Enable Elasticsearch security
/etc/elasticsearch/elasticsearch.ymlxpack.security.enabled: truesudo systemctl restart elasticsearchOn 8.x and 9.x this is already true — the finding is when it’s been set to
false. On 7.x it defaults to absent, which means off.
Why it matters
Section titled “Why it matters”With security disabled, Elasticsearch has no concept of a user. Every request to port 9200 is honoured in full: read every index, delete every index, read the cluster’s configuration, and — historically — run code. There is no password to guess because there is no password.
This is the setting that made Elasticsearch the most breached database on the
internet for years. A cluster with xpack.security.enabled: false reachable from
an untrusted network is not at risk of compromise; it is compromised the moment
someone connects.
The two situations
Section titled “The two situations”On 8.x and 9.x, someone turned it off. Auto-configuration enables security on
first start, so a modern cluster running insecure got that way deliberately. The
reason is almost always the same: a client failed to connect — usually because it
wasn’t sending credentials or wasn’t trusting the auto-generated certificate — and
xpack.security.enabled: false made the error stop.
That “fix” trades an authentication error for an open database. The real fix is to make the client authenticate and trust the certificate, which is built-in users and TLS — not turning the wall off.
On 7.x, it was never on. Elasticsearch 7.x ships with security disabled by
default. If nobody added xpack.security.enabled: true, the cluster is open, and
has been since it was installed. 7.x is also end of life, so the durable fix is to
enable security and plan the upgrade — an unsupported version accumulates
unpatched holes regardless of this setting.
Free since 2019
Section titled “Free since 2019”If the reason security is off is a belief that it costs money: it doesn’t, and hasn’t since 2019. Authentication, RBAC and TLS are in the free Basic tier from 6.8 / 7.1 onward. The only thing on this whole checklist that needs a paid subscription is audit logging.
Enabling it requires no license key and no registration.
Related
Section titled “Related”- Built-in users and passwords — the accounts this creates.
- Enable TLS — the other half of the auto-configuration.
- Elasticsearch exposed to the internet — what off means.