,012][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [khvzsxctwr-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:33,550][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [hgrhythm3g-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:34,174][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [ejyucop7ag-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:34,715][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [n1bgkmqp8r-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:35,241][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [vsw49c4kpp-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:35,747][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [qrb5x89icr-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:36,261][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [pv8n84itx6-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:36,856][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [wnnwmylxvs-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:37,392][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [g5tw6w2tqb-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:37,889][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [u7tobv31o2-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:38,474][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [ufvizrnmez-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:38,946][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [0i9wszne7l-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T01:30:00,001][INFO ][o.e.x.m.MlDailyMaintenanceService] [node-1] triggering scheduled [ML] maintenance tasks
[2020-07-24T01:30:00,002][INFO ][o.e.x.m.a.TransportDeleteExpiredDataAction] [node-1] Deleting expired data
[2020-07-24T01:30:00,010][INFO ][o.e.x.m.a.TransportDeleteExpiredDataAction] [node-1] Completed deletion of expired ML data
[2020-07-24T01:30:00,011][INFO ][o.e.x.m.MlDailyMaintenanceService] [node-1] Successfully completed [ML] maintenance tasks
[2020-07-24T01:30:00,039][INFO ][o.e.x.s.SnapshotRetentionTask] [node-1] starting SLM retention snapshot cleanup task
[2020-07-24T01:37:43,817][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [.kibana] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []

Solution

It looks like you are getting hit by a meow attack.

Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation.

The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web.

From this tweet, you can see that you are experiencing the same behavior seen by these attacks:

From the logs in MongoDB you can see it drops databases first, then creates new ones with $randomstring-meow

Please ensure that you are not using a default username and password for your DB and that your configuration is set up to avoid public-facing interactions. If you need to give access to your DB, use an API with key based auth, and only the bare minimum capabilities allowed.

Edit #1: You can observe the attacked databases here on shodan.io.

Edit #2: Some more advice for protecting from this (and other) attacks (from HackerNews user contrarianmop):

Also, as a rule of thumb, never ever expose anything but ports 80 and 443 if hosting a webapp.

If you must expose services other than http/s, then be sure not to leak their versions, have them secured properly and always kept up to date. The user running such services should also be a non-privileged user, the daemon chrooted, and the OS should have appropriate process and filesystem permissions in place.

Edit #3: An interesting theory as to why the attacker used the term "meow" is because cats like to drop (or knock) items from tables.
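As an added example (not from the question or the answer), the following Python script flags the pattern the answer describes, real indexes being dropped and then replaced by random-name `-meow` indexes, in Elasticsearch server log lines of the shape shown in the question. The sample log is constructed from a handful of those lines; the regexes and the `detect_meow` heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Matches Elasticsearch server log lines of the shape shown in the question:
# [timestamp][LEVEL ][logger] [node] [index/uuid] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s*"
    r"\[(?P<node>[^\]]+)\]\s*\[(?P<index>[^\]/]+)(?:/[^\]]+)?\]\s*(?P<msg>.*)$"
)
# Meow-attack index names: a short random string followed by "-meow" (assumed shape).
MEOW_RE = re.compile(r"^[a-z0-9]+-meow$")

@dataclass
class IndexEvent:
    ts: str      # timestamp as logged; ISO-like, so lexical order is chronological
    index: str
    action: str  # "delete" or "create"

def parse_line(line):
    """Return an IndexEvent for index delete/create lines, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    if msg.startswith("deleting index"):
        return IndexEvent(m.group("ts"), m.group("index"), "delete")
    if msg.startswith("creating index"):
        return IndexEvent(m.group("ts"), m.group("index"), "create")
    return None

def detect_meow(lines):
    """Flag the drop-then-create-'<random>-meow' pattern described in the answer."""
    events = [e for e in map(parse_line, lines) if e is not None]
    deleted = [e.index for e in events if e.action == "delete"]
    meow = [e for e in events if e.action == "create" and MEOW_RE.match(e.index)]
    first_delete = min((e.ts for e in events if e.action == "delete"), default=None)
    # Signature: at least one deletion followed by creation of a "-meow" index.
    suspected = first_delete is not None and any(e.ts > first_delete for e in meow)
    return {"deleted": deleted, "meow_indices": [e.index for e in meow], "suspected": suspected}

# Constructed sample modelled on the log lines in the question (not the full log).
SAMPLE_LOG = """\
[2020-07-24T00:00:27,451][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [users_index_2/veGpdqbNQA2ZcnrrlGIA_Q] deleting index
[2020-07-24T00:00:28,179][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [gk01juo8o3-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T00:00:28,776][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [28ds9nyf8x-meow] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2020-07-24T01:30:00,001][INFO ][o.e.x.m.MlDailyMaintenanceService] [node-1] triggering scheduled [ML] maintenance tasks
[2020-07-24T01:37:43,817][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [.kibana] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
"""
```

Running `detect_meow(SAMPLE_LOG.splitlines())` reports the dropped index and the two `-meow` creations, while the ML maintenance and `.kibana` lines are ignored as routine.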

That concludes this article on Elastic Search indexes being deleted frequently. We hope the answer we recommended helps, and we hope you will continue to support IT屋!
