diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f7ffaf8..a7b7d2b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
 ### Added
 
 ### Changed
+* elasticsearch: listen on local interface only by default
 
 ### Fixed
 * lxc-php: Don't remove the default pool
diff --git a/elasticsearch/README.md b/elasticsearch/README.md
index e8184019..933beb0f 100644
--- a/elasticsearch/README.md
+++ b/elasticsearch/README.md
@@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
 * `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
 * `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)
 
-By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example.
+By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host).
 
 ## Curator
 
diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml
index f5693bf2..91e81915 100644
--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null
 elasticsearch_cluster_members: Null
 elasticsearch_minimum_master_nodes: Null
 elasticsearch_node_name: "${HOSTNAME}"
-elasticsearch_network_host: "[_site_, _local_]"
+elasticsearch_network_host: "[_local_]"
 elasticsearch_network_publish_host: Null
 elasticsearch_http_publish_host: Null
 elasticsearch_custom_datadir: Null