How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In most cases the database held personal data. These leaks could have been avoided if, after deploying the database, the administrators had bothered to check a few simple settings. Today we will talk about them.

Let us say right away that in our practice we use Elasticsearch to store logs and to analyse the security logs of information security tools, the OS and software on our IaaS platform, which complies with the requirements of 152-FZ (Cloud-152).


Checking whether the database is "sticking out" onto the Internet

In the best-known leak cases (here, here) the attacker obtained the data simply and without effort: the database was published on the Internet and could be connected to without any authentication.

First, let us deal with exposure to the Internet. Why does it happen? For more resilient operation of Elasticsearch it is recommended to build a cluster of three servers. For the database nodes to talk to each other, ports have to be opened. As a result, administrators often do not restrict access to the database at all, and it can be reached from anywhere. It is easy to check whether the database is accessible from outside: just enter in the browser http://[IP/name of Elasticsearch]:9200/_cat/nodes?v

If you get in, go and close it right away.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication system that restricts access to data, but it is only available in the paid X-Pack feature set (a 1-month trial is free).

The good news is that in the autumn of 2019 Amazon opened up its own development, Open Distro for Elasticsearch, which overlaps with X-Pack. Authentication on connections to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

The plugin is easy to install. Go to the server console and add the repository:

RPM-based:

curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

yum update

yum install opendistro-security


DEB-based:

wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up SSL between the servers

Installing the plugin changes the configuration of the port used to connect to the database: it enables SSL encryption. For the cluster servers to keep working with each other, you need to configure their communication over SSL.

Trust between hosts can be established with or without a certificate authority. The first way is self-explanatory: you simply go to a trusted CA. Let us move straight on to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create the root private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be re-established.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
    -key root-ca-key.pem -out root-ca.pem

  4. Create the admin key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request (the subject must match the admin_dn entry configured later, so no trailing space after "admin"):

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
    -key admin-key.pem -out admin.csr

  6. Create the admin certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
    -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create a key for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create the node's signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
    -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
    -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the node certificate (the request and output file names follow the NODENAME variable from step 7):

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -out ${NODENAME}.pem

  10. Place the certificates on each Elasticsearch node in the following folder:

    /etc/elasticsearch/

    We need these files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Edit /etc/elasticsearch/elasticsearch.yml and change the certificate file names to the ones we created:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
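Steps 2 to 11 are easy to get subtly wrong: the DN strings in admin_dn and nodes_dn have to match the certificate subjects character for character, in RFC 2253 order, and a node certificate signed with a plain "openssl x509 -req" does not inherit the subjectAltName from its CSR. The script below is an added example, not part of the original article: it runs the same key and certificate generation in a scratch directory, verifies that both leaf certificates chain to the root, and prints the subjects in exactly the form the yml expects. It assumes OpenSSL 1.1.1 or newer (for -addext), passes the SAN to the signer through -extfile, and uses 2048-bit keys only to keep the run short.

```shell
#!/bin/sh
# Added example (not from the original article): steps 2-9 end to end, followed
# by the checks a practitioner wants before touching elasticsearch.yml.
# Assumes OpenSSL >= 1.1.1; DOMAIN_CN and NODENAME default to the article's values.
set -eu

DOMAIN_CN="${DOMAIN_CN:-example.com}"
NODENAME="${NODENAME:-node-01}"
WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

make_pki() {
    # Steps 2-3: root key and self-signed root certificate
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 \
        -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem

    # Steps 4-6: admin key (PKCS#8), CSR and certificate
    openssl genrsa -out admin-key-temp.pem 2048 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in admin-key-temp.pem -out admin-key.pem
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -sha256 -days 365 -out admin.pem 2>/dev/null

    # Steps 7-9: node key, CSR with SAN, certificate. "openssl x509 -req" does not
    # copy extensions from the CSR, so the SAN is handed to the signer via -extfile;
    # without that the node certificate would carry no SAN at all.
    openssl genrsa -out "${NODENAME}-key-temp.pem" 2048 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "${NODENAME}-key-temp.pem" -out "${NODENAME}-key.pem"
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
        -key "${NODENAME}-key.pem" -out "${NODENAME}.csr"
    printf 'subjectAltName=DNS:%s.%s,DNS:www.%s.%s\n' \
        "$NODENAME" "$DOMAIN_CN" "$NODENAME" "$DOMAIN_CN" > node-ext.cnf
    openssl x509 -req -in "${NODENAME}.csr" -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -sha256 -days 365 -extfile node-ext.cnf \
        -out "${NODENAME}.pem" 2>/dev/null
    rm -f admin-key-temp.pem "${NODENAME}-key-temp.pem"
}

# Subject in RFC 2253 order (most specific RDN first): the exact string the
# plugin compares against admin_dn / nodes_dn.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeeds only if both leaf certificates chain to our private root.
verify_chain() {
    openssl verify -CAfile root-ca.pem admin.pem "${NODENAME}.pem" >/dev/null
}

# The SAN line of the node certificate, e.g. "DNS:node-01.example.com, DNS:www...."
node_san() {
    openssl x509 -in "${NODENAME}.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_pki
verify_chain
echo "admin_dn: $(subject_dn admin.pem)"
echo "nodes_dn: $(subject_dn "${NODENAME}.pem")"
echo "node SAN: $(node_san)"
echo "files in: $WORKDIR"
```

Paste the two printed DNs into admin_dn and nodes_dn unchanged; if you later decide to set enforce_hostname_verification to true, the node SAN printed last is what the peer nodes will check the hostname against.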

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (OD_SEC is the plugin path variable exported in the last section):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the firewall in the OS

  1. Enable the firewall to start at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Show the active rules:

    firewall-cmd --list-all
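Step 3 opens port 9200 to every host that can reach the "work" zone, which on an Internet-facing interface is the very exposure the first section warned about. The script below is an added example, not from the original article: it builds firewalld rich rules that admit the REST port only from named client networks and the inter-node transport port only from the other cluster members, then removes the blanket port opening. It assumes firewall-cmd is available, that the REST port is 9200 and the transport port is Elasticsearch's default 9300, and the 10.0.x.x networks are constructed placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original article): source-restricted firewalld
# rules for an Elasticsearch node. Set DRY_RUN=1 to print instead of apply.
set -eu

# Wrapper so the same functions can be previewed without touching the firewall.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# es_allow ZONE PORT CIDR [CIDR...]: one permanent rich rule per source network,
# accepting TCP to PORT only from that network.
es_allow() {
    zone="$1"; port="$2"; shift 2
    for cidr in "$@"; do
        fw --permanent --zone="$zone" \
           --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"tcp\" accept"
    done
}

# es_close ZONE PORT: remove a blanket opening such as the one created by
# "--add-port=9200/tcp", so the rich rules become the only way in.
# (Ignores the NOT_ENABLED error firewalld returns when nothing was opened.)
es_close() {
    fw --permanent --zone="$1" --remove-port="$2/tcp" || true
}

# apply_es_rules ZONE "CLIENT_CIDRS" "CLUSTER_CIDRS"
apply_es_rules() {
    zone="$1"; clients="$2"; cluster="$3"
    es_allow "$zone" 9200 $clients   # REST API: log shippers, Kibana, admins
    es_allow "$zone" 9300 $cluster   # transport: the other cluster nodes only
    es_close "$zone" 9200
    fw --reload
}

if [ "${1:-}" = "apply" ]; then
    # Constructed example networks; replace with your own inventory.
    apply_es_rules work "10.0.1.0/24 10.0.2.0/24" "10.0.0.0/28"
fi
```

Run it once with DRY_RUN=1 to review the generated rules, then with "apply"; firewall-cmd --list-all afterwards should show the rich rules and no bare 9200/tcp entry.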

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that uploads the new passwords and validates the configuration:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
    -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
    -cert /etc/elasticsearch/admin.pem \
    -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP/name of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
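The article's first check (open /_cat/nodes?v in a browser) and this last one (curl with the admin account) are the same probe before and after hardening. The script below is an added example, not code from the original article: it runs that probe against each node twice, once anonymously and once with credentials, and turns the two answers into an audit verdict you can run across an inventory. It uses only the Python standard library; the verdict labels and the host names in the usage section are this example's own, and TLS is verified rather than skipped with --insecure, so load root-ca.pem into the context for nodes signed by the private CA from the SSL section.

```python
"""Added example (not from the original article): audit whether an Elasticsearch
node serves /_cat/nodes without credentials, and whether credentials work."""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A fetcher takes (url, Authorization header or None) and returns (status, body).
# Status 0 means the host could not be reached at all.
Fetcher = Callable[[str, Optional[str]], Tuple[int, str]]


def http_fetch(url: str, auth: Optional[str], timeout: float = 5.0,
               cafile: Optional[str] = None) -> Tuple[int, str]:
    """Real fetcher. TLS is verified; pass cafile=/etc/elasticsearch/root-ca.pem
    (hypothetical path from the SSL section) for a private CA."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", auth)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:            # 401, 403, 5xx ...
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:  # refused, timeout, TLS failure
        return 0, str(exc)


def basic_auth(user: str, password: str) -> str:
    """HTTP Basic header value for the internal user, as curl -u builds it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def classify(anon_status: int, auth_status: Optional[int]) -> str:
    """Map the anonymous (and optional authenticated) probe to a verdict."""
    if anon_status == 0:
        return "UNREACHABLE"            # port closed or filtered: not exposed
    if anon_status == 200:
        return "OPEN"                   # node list served with no credentials
    if anon_status in (401, 403):
        if auth_status is None:
            return "AUTH_REQUIRED"      # good, credentials were not tested
        if auth_status == 200:
            return "PROTECTED"          # auth enforced and our account works
        return "AUTH_REQUIRED_CREDS_REJECTED"
    return f"UNEXPECTED_{anon_status}"


def audit_node(base_url: str, user: Optional[str] = None,
               password: Optional[str] = None, fetch: Fetcher = http_fetch) -> str:
    """Probe one node, e.g. audit_node("https://es-host:9200", "admin", pw)."""
    url = base_url.rstrip("/") + "/_cat/nodes?v"
    anon_status, _ = fetch(url, None)
    auth_status = None
    if user is not None and anon_status not in (0, 200):
        auth_status, _ = fetch(url, basic_auth(user, password or ""))
    return classify(anon_status, auth_status)


if __name__ == "__main__":
    # Hypothetical hosts; replace with your own inventory.
    for host in ("http://es-old.internal:9200", "https://es-new.internal:9200"):
        print(host, audit_node(host, user="admin", password="changeme"))
```

A node that reports OPEN is the situation of the first section; PROTECTED is what this article's configuration should produce, and AUTH_REQUIRED_CREDS_REJECTED usually means securityadmin.sh has not yet pushed the new internal_users.yml.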

That is all: these are the minimal settings that protect Elasticsearch from unauthorized connections.

source: www.habr.com
