Reference · high severity

Port 9200 · Elasticsearch

Elasticsearch listens on port 9200 by default. Exposing that port publicly makes the entire indexed dataset available to any internet user.

What runs on port 9200

Elasticsearch is a search and analytics engine. Its REST API binds to TCP/9200 by default. Pre-7.0 builds shipped without authentication enabled, so anyone who could reach the port could query, modify, or delete data.

Why public exposure is dangerous

Exposed Elasticsearch indices have been the source of multiple massive personal-data leaks — millions of records exposed in retrieval-as-a-service incidents because admin defaults bound to all interfaces. Mass-ransom campaigns paralleling the MongoDB ones swept Elasticsearch instances in 2017–2018.

How to lock it down

Bind to `127.0.0.1` or a private interface via `network.host` in `elasticsearch.yml`. Enable security with the X-Pack security module (free since 7.1) — `xpack.security.enabled: true`. Set strong passwords for `elastic` and per-application users. Restrict by IP via host firewall. Use TLS for both transport and REST.
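
The settings above can be checked mechanically. The following is an added example, not code from this page or from Elastic: a small audit of an `elasticsearch.yml` for the bind address, `xpack.security.enabled`, and the two TLS switches. The function names and sample configs are constructed for illustration, and it assumes the flat dotted-key form of the file (nested YAML is not parsed).

```python
import ipaddress

# Constructed sample configs (flat dotted-key form only; nested YAML is not parsed).
WEAK = """\
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """\
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

REQUIRED_TRUE = (
    "xpack.security.enabled",                # authentication
    "xpack.security.http.ssl.enabled",       # TLS on the REST port (9200)
    "xpack.security.transport.ssl.enabled",  # TLS on node-to-node transport
)

def parse_flat(text):
    """Parse 'key: value' lines, ignoring blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def bind_is_restricted(host):
    """True for loopback/private binds, False for wildcard or public ones."""
    if host in ("_local_", "_site_"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # _global_, hostnames, lists: flag for manual review
    return not addr.is_unspecified and (addr.is_loopback or addr.is_private)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_flat(text)
    host = cfg.get("network.host", "_local_")  # assumption: unset means loopback
    bad_bind = [] if bind_is_restricted(host) else [f"network.host={host} is not loopback/private"]
    missing = [f"{k} is not set to true" for k in REQUIRED_TRUE if cfg.get(k, "").lower() != "true"]
    return bad_bind + missing
```

A clean audit only covers the config file; the host firewall and password strength still have to be checked separately.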

When public exposure is legitimate

The legitimate case is internal-network access from application servers. Public exposure is appropriate only for narrowly scoped read-only search APIs, and even then put a reverse proxy with authentication in front; never expose Elasticsearch directly.

Other ports DomainCare scans

  • :3306 MySQL: MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
  • :5432 PostgreSQL: PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
  • :6379 Redis: Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
  • :27017 MongoDB: MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class — pre-3.0 builds shipped without authentication enabled.