Elasticsearch was never meant to be wide open to the internet.
Yet visibility data shows tens of thousands of services responding on port 9200 across the 27 EU member states.
This is not a vulnerability scan. It is a snapshot of what is publicly reachable.
Methodology
Scope: 27 European Union member states
AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE
Query focus:
- Services responding on port 9200, typically associated with Elasticsearch.
Important context:
- Not every service on port 9200 is Elasticsearch
- Some are proxies, dashboards, honeypots, or unrelated HTTP services
- Fingerprinting is based on Shodan visibility
Total Port 9200 Exposure in the EU
Total services responding on port 9200: 42,314
| Country | Instances |
|---|---|
| Germany (DE) | 13,459 |
| Netherlands (NL) | 7,921 |
| France (FR) | 7,838 |
| Spain (ES) | 1,955 |
| Italy (IT) | 1,659 |
| Poland (PL) | 1,560 |
| Finland (FI) | 1,542 |
| Sweden (SE) | 1,466 |
| Czechia (CZ) | 1,153 |
| Ireland (IE) | 574 |
| Romania (RO) | 521 |
| Portugal (PT) | 477 |
| Belgium (BE) | 362 |
| Austria (AT) | 351 |
| Hungary (HU) | 304 |
| Bulgaria (BG) | 192 |
| Greece (GR) | 174 |
| Denmark (DK) | 161 |
| Latvia (LV) | 116 |
| Cyprus (CY) | 95 |
| Lithuania (LT) | 94 |
| Croatia (HR) | 76 |
| Slovenia (SI) | 75 |
| Slovakia (SK) | 72 |
| Estonia (EE) | 66 |
| Luxembourg (LU) | 32 |
| Malta (MT) | 19 |
What Is Actually Running on Port 9200?
| Product | Instances |
|---|---|
| nginx | 8,613 |
| Elastic | 3,683 |
| Prometheus Node Exporter | 557 |
| Elastichoney | 534 |
| Hikvision IP Camera | 166 |
| Microsoft IIS httpd | 133 |
| Jetty | 97 |
| Plex Media Server | 85 |
| Home Assistant | 61 |
Why Elasticsearch Exposure Matters
Historically, exposed Elasticsearch clusters have led to massive data leaks, log disclosure, and ransomware campaigns that wipe indices.
Elasticsearch Hardening Checklist
1. Network Isolation
- Place Elasticsearch in a private subnet
- Restrict access to internal services only
- Access via VPN or bastion host only
- Block public port 9200 entirely
2. Enable Authentication
- Enable xpack security
- Require authentication for all API calls
- Disable anonymous access
3. Enforce TLS Everywhere
- Enable HTTPS and use valid certificates
- Disable plaintext HTTP access
- Encrypt inter-node communication
4. Restrict Dangerous APIs
- Restrict index deletion permissions
- Disable scripting if not required
- Limit snapshot repository access
5. Monitoring and Alerting
- Monitor for failed authentication attempts
- Alert on index deletions or snapshot creations
- Watch for unusual query spikes
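
The following Python script is an added example, not part of the original article or of Elasticsearch itself. It checks a flat dotted-key `elasticsearch.yml` against items 1 to 4 of the checklist. The two sample configs are constructed, and requiring each setting to be explicitly `true` is an assumption of this example; item 5 (monitoring) cannot be verified from this file.

```python
# Added example: audits flat dotted-key elasticsearch.yml text (nested YAML not handled).
WEAK_SAMPLE = """\
# constructed sample, not from a real host
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.authc.anonymous.roles: superuser
"""
HARDENED_SAMPLE = """\
# constructed sample
network.host: 10.0.12.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
action.destructive_requires_name: true
"""
# Assumption of this example: each setting must be present and explicitly true.
REQUIRED_TRUE = {
    "xpack.security.enabled": "2. authentication",
    "xpack.security.http.ssl.enabled": "3. HTTPS on the REST API",
    "xpack.security.transport.ssl.enabled": "3. inter-node TLS",
    # Guard rail only: blocks wildcard/_all deletes; role privileges still apply.
    "action.destructive_requires_name": "4. index deletion",
}
WILDCARD_BINDS = {"0.0.0.0", "::", "_global_"}

def parse_flat_yaml(text):
    """Return {key: value} for 'key: value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of (setting, checklist item) findings; empty means pass."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("network.host") in WILDCARD_BINDS:
        findings.append(("network.host", "1. network isolation"))
    for key, item in REQUIRED_TRUE.items():
        if s.get(key, "").lower() != "true":
            findings.append((key, item))
    if "xpack.security.authc.anonymous.roles" in s:
        findings.append(("xpack.security.authc.anonymous.roles", "2. anonymous access"))
    return findings

if __name__ == "__main__":
    for setting, item in audit(WEAK_SAMPLE):
        print(f"FAIL {item}: {setting}")
```

A passing audit only covers the node's own settings; firewall rules and role privileges still have to be reviewed separately.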
