An unauthenticated threat actor can gain administrator access to Search Guard by entering the default credentials, i.e., admin: admin. In this way, this user has full access to the Elastic cluster and all indices. We want to prevent users from accessing Elasticsearch by using the default password.
We can address this vulnerability by changing the default password for Elasticsearch.
Open GroupID Management Console.
Go to the Replication node.
Go to the Search Guard Change Password section.
Provide the default password, which is admin, in the Current Password box.
Enter a new password in the New Password and Confirm New Password boxes.
Click Change Password.
Once you see the successful password change message, try logging into Elasticsearch in your browser with the new password to ensure that the password has been changed successfully.
Note: Elastic service and replication automatically restart once you change the password. Any requests going to the Elastic service will be disrupted during the change process for 2 to 4 seconds only. Once you see the success message, everything is back to normal, which should be visible within seconds. If you have multiple GroupID servers, you need to perform the same steps on those servers also.
Once the password is changed on all the GroupID servers, verify the following:
Verify the Elastic cluster state by executing the following URL:
Verify the cluster health by executing the following URL:
In the end, all nodes should be in green. Verify by executing the following URL:
http://ServerName:9200/_cat/indices? Note: Make sure that you keep a copy of the new password safe, as this is not easily recoverable.