Security is never something to start worrying about only after an incident; it is arguably the single most important concern. CTOs, operations directors, architects and front-line engineers alike should all have security awareness.
Elasticsearch has more and more users, and for some companies it has already become a core infrastructure service, which makes the security of its data all the more important.
Resource download: http://down.51cto.com/data/2446746
OS: CentOS 7.3
Elasticsearch: 2.4.6
192.168.2.142 master node
192.168.2.144 node
Download the resource, unzip it, and install it to /usr/share/elasticsearch:
# cd /opt/
# unzip elasticsearch-2.4.6.zip
Archive: elasticsearch-2.4.6.zip
inflating: elasticsearch-2.4.6.rpm
# rpm -ivh elasticsearch-2.4.6.rpm
warning: elasticsearch-2.4.6.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Creating elasticsearch group... OK
Updating / installing...
1:elasticsearch-2.4.6-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Install directory: /usr/share/elasticsearch
The plugins are already built and installed; just upload the archive and unzip it:
# mkdir -p /usr/share/elasticsearch/config/
# cd /usr/share/elasticsearch/plugins
# unzip plugins.zip
#解壓后要刪除
# rm -rf plugins.zip
# edit the config file so the node is reachable over the network
# vim /etc/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
# save and exit
#yum install -y gcc gcc+ zlib*
#yum install openssl-devel
Download the source package: http://down.51cto.com/6228054
# cd /usr/share/elasticsearch
# unzip search-guard-ssl-2.4.6.zip
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts/
Edit example.sh (vim example.sh) so that it reads:
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh elastic elastic
./gen_node_cert.sh 1 elastic elastic
./gen_node_cert.sh 2 elastic elastic
./gen_node_cert.sh 3 elastic elastic
./gen_client_node_cert.sh admin elastic elastic
#保存并退出
# chmod 777 *.sh
# sh example.sh
# Parameter description:
./gen_root_ca.sh elastic elastic
The first parameter is CA_PASS, the CA password (the root certificate key password).
The second parameter is TS_PASS, the truststore password.
./gen_node_cert.sh 1 elastic elastic
The first parameter is the node number; the generated files are named node-1*.
The second parameter is KS_PASS (the keystore file password).
The third parameter is CA_PASS.
./gen_client_node_cert.sh admin elastic elastic
The first parameter is the client node name; the generated files are named admin*.
The second parameter is KS_PASS.
The third parameter is CA_PASS.
# Add one ./gen_node_cert.sh line for each node in the cluster.
sh example.sh
Generating a 2048 bit RSA private key
....................................................................+++
........................................+++
writing new private key to 'ca/root-ca/private/root-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 8 02:20:51 2018 GMT
Not After : May 7 02:20:51 2028 GMT
Subject:
domainComponent = com
domainComponent = example
organizationName = Example Com Inc.
organizationalUnitName = Example Com Inc. Root CA
commonName = Example Com Inc. Root CA
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
X509v3 Authority Key Identifier:
keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May 7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Root CA generated
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to 'ca/signing-ca/private/signing-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: May 8 02:20:51 2018 GMT
Not After : May 7 02:20:51 2028 GMT
Subject:
domainComponent = com
domainComponent = example
organizationName = Example Com Inc.
organizationalUnitName = Example Com Inc. Signing CA
commonName = Example Com Inc. Signing CA
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
9F:10:46:5C:96:22:76:FB:4A:97:E3:D2:03:D4:E5:6B:52:24:93:E1
X509v3 Authority Key Identifier:
keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May 7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Import back to keystore (including CA chain)
Certificate reply was installed in keystore
Entry for alias admin successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
MAC verified OK
All done for admin
#cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts
#cp truststore.jks node-1-keystore.jks /usr/share/elasticsearch/config/
#cp truststore.jks admin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
#cd /usr/share/elasticsearch
#chmod -R 777 ./plugins/search-guard-2/tools/sgadmin.sh
#cd plugins/search-guard-2/
#chmod -R 777 tools/
# cd /usr/share/elasticsearch/plugins/search-guard-2/tools
# ./hash.sh -p vrv123456.
$2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
# cd /usr/share/elasticsearch
vim plugins/search-guard-2/sgconfig/sg_internal_users.yml
Copy the hash string into sg_internal_users.yml at the corresponding user's password position, and below it remember to write a hint for the original password, in case you forget it one day.
elastic:
  hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
  #password is: vrv123456.
# cd /usr/share/elasticsearch
# mkdir -p data
# mkdir -p logs
# chmod 777 * logs
# chmod 777 * data
# vim /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
# add users to the role
sg_all_access:
  users:
    - admin
    - adm
    - elastic
Remember to save the file.
# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
node.name: node-1
node.master: true
#
path.data: /usr/share/elasticsearch/data
#
# Path to log files:
#
path.logs: /usr/share/elasticsearch/logs
# add the following:
#-------------------search guard config--------------------------
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=admin, OU=client, O=client, L=Test, C=DE"
#-------------------search guard ssl----------------------------------------
#------------------------transport layer SSL------------------------------------
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: elastic
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: elastic
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true # when true the browser cannot access it either; change to false for testing
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.keystore_password: elastic
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: elastic
searchguard.allow_all_from_loopback: true
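The two files edited above, sg_internal_users.yml with its bcrypt hash and the Search Guard section of elasticsearch.yml, are where this setup's security actually lives, so here is an added lint script for both. It is written for this page; it is not part of Search Guard, Elasticsearch or the original post. It assumes only the Python standard library and the flat "key: value" / "key:" + "- item" shape shown above (it is not a full YAML parser). It flags an internal user whose value is not a bcrypt hash or whose cost is below 12, a plaintext password hint left in a comment (the hash alone is all Search Guard needs to verify a login, so the hint only helps whoever reads the file), a node reachable on the network while searchguard.ssl.http.enabled is false (basic-auth credentials then cross the wire in clear text), hostname verification switched off, admin_dn not written as a YAML list, and allow_all_from_loopback. The sample inputs are constructed from the values on this page.

```python
import re

# Constructed sample of the node-1 settings from the write-up, with
# admin_dn written as the YAML list Search Guard expects and HTTP TLS
# switched to the "for testing" value so the check has something to flag.
ES_YML = """\
network.host: 0.0.0.0
node.name: node-1
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=admin, OU=client, O=client, L=Test, C=DE"
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false  # the "for testing" setting
searchguard.allow_all_from_loopback: true
"""

# Constructed sample sg_internal_users.yml: the elastic entry as written
# in the post (hash from the page, plaintext hint included), plus a
# made-up kibana entry whose "hash" is a bare MD5 digest, not bcrypt.
USERS_YML = """\
elastic:
  hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
  #password is: vrv123456.
kibana:
  hash: 5f4dcc3b5aa765d61d8327deb882cf99
"""

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")


def strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside quotes."""
    in_quote = None
    for i, ch in enumerate(line):
        if ch in "\"'" and in_quote in (None, ch):
            in_quote = None if in_quote else ch
        elif ch == "#" and in_quote is None and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line


def parse_flat_yaml(text):
    """Parse the 'key: value' and 'key:' + '- item' lines used in
    elasticsearch.yml. Deliberately minimal, not a full YAML parser."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- "):
            if current is None:
                raise ValueError("list item without a key: %r" % raw)
            cfg[current].append(line.lstrip()[2:].strip().strip("\"'"))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        if value:
            cfg[key], current = value, None
        else:
            cfg[key], current = [], key  # empty value: a list follows
    return cfg


def check_internal_users(text):
    """Findings for sg_internal_users.yml: non-bcrypt or low-cost hashes,
    and plaintext password hints left in comments."""
    findings, user = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            if "password" in stripped.lower():
                findings.append("%s: plaintext password hint in a comment" % user)
            continue
        if not raw.startswith((" ", "\t")):
            user = stripped.rstrip(":")  # top-level key = user name
            continue
        key, _, value = stripped.partition(":")
        if key.strip() != "hash":
            continue
        m = BCRYPT_RE.match(value.strip())
        if not m:
            findings.append("%s: hash is not a bcrypt hash" % user)
        elif int(m.group(1)) < 12:
            findings.append("%s: bcrypt cost %s below 12" % (user, m.group(1)))
    return findings


def check_es_config(cfg):
    """Findings for the Search Guard settings in a parsed elasticsearch.yml."""
    findings = []
    exposed = cfg.get("network.host") not in (None, "127.0.0.1", "localhost", "_local_")
    if exposed and cfg.get("searchguard.ssl.http.enabled") != "true":
        findings.append("REST API reachable from the network without TLS; "
                        "basic-auth credentials would travel in the clear")
    if cfg.get("searchguard.ssl.transport.enabled") != "true":
        findings.append("transport layer TLS disabled")
    if cfg.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("transport hostname verification disabled")
    if not isinstance(cfg.get("searchguard.authcz.admin_dn"), list):
        findings.append("searchguard.authcz.admin_dn must be a YAML list of DNs")
    if cfg.get("searchguard.allow_all_from_loopback") == "true":
        findings.append("unauthenticated access allowed from loopback")
    return findings


if __name__ == "__main__":
    for f in check_es_config(parse_flat_yaml(ES_YML)) + check_internal_users(USERS_YML):
        print("FINDING:", f)
```

To run it against a real node, read the two files from /usr/share/elasticsearch/config/elasticsearch.yml and plugins/search-guard-2/sgconfig/sg_internal_users.yml in place of the constructed strings; the value check for admin_dn is exactly what catches the `admin_dn: -"CN=..."` one-liner form, which YAML reads as a plain string rather than a list.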
cd /usr/share/elasticsearch/
./plugins/search-guard-2/tools/sgadmin.sh \
-cd plugins/search-guard-2/sgconfig/ \
-ks config/node-1-keystore.jks \
-ts config/truststore.jks \
-kspass elastic \
-tspass elastic \
-cn elasticsearch \
-h 192.168.2.142 \
-nhnv
# su - elasticsearch
# cd /usr/share/elasticsearch/bin
# ./elasticsearch -d
http://192.168.2.142:9200/_plugin/kopf/#!/cluster
Enter username: elastic, password: vrv123456.
On server 142, copy the whole program directory up to server 144:
# cd /usr/share/
# scp -r elasticsearch/ root@192.168.2.144:/usr/share/
Run the following on server 144:
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/
# cd example-pki-scripts/
# chmod 777 *
# cp -rf node-2-keystore.jks truststore.jks /usr/share/elasticsearch/config/
cp: overwrite ‘/usr/share/elasticsearch/config/truststore.jks’?
# cd /usr/share/elasticsearch/config
# chmod 777 *
# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
Change the following:
node.name: node-2 # node name
node.master: false
searchguard.ssl.transport.keystore_filepath: node-2-keystore.jks # this node's keystore file; every node has its own
searchguard.ssl.http.keystore_filepath: node-2-keystore.jks
# everything else stays unchanged
wq!
Save and exit.
# useradd elasticsearch
# cd /usr/share/elasticsearch/
# chown elasticsearch:elasticsearch plugins/
# cd /usr/share/elasticsearch/
# rm -rf data/*
# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d
http://192.168.2.142:9200/_plugin/kopf/#!/cluster
http://192.168.2.144:9200/_plugin/kopf/#!/cluster
Enter username: elastic, password: vrv123456.
vim /usr/share/elasticsearch/config/elasticsearch.yml
cluster.name: ceshi # change the cluster name
Elasticsearch supports deleting indices in bulk via _all and wildcards (*).
Set action.destructive_requires_name: true to disable this.
# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d
Remember: never run Elasticsearch as root. Also, do not share its user with other services, and minimize that user's privileges.
#!/bin/bash
yum install iptables-services
systemctl enable iptables.service
cat> /etc/sysconfig/iptables<
1. First, enable the firewall and set its rules to open only the necessary ports. Then use a scanning tool to scan the server and check which ports are open.
2. If possible, do not use passwords for remote login; use SSH public/private keys wherever you can. If passwords are the only option, keep your username and password safe, disable the root user, and do not use weak passwords.
3. Follow the latest Java vulnerabilities and run on a secure JVM.
4. Keep the server's software up to date and use secure package repositories. Pin the repository HOST to its IP to avoid DNS poisoning; watch for server software vulnerabilities and patch promptly.
5. Collect system logs and install appropriate detection software so that abnormal behaviour on the server is spotted in time.
http://www.elastic.co/cn/blog/reinforce-the-security-of-elasticsearch-101
That is the end of this walkthrough. A Knox security configuration walkthrough will follow.