Protecting Graylog from Data Ransom Attacks
As you may have read, there are currently ongoing data ransom attacks on misconfigured databases like MongoDB and Elasticsearch. The attacks are not exploiting a security issue in these tools, but hackers simply search for instances that are not password protected and are accessible from the internet.
We have seen multiple Graylog setups that were affected by these attacks and wanted to provide a reminder about a few things to check in your configuration. In particular, the Graylog virtual machine image has a very open default setting and is not meant to run in an environment that allows access from the outside or even from the internet.
Make sure that MongoDB has user authentication set up. You can follow the official MongoDB documentation on this topic.
Let MongoDB run in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming data. Check your mongodb.conf for the bindIP setting and lock it down to as minimal as possible exposure to the rest of the network.
As with MongoDB, limit on which network interfaces Elasticsearch is listening by configuring the network.host setting as described in the Elasticsearch documentation.
Make sure that your infrastructure is running behind a firewall that does not allow access from the outside. There is usually no reason for internet access to the databases behind Graylog.