elasticsearch如何安全加固?
elasticsearch2.4.6安全加固安全从来不是等到出事才要注意的事情,可以说安全是第一重要的事情。技术总监、运维总监、架构师还是一线工程师,都应该有安全意识。
Elasticsearch 的用户现在越来越多,有些更加已经成为公司的基础服务,所以数据的安全更为重要。
资源下载:http://down.运维网.com/data/2446746
http://i2.运维网.com/images/blog/201805/08/7e44f018af0ffe92cb029bac6732ed28.png
1.基础环境
1.1基础环境说明
系统:CentOS7.3
Elasticsearch:2.4.6
192.168.2.142主节点
192.168.2.144节点
1.2安装Elasticsearch
下载资源然后解压安装到/usr/share/elasticsearch
# cd /opt/
# unzip elasticsearch-2.4.6.zip
Archive:elasticsearch-2.4.6.zip
inflating: elasticsearch-2.4.6.rpm
# rpm -ivh elasticsearch-2.4.6.rpm
rpm -vih elasticsearch-2.4.6.rpm
warning: elasticsearch-2.4.6.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Preparing... #################################
Creating elasticsearch group... OK
Updating / installing...
1:elasticsearch-2.4.6-1 #################################
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
目录:/usr/share/elasticsearch
2.安装安全插件
2.1安装编译插件
插件已经编译安装完成,直接解压上传即可
# mkdir -p /usr/share/elasticsearch/config/
# cd /usr/share/elasticsearch/plugins
# unzip plugins.zip
#解压后要删除
# rm -rf plugins.zip
#修改配置文件访问
# vim /etc/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
#保存退出
http://i2.运维网.com/images/blog/201805/08/6ab62fc7480b6983fea83013b2156fa8.png
http://i2.运维网.com/images/blog/201805/08/3bbd324efe25fadf1c2e10dc23aeeb86.png
2.2基础包安装
#yum install -y gcc gcc+ zlib*
#yum install openssl-devel
2.3安装工具包
下载源码包:http://down.运维网.com/6228054
# cd /usr/share/elasticsearch
# unzip search-guard-ssl-2.4.6.zip
2.4修改默认配置
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts/
修改vim example.sh
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh elastic elastic
./gen_node_cert.sh 1 elastic elastic
./gen_node_cert.sh 2 elastic elastic
./gen_node_cert.sh 3 elastic elastic
./gen_client_node_cert.sh admin elastic elastic
#保存并退出
# chmod 777 *.sh
# sh example.sh
#参数说明:
./gen_root_ca.sh elastic elastic
第一个参数为CA_PASS,即CA密码(根证书密码)
第二个参数为TS_PASS,即TS密码(truststore,信任证书密码)
./gen_node_cert.sh 1 elastic elastic
第一个参数为node编号,生成证书后的文件名为node-1*
第二个参数为KS_PASS(keystore文件密码)
第三个参数为CA_PASS
./gen_client_node_cert.sh admin elastic elastic
第一个参数为客户端节点名称,生成证书后的文件名为admin*
第二个参数为KS_PASS
第三个参数为CA_PASS
#有几个节点就添加几个./gen_node_cert.sh
sh example.sh
Generating a 2048 bit RSA private key
....................................................................+++
........................................+++
writing new private key to 'ca/root-ca/private/root-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May8 02:20:51 2018 GMT
Not After : May7 02:20:51 2028 GMT
Subject:
domainComponent = com
domainComponent = example
organizationName = Example Com Inc.
organizationalUnitName = Example Com Inc. Root CA
commonName = Example Com Inc. Root CA
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
X509v3 Authority Key Identifier:
keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Root CA generated
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to 'ca/signing-ca/private/signing-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: May8 02:20:51 2018 GMT
Not After : May7 02:20:51 2028 GMT
Subject:
domainComponent = com
domainComponent = example
organizationName = Example Com Inc.
organizationalUnitName = Example Com Inc. Signing CA
commonName = Example Com Inc. Signing CA
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
9F:10:46:5C:96:22:76:FB:4A:97:E3:D2:03:D4:E5:6B:52:24:93:E1
X509v3 Authority Key Identifier:
keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Import back to keystore (including CA chain)
Certificate reply was installed in keystore
Entry for alias admin successfully imported.
Import command completed:1 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
MAC verified OK
All done for admin
http://i2.运维网.com/images/blog/201805/08/a290e203eb4738dffd275dbb822fd61b.png
http://i2.运维网.com/images/blog/201805/08/51a0e1d82987d1ba738499f4ad409b31.png
2.5复制到config里面
#cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts
#cp truststore.jks node-1-keystore.jks /usr/share/elasticsearch/config/
#cp truststore.jks admin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
3.修改权限
3.1修改配置文件及权限
#cd /usr/share/elasticsearch
#chmod -R 777 ./plugins/search-guard-2/tools/sgadmin.sh
#cd plugins/search-guard-2/
#chmod -R 777 tools/
3.2添加hash值
# cd /usr/share/elasticsearch/plugins/search-guard-2/tools
# ./hash.sh-p vrv123456.
$2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
# cd /usr/share/elasticsearch
vim plugins/search-guard-2/sgconfig/sg_internal_users.yml
将字符串复制到sg_internal_users.yml文件的对应用户密码位置,在密码下面记得写入原密码的提示,难保你那天忘记了。
elastic:
hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
#password is: vrv123456.
http://i2.运维网.com/images/blog/201805/08/042dc772f1cb4ea7947e0a6c94e93073.png
3.3新建文件夹并赋予权限
# cd /usr/share/elasticsearch
# mkdir -p data
# mkdir -p logs
# chmod 777 * logs
# chmod 777 * data
3.4修改用户权限
# vim /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
#添加用户权限
sg_all_access:
users:
- admin
- adm
- elastic
http://i2.运维网.com/images/blog/201805/08/cf9228a26985741f2c3be1cae92eefdd.png
3.5修改配置文件elasticsearch.yml
记得把源文件保存
# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
node.name: node-1
node.master: true
#
path.data: /usr/share/elasticsearch/data
#
# Path to log files:
#
path.logs: /usr/share/elasticsearch/logs
#添加
#-------------------search guard config--------------------------
security.manager.enabled: false
searchguard.authcz.admin_dn: -"CN=admin, OU=client, O=client, L=Test, C=DE"
#-------------------search guard ssl----------------------------------------
#------------------------transport layer SSL------------------------------------
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: elastic
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: elastic
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true #设置成true浏览器也无法访问,测试请改为false
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.keystore_password: elastic
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: elastic
searchguard.allow_all_from_loopback: true
4.验证节点
4.1初始化安全
cd /usr/share/elasticsearch/
./plugins/search-guard-2/tools/sgadmin.sh\
-cd plugins/search-guard-2/sgconfig/ \
-ks config/node-1-keystore.jks \
-ts config/truststore.jks\
-kspass elastic \
-tspass elastic \
-cn elasticsearch \
-h 192.168.2.142 \
-nhnv
http://i2.运维网.com/images/blog/201805/08/66bd9746d8b772bd5e17caa6510eb2e3.png
4.2启动elastic
# su - elasticsearch
# cd /usr/share/elasticsearch/bin
# ./elasticsearch -d
4.3验证
http://192.168.2.142:9200/_plugin/kopf/#!/cluster
http://i2.运维网.com/images/blog/201805/08/ed13c3b886943b862b4414dcdbe106f6.png
输入用户名:elastic 密码:vrv123456.
http://i2.运维网.com/images/blog/201805/08/7c731955afb3911fc75c3f5c4d7bf82b.png
5.多节点验证
5.1 复制elastic程序到别的机器上
进入142服务器 把程序复制上传到144上
# cd /usr/share/
# scp -r elasticsearch/ root@192.168.2.144:/usr/share/
5.2复制文件到配置目录里
在144服务器上执行
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/
# cd example-pki-scripts/
# chmod 777 *
# cp -rf node-2-keystore.jks truststore.jks /usr/share/elasticsearch/config/
cp: overwrite ‘/usr/share/elasticsearch/config/truststore.jks’?
5.3赋予文件权限
# cd /usr/share/elasticsearch/config
# chmod 777 *
5.4修改配置文件
# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
修改内容
node.name: node-2#节点
node.master: false
searchguard.ssl.transport.keystore_filepath: node-2-keystore.jks #节点keystore文件,每个节点都不一样
searchguard.ssl.http.keystore_filepath: node-2-keystore.jks
#其余文件不变
wq!
保存退出
5.5添加用户
# useradd elasticsearch
# cd /usr/share/elasticsearch/
# chown elasticsearch:elasticsearch plugins/
5.6删除date缓存文件
# cd /usr/share/elasticsearch/
# rm -rf data/*
5.6启动服务
# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d
5.7验证
http://192.168.2.142:9200/_plugin/kopf/#!/cluster
http://i2.运维网.com/images/blog/201805/08/001dba03bdd5190af827e319c2488a7e.png
http://192.168.2.144:9200/_plugin/kopf/#!/cluster
http://i2.运维网.com/images/blog/201805/08/a21a5d98351ba9c6000cffb7938f8006.png
输入用户名:elastic 密码:vrv123456.
http://i2.运维网.com/images/blog/201805/08/6e71a233c27be9bf3efe50b9756dfebe.png
http://i2.运维网.com/images/blog/201805/08/18b76e8491fe19194922cf4ff5650ac1.png
6.安全加固
6.1 修改集群默认名字
vim /usr/share/elasticsearch/config/elasticsearch.yml
cluster.name: ceshi #集群名字修改
6.2 禁用批量删除
Elasticsearch 支持通过 _all(全部)和通配符(*)来批量删除索引。
设置: action.destructive_requires_name: true 来禁用它。
http://i2.运维网.com/images/blog/201805/08/0b16356cc0857b3d16f8d5e41ac6a83c.png
6.3 不要以root身份去运行
# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d
记住一定不要以 root 身份来运行 Elasticsearch。另外,不要和其他的服务公用相同的用户,然后还要把用户的权限最小化。
6.4 开启防火墙
#!/bin/bash
yum install iptables-services
systemctl enable iptables.service
cat> /etc/sysconfig/iptables
页:
[1]