Protecting Graylog from Data Ransom Attacks

January 23, 2017

As you may have read, there are currently ongoing data ransom attacks against misconfigured databases such as MongoDB and Elasticsearch. These attacks do not exploit a security issue in the tools themselves: the attackers simply search for instances that are not password protected and are reachable from the internet.

We have seen multiple Graylog setups that were affected by these attacks and wanted to provide a reminder about a few things to check in your configuration. In particular, the Graylog virtual machine image ships with very open default settings and is not meant to run in an environment that is reachable from outside your network, let alone from the internet.


Make sure that MongoDB has user authentication set up. The official MongoDB documentation covers how to enable it.

Run MongoDB in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Check your mongodb.conf for the bindIp setting (bind_ip in the older INI-style config format) and restrict it to the smallest exposure the rest of the network actually requires.


As with MongoDB, limit the network interfaces on which Elasticsearch listens by configuring the listen-address setting as described in the Elasticsearch documentation.
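As an added example (not part of the Graylog post, its VM image, or either project's own tooling), here is a small POSIX shell audit that checks a mongod.conf and an elasticsearch.yml for the settings discussed above: MongoDB's `security.authorization` and `net.bindIp`, and Elasticsearch's `network.host`. It assumes YAML-format config files with one key per line; the sample files it writes are constructed for the demonstration, and the `conf_value`, `audit_mongod`, `audit_elasticsearch` and `write_samples` helpers are mine.

```shell
#!/bin/sh
# Added example (not from the Graylog post): audit the exposure settings the
# post names in YAML-format config files: MongoDB's security.authorization and
# net.bindIp, and Elasticsearch's network.host. The sample files written by
# write_samples are constructed; on a real host point the audit functions at
# /etc/mongod.conf and /etc/elasticsearch/elasticsearch.yml.

# Print the value of the first "key: value" line (comments, quotes and spaces
# stripped), or nothing if absent. Assumes one key per line, in either the
# flat dotted form (network.host: ...) or the indented nested form (  bindIp: ...).
conf_value() {
  sed -n "s/#.*//; s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' "
}

# Return 0 when mongod.conf requires authentication and does not listen on
# every interface; otherwise print each finding and return 1.
audit_mongod() {
  auth=$(conf_value "$1" authorization)
  bind=$(conf_value "$1" bindIp)
  bindall=$(conf_value "$1" bindIpAll)
  rc=0
  if [ "$auth" != "enabled" ]; then
    echo "$1: security.authorization is '${auth:-unset}', expected 'enabled'"; rc=1
  fi
  case ",$bind," in
    ",,")
      # Before MongoDB 3.6 an unset bindIp meant "listen on all interfaces".
      echo "$1: net.bindIp is unset (pre-3.6 servers then listen on all interfaces)"; rc=1 ;;
    *",0.0.0.0,"*|*",::,"*|*",*,"*)
      echo "$1: net.bindIp '$bind' listens on every interface"; rc=1 ;;
  esac
  if [ "$bindall" = "true" ]; then
    echo "$1: net.bindIpAll is true"; rc=1
  fi
  return $rc
}

# Return 0 when elasticsearch.yml pins network.host to a specific address;
# print a finding and return 1 when it is unset or binds every interface.
audit_elasticsearch() {
  host=$(conf_value "$1" network.host)
  case "$host" in
    "")
      # Elasticsearch 1.x bound all interfaces by default; 2.0+ defaults to loopback.
      echo "$1: network.host is unset (1.x nodes then listen on all interfaces)"; return 1 ;;
    0.0.0.0|::|_global_)
      echo "$1: network.host '$host' listens on every interface"; return 1 ;;
    *_site_*)
      # One interface, but reachable from the whole LAN: fine only on a trusted segment.
      echo "$1: note: network.host '$host' is reachable from the entire local network" ;;
  esac
  return 0
}

# Write four constructed sample files (weak and hardened per service) into $1.
write_samples() {
  cat > "$1/mongod-weak.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
  cat > "$1/mongod-hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF
  cat > "$1/elasticsearch-weak.yml" <<'EOF'
cluster.name: graylog
network.host: 0.0.0.0
EOF
  cat > "$1/elasticsearch-hardened.yml" <<'EOF'
cluster.name: graylog
network.host: 127.0.0.1
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"
for f in "$SAMPLE_DIR"/mongod-*.conf; do
  if audit_mongod "$f"; then echo "$f: OK"; fi
done
for f in "$SAMPLE_DIR"/elasticsearch-*.yml; do
  if audit_elasticsearch "$f"; then echo "$f: OK"; fi
done
```

A non-zero return from either audit function is a finding. A passing audit only shows what the daemons are configured to bind; confirm the actual listening sockets with `ss -tlnp` (or `netstat -tlnp`) and check that 27017, 9200 and 9300 are bound to the addresses you expect, and pair this with the firewall rules the post recommends, since a node that is correct today can be changed by the next config edit.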


Make sure that your infrastructure runs behind a firewall that does not allow access from the outside. There is usually no reason for the databases behind Graylog to be reachable from the internet.
