Port reference
Port 9200 (TCP) – Elasticsearch HTTP API
Default port for the Elasticsearch REST/HTTP API used to query and index data.
Default state
Older Elasticsearch versions exposed the HTTP API on 9200 with no authentication. Modern versions bind to localhost and enable security by default, but many legacy clusters remain open.
Common attacks
- Unauthenticated REST access to read, dump, or delete all indices
- Ransom attacks that wipe indices and leave a payment note
- Information disclosure of cluster, index, and document data
- Abuse of scripting/management APIs and version-specific RCE bugs
Hardening
- Bind to localhost or a private interface (network.host); never expose 9200 to the internet
- Enable the security features (authentication and RBAC)
- Require TLS for HTTP and transport traffic
- Firewall to trusted hosts and put a reverse proxy in front if remote access is needed
- Keep Elasticsearch patched and audit access
nmap snippet
nmap -p9200 --script http-elasticsearch-head <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 9200?
Port 9200 is the default for the Elasticsearch HTTP/REST API, the interface used to index, search, and manage data in an Elasticsearch cluster. Applications and tools send JSON requests to 9200 to query documents and administer indices; the separate transport protocol for node-to-node traffic uses 9300.
Why it matters for security
Elasticsearch frequently stores logs, search data, and personal information, all reachable through a simple REST API. Older versions shipped without authentication, so anyone who could reach 9200 could read, dump, or delete every index with basic HTTP calls. This made open Elasticsearch one of the most common sources of large data breaches and ransom incidents.
How it's attacked
Attackers scan for open 9200 and issue unauthenticated REST calls to enumerate and dump all indices, exfiltrating sensitive data. They then frequently delete the indices and leave a ransom note. Management and scripting APIs, plus version-specific bugs, have also been abused for further compromise including remote code execution.
Hardening checklist
Bind Elasticsearch to localhost or a private interface via network.host and keep 9200 off the public internet, behind a firewall or VPN. Enable the built-in security features (authentication and RBAC), require TLS for HTTP and transport traffic, and place a reverse proxy in front if remote access is required. Patch regularly and audit access. Use the nmap snippet above to detect exposed clusters on hosts you are authorized to test.
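The Hardening list and the checklist above both come down to a handful of elasticsearch.yml settings. The script below is an added example (not from this page or the Elasticsearch project) that audits a config file for those settings: it assumes the flat dotted-key style of elasticsearch.yml and uses the real setting names network.host, xpack.security.enabled, xpack.security.http.ssl.enabled and xpack.security.transport.ssl.enabled; the two sample configs are constructed.

```python
"""Audit an elasticsearch.yml for the 9200 hardening points listed above."""
from typing import Dict, List

# Bind values that keep the HTTP API on loopback or a private (site-local)
# interface; anything else (0.0.0.0, _global_, a public address) is flagged.
SAFE_BIND = {"127.0.0.1", "::1", "localhost", "_local_", "_site_"}

# Constructed sample configs: a legacy-style open cluster and a hardened one.
WEAK_CONFIG = """
cluster.name: legacy-logs
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""
HARDENED_CONFIG = """
cluster.name: logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'key: value' lines (comments stripped).
    Nested YAML blocks are not handled; dotted keys are the usual style."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings for the checklist; an empty list means all checks passed."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # unset = loopback only
    if host not in SAFE_BIND:
        findings.append(f"network.host={host}: API reachable on a non-local interface")
    # Modern releases default this to true; an explicit false is how legacy
    # clusters end up answering unauthenticated REST calls on 9200.
    if settings.get("xpack.security.enabled", "true").lower() != "true":
        findings.append("xpack.security.enabled=false: no authentication on :9200")
    for layer in ("http", "transport"):
        key = f"xpack.security.{layer}.ssl.enabled"
        if settings.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true: {layer} traffic is cleartext")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["OK"])
```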
Frequently asked questions
- Is it safe to expose Elasticsearch on port 9200?
- No. Open Elasticsearch clusters caused numerous large data breaches and ransom waves. Bind to localhost or a private network, enable security/authentication, require TLS, and firewall the port.
- Why do exposed Elasticsearch clusters get ransomed?
- With no authentication, anyone reaching the HTTP API can dump and delete every index via simple REST calls, then leave a ransom note demanding payment to restore the data.