
Ensure services like Elasticsearch are not accessible from outside using Postman monitoring

Romain Norberg ・ 3 min read

Below is a technique for receiving an alert when one of your services is exposed to the internet by mistake. It is one solution among many; its merit is that it can be put in place quickly and at low cost.

Obviously, it is still strongly advised to rely on a system administrator, or at least to read the security section of the documentation of each service you deploy.

Introduction

In this example we'll take Elasticsearch. By default the service is not reachable from outside, but one configuration mistake is enough for your data to be exposed.

For example, anyone can send this request:

curl -X GET "<your-webserver-url-or-ip>:9200/?pretty"

{
  "name" : "elastic-server",
  "cluster_name" : "my_cluster",
  "cluster_uuid" : "nabrNvU7S9uPhU5SYiEEjg",
  "version" : {
    "number" : "7.7.0",
    "build_flavor" : "default",
    ...
  },
  "tagline" : "You Know, for Search"
}

... and then fetch all your data just as easily.

Postman

Postman is a collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration so you can create better APIs, faster (API client, automated testing, design and mock, and more).

Postman (fresh install)

Steps

Create collection

Create a new collection named "Monitoring".

Create and save new request

Click the [+] button and create a new request with the GET method and the URL https://httpbin.org/status/200.

Save the request to the "Monitoring" collection.

Add test(s)

Add the following code to the "Tests" tab:

pm.sendRequest("http://<your-webserver-url-or-ip>:9200/", function (err) {
    // Desired outcome: nothing answers on port 9200 from the internet, so the
    // connection is refused. If err is null the port answered, which must fail too
    // (otherwise err.code would just throw a TypeError instead of a clear message).
    pm.expect(err, "port 9200 answered the probe").to.not.be.null;
    pm.expect(err.code).to.equal('ECONNREFUSED');
});


Click the "Send" button to run your request. If the test is ✅ green, all is well; if it is 🔴 red, there is a problem.

If the test fails, your server either responded to the request or did not refuse the connection.

Change the code as below, run it, and open the Postman Console (View > Show Postman Console) to see the result:

pm.sendRequest("http://<your-webserver-url-or-ip>:9200/", function (err, response) {
    // Log the raw response so the console shows what actually answered on the port.
    console.log(response);
    //pm.expect(err.code).to.equal('ECONNREFUSED');
});

Here is a failing test, with my local Elasticsearch server running and exposed locally on port 9209:

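The script above only treats ECONNREFUSED as a pass, so a port that is silently filtered by a firewall (a timeout) would show red even though it is not exposed. The following added example, which is not code from the original post, separates the decision logic into a pure function that classifies the probe result (closed, exposed, or inconclusive) and only binds to Postman's pm object when it runs inside the sandbox; the hostname placeholder, the set of Node-style error codes, and the test label are my assumptions.

```javascript
// Added example (not from the original post): a more robust Tests-tab script.
// Assumption: pm.sendRequest reports transport failures with Node-style err.code
// values; these are the ones that mean nobody answered, i.e. the desired state.
const CLOSED_CODES = new Set([
  'ECONNREFUSED', 'ETIMEDOUT', 'ESOCKETTIMEDOUT', 'EHOSTUNREACH', 'ECONNRESET',
]);

// Classify the (err, response) pair handed to the sendRequest callback.
// response only needs the Postman shape we use: .code and .text().
function classifyProbe(err, response) {
  if (err) {
    if (CLOSED_CODES.has(err.code)) {
      return { verdict: 'closed', detail: err.code };
    }
    // e.g. ENOTFOUND: the monitor itself is misconfigured, investigate rather than pass.
    return { verdict: 'inconclusive', detail: err.code || String(err) };
  }
  // Something answered on the port: that is exposure regardless of what it said.
  let detail = 'HTTP ' + response.code;
  try {
    const body = JSON.parse(response.text());
    if (body && body.tagline === 'You Know, for Search') {
      // The unauthenticated root banner shown at the start of the post.
      detail += ', unauthenticated Elasticsearch banner';
      if (body.version && body.version.number) detail += ' ' + body.version.number;
    }
  } catch (e) {
    // Non-JSON body (e.g. an auth challenge page): still reachable, keep the status.
  }
  return { verdict: 'exposed', detail: detail };
}

// Postman glue: only runs inside the Postman sandbox or a monitor run, where pm exists.
if (typeof pm !== 'undefined') {
  const target = 'http://<your-webserver-url-or-ip>:9200/'; // placeholder host
  pm.sendRequest(target, function (err, response) {
    const result = classifyProbe(err, response);
    pm.test('Elasticsearch not reachable from the internet (' + result.detail + ')', function () {
      pm.expect(result.verdict).to.equal('closed');
    });
  });
}
```

Because the test name carries the detail string, the monitor's failure e-mail tells you directly whether the port merely answered or served the unauthenticated banner.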

Configure Monitoring

Postman API Monitoring allows you to review your API responses, availability, and performance with each run so you can ensure that your API is always healthy.

More: https://www.postman.com/api-monitor/ (and documentation: https://learning.postman.com/docs/postman/monitors/intro-monitors/)

Add a new Monitor.

Select "Use collection from this workspace", choose our "Monitoring" collection and click "Next".

Give your Monitor a name and configure it (schedule, environment, ...).

On this tab, click "Show additional preferences" and tick the option to receive email notifications for run failures and errors. Add one or more email addresses, then click "Create".

And voilà! 🎉 Your Monitor is up and running.

Web dashboard

Click the '>' button of our new collection to access the "Monitor" tab.

Click your new Monitor in the list below the tabs to open the web dashboard.

After several hours or days (depending on the chosen schedule), you will have the test results and the performance details.


I hope you found this tutorial useful, or that it helped you learn more about Postman.

Don't hesitate to send me your comments or tips. As indicated above, this is an easy solution to implement, but it should not be the only safeguard on your server or IT infrastructure.
