How to configure Elasticsearch to prevent leaks

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In many cases personal data was stored in the database. These leaks could have been prevented if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about them.

Let us say up front that in our own practice we use Elasticsearch to store and analyze the logs of information security tools, the OS and software on our IaaS platform, which meets the requirements of 152-FZ, Cloud-152.

Checking whether the database "sticks out" onto the Internet

In most of the known leaks (here, here) the attacker reached the data simply and without effort: the database was published on the Internet, and it was possible to connect to it without authentication.

First, let's deal with publication on the Internet. Why does this happen? The fact is that for more flexible operation of Elasticsearch it is recommended to create a cluster of three servers. For the databases to communicate with each other, you need to open ports. As a result, administrators do not restrict access to the database in any way, and it can be reached from anywhere. It is easy to check whether the database is accessible from outside. Just open http://[IP/Elasticsearch name]:9200/_cat/nodes?v in a browser.

If you can get in, then run and close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (1 month of free use).

The good news is that in the fall of 2019 Amazon opened up its own developments, which overlap with X-Pack. The authentication function for connecting to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

This plugin is easy to install. Go to the server console and add the repository:

RPM based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

    yum update

    yum install opendistro-security


DEB based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Configuring communication between the servers over SSL

When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure the communication between them using SSL.

Trust between hosts can be established with or without your own certification authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be reconfigured.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
    -key root-ca-key.pem -out root-ca.pem

  4. Create an administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
    -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
    -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create certificates for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
    -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
    -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -out ${NODENAME}.pem

  10. Place the following files in the /etc/elasticsearch/ directory on the Elasticsearch nodes:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml - change the names of the certificate files to the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
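
The DNs under opendistro_security.authcz.admin_dn and opendistro_security.nodes_dn list the subject components in the reverse of the order passed to -subj in steps 5 and 8. The following added example (not from the original article or the Open Distro project) rewrites a -subj string in that order and checks that it appears verbatim in a configuration file. The function names and the sample file are hypothetical, and subject values are assumed to contain no "/" or ",".

```sh
#!/bin/sh
# Rewrite an openssl -subj string (/C=../O=../CN=..) in the order used in
# elasticsearch.yml: last component first, comma separated.
# Assumption: no value contains "/" or ",".
subj_to_dn() {
    printf '%s\n' "$1" | awk '{
        n = split($0, rdn, "/"); out = ""
        for (i = n; i >= 2; i--) {        # rdn[1] is empty: -subj starts with "/"
            if (rdn[i] == "") continue
            sep = (out == "") ? "" : ","
            out = out sep rdn[i]
        }
        print out
    }'
}

# Print the list entries under one key, e.g. opendistro_security.nodes_dn.
configured_dns() {   # $1 = key, $2 = path to elasticsearch.yml
    awk -v key="$1:" '
        $1 == key                   { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]+/ { sub(/^[ \t]*-[ \t]+/, "")
                                      sub(/[ \t]+$/, ""); print; next }
        in_list && NF               { in_list = 0 }
    ' "$2"
}

# Succeed only if the subject appears verbatim under the key.
dn_is_listed() {     # $1 = -subj string, $2 = key, $3 = path to elasticsearch.yml
    configured_dns "$2" "$3" | grep -Fxq -- "$(subj_to_dn "$1")"
}

# Constructed sample: the two DN lists from the configuration in step 11.
DEMO_YML=$(mktemp)
cat > "$DEMO_YML" <<'EOF'
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
EOF

# The second subject carries a trailing space after "admin" and must not match.
for subj in "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin" \
            "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin "; do
    if dn_is_listed "$subj" opendistro_security.authcz.admin_dn "$DEMO_YML"
    then echo "listed:     [$(subj_to_dn "$subj")]"
    else echo "not listed: [$(subj_to_dn "$subj")]"
    fi
done
```

On an issued certificate, `openssl x509 -subject -nameopt RFC2253 -noout -in admin.pem` prints the subject in the same order.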

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (the OD_SEC variable is set in step 1 of the last section):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in this file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Setting up a firewall in the OS

  1. Enable the firewall at startup:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone=work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Display the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin directory:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and checks the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
    -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
    -cert /etc/elasticsearch/admin.pem \
    -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET "https://[IP/Elasticsearch name]:9200/_cat/nodes?v" -u admin:[password] --insecure
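
The browser check in the first section and the curl check in step 3 both come down to which requests a node answers. The following added example (not part of the original article) runs three probes against /_cat/nodes and interprets the status codes, so that a node still answering without authentication is reported as well. The function names and the ES_AUTH variable are hypothetical, and it assumes the security plugin answers anonymous HTTPS requests with 401.

```sh
#!/bin/sh
# Print the HTTP status for one request; curl reports 000 when it got no
# HTTP response at all (connection refused, timeout, TLS handshake failure).
probe() {   # $1 = URL, $2 = optional user:password
    if [ -n "${2:-}" ]; then
        curl -sk -m 5 -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -sk -m 5 -o /dev/null -w '%{http_code}' "$1"
    fi
    return 0
}

# Verdict for one node from three probes of /_cat/nodes:
#   $1 plain HTTP without credentials, $2 HTTPS without credentials,
#   $3 HTTPS with the admin credentials.
# Assumption: the plugin rejects anonymous HTTPS requests with status 401.
verdict() {
    case "$1" in 2??) echo "EXPOSED: plain HTTP answers without authentication"; return ;; esac
    case "$2" in 2??) echo "EXPOSED: HTTPS answers without authentication"; return ;; esac
    case "$1:$2:$3" in
        000:000:000) echo "UNREACHABLE: no HTTP response on port 9200" ;;
        000:401:2??) echo "OK: TLS only, anonymous rejected, admin accepted" ;;
        000:401:401) echo "LOCKED: anonymous rejected, admin credentials rejected too" ;;
        *)           echo "REVIEW: unexpected status codes $1/$2/$3" ;;
    esac
}

check_node() {   # $1 = host, $2 = user:password
    verdict "$(probe "http://$1:9200/_cat/nodes")" \
            "$(probe "https://$1:9200/_cat/nodes")" \
            "$(probe "https://$1:9200/_cat/nodes" "$2")"
}

# Constructed status codes for a node before and after the steps above.
echo "before: $(verdict 200 000 000)"
echo "after:  $(verdict 000 401 200)"

# Real run against your own nodes:
#   ES_AUTH='admin:[password]' sh check.sh node-01.example.com
for node in "$@"; do
    echo "$node: $(check_node "$node" "${ES_AUTH:-}")"
done
```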

That's all: this is the minimum set of settings that protects Elasticsearch from unauthorized connections.

Source: www.habr.com
