Elastic under lock and key: enabling Elasticsearch cluster security options for internal and external access


Elastic Stack is a well-known tool in the SIEM market (and, to be fair, not only there). It can collect a lot of different data, both sensitive and not so sensitive. It is therefore not quite right if access to the Elastic Stack components themselves is left unprotected. Out of the box, every Elastic component (Elasticsearch, Logstash, Kibana and the Beats collectors) talks over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we show how. (This describes Elastic Stack 7.x; starting with version 8.0, security is enabled by default and TLS is auto-configured on first start, but the settings below are still the ones doing the work.) For convenience we have split the description into three key points:

  • Role-based data access model
  • Data security inside an Elasticsearch cluster
  • Securing data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not configure it in any way, access to every index is open to everyone. Well, to everyone who can use curl. To avoid this, Elasticsearch has a role model, which is available starting from the Basic subscription (the free one). Schematically it looks something like this:

[Figure: schematic of the role-based access model]

What is in the picture

  • Users are everyone who can log in with their credentials.
  • A role is a set of privileges.
  • A privilege is a set of permissions.
  • Permissions are the allowed actions: write, read, delete and so on (full list of privileges).
  • Resources are indices, documents, fields, users and other stored entities (for some of them the model is only available with paid subscriptions).

By default Elasticsearch ships with built-in users that already have built-in roles attached. As soon as you enable security you can start using them.

To enable security in Elasticsearch, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch so the change takes effect. The next step is to set passwords for the built-in users. Let's do it interactively with the command below (this is the moment the elastic superuser gets its password, so pick a strong one and keep it for administration only):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the Elasticsearch side is done. Now it is time to configure Kibana. If you start it right now it will fail with an error, so the important step is to create the Kibana keystore first. This takes two commands (the user is kibana and the password is the one you entered for it during the password setup step in Elasticsearch; on older Kibana versions, run kibana-keystore create before these if the keystore does not exist yet):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is right, Kibana will start asking for a login and password. The Basic subscription includes a model based on native users. Starting with Gold, you can plug in external authentication providers: LDAP, PKI, Active Directory and single sign-on.


Access rights to objects in Elasticsearch can also be restricted. However, to do the same at the level of documents or fields you need a paid subscription (this rather expensive feature starts at the Platinum tier). These settings are available in the Kibana interface or through the Security API. You can try them out in the familiar Dev Tools; the role below grants read-only access to a single index, and the user gets that role plus kibana_user so that he can log in to Kibana:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
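As an added check (example code written for this edit, not part of the original article or of the Elastic Stack): once the role and user exist, confirm that pushkin holds exactly the privileges intended and nothing more. The script uses the real POST /_security/user/_has_privileges API, which any authenticated user may call to ask about their own privileges, and compares the answer with the intended grant. The second index name logs-2019, the environment variables ES_URL, ES_PASSWORD and ES_CA, and the sample response embedded in the script are assumptions constructed for the example; when ES_PASSWORD is not set, the script audits the constructed sample instead of a live cluster.

```python
"""Check that a restricted Elasticsearch user holds only the privileges we intended.
Added example for this article; it uses the real POST /_security/user/_has_privileges
API, which lets any authenticated user ask about their own privileges."""
import base64
import json
import os
import ssl
import urllib.request

# What the article's ruslan_i_ludmila_role is supposed to grant: read-only on one index.
INTENDED_INDEX_PRIVILEGES = {
    "ruslan_i_ludmila": {"read", "view_index_metadata"},
}
# Privileges we probe for. Anything granted outside INTENDED_INDEX_PRIVILEGES is excess.
PROBE_INDEX_PRIVILEGES = ["read", "view_index_metadata", "write", "delete", "manage"]
PROBE_CLUSTER_PRIVILEGES = ["manage_security", "manage", "all"]


def has_privileges_request(indices):
    """Body for POST /_security/user/_has_privileges covering every probed privilege."""
    return {
        "cluster": PROBE_CLUSTER_PRIVILEGES,
        "index": [{"names": sorted(indices), "privileges": PROBE_INDEX_PRIVILEGES}],
    }


def excess_privileges(response, intended=INTENDED_INDEX_PRIVILEGES):
    """Return the privileges the cluster reports as granted that our intent does not cover.

    The response shape is the documented one for _has_privileges:
    {"cluster": {priv: bool}, "index": {index: {priv: bool}}, ...}.
    Any cluster privilege is excess for this user; index privileges are compared
    against the intended set per index (an index absent from `intended` allows nothing).
    """
    excess = []
    for priv, granted in response.get("cluster", {}).items():
        if granted:
            excess.append(f"cluster:{priv}")
    for index, privs in response.get("index", {}).items():
        allowed = intended.get(index, set())
        for priv, granted in privs.items():
            if granted and priv not in allowed:
                excess.append(f"index:{index}:{priv}")
    return sorted(excess)


def query_has_privileges(base_url, user, password, body, ca_file=None):
    """POST the probe *as the audited user*: _has_privileges answers for the caller."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/_security/user/_has_privileges",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )
    # ca_file is the article's ca.crt once the HTTP layer runs over TLS.
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample reply (not captured from a real cluster), in the documented shape.
# It models a misconfiguration: pushkin was also given "write" on the index.
SAMPLE_RESPONSE = {
    "username": "pushkin",
    "has_all_requested": False,
    "cluster": {"manage_security": False, "manage": False, "all": False},
    "index": {
        "ruslan_i_ludmila": {"read": True, "view_index_metadata": True,
                             "write": True, "delete": False, "manage": False},
        "logs-2019": {"read": False, "view_index_metadata": False,
                      "write": False, "delete": False, "manage": False},
    },
}


if __name__ == "__main__":
    # Live run: ES_URL, ES_PASSWORD (pushkin's) and optionally ES_CA are assumed env vars.
    if "ES_PASSWORD" in os.environ:
        response = query_has_privileges(
            os.environ.get("ES_URL", "https://node1:9200"),
            "pushkin",
            os.environ["ES_PASSWORD"],
            has_privileges_request(["ruslan_i_ludmila", "logs-2019"]),
            os.environ.get("ES_CA"),
        )
    else:
        response = SAMPLE_RESPONSE
    extra = excess_privileges(response)
    print("excess privileges:", ", ".join(extra) if extra else "none")
    raise SystemExit(1 if extra else 0)
```

Run it as pushkin rather than as elastic: the API reports the caller's own privileges, and a superuser trivially has everything. A non-empty list is a finding; the constructed sample shows a stray write privilege that the article's role does not grant.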

Data security inside an Elasticsearch cluster

When Elasticsearch runs as a cluster (and it always does), securing the traffic inside the cluster becomes essential. For secure communication between nodes Elasticsearch uses TLS. To set it up you need certificates. First we generate a certificate authority (CA) certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After the command above finishes, a file elastic-stack-ca.zip appears in the elasticsearch directory. Inside it you will find the certificate and the private key, with the extensions crt and key respectively. It is convenient to put them on a shared resource that every node in the cluster can reach (the CA key is the root of trust for the whole cluster, so take it off the share again once the node certificates have been issued).

Each node now needs its own certificate and private key, signed by the CA above. While the command runs you will be asked to set a password. You can add the --ip and --dns options to put the node addresses into the certificate; they are required if you later raise verification_mode to full, which also checks hostnames.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

Once the command completes we get a certificate and private key in PKCS#12 format, protected by the password. All that remains is to move the generated p12 file to the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Since the p12 file is password protected, add its password to the Elasticsearch keystore (the secure settings store) on every node, once for the keystore entry and once for the truststore entry:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, all that remains is to add the lines pointing at the certificate:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Restart all the Elasticsearch nodes and run curl. If everything worked, the response lists several nodes. Note what verification_mode: certificate means: a node accepts any peer whose certificate chains to our CA, without checking the hostname. That is what lets the same elastic-certificates.p12 serve every node, but it also means anyone holding a certificate signed by that CA can join the transport layer, which is another reason to guard ca.key.

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password                                                                                    
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2                                                                                                                     
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3                                                                                                                     
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security mechanism, IP filtering (available starting from the Gold subscription). It lets you build a whitelist of IP addresses allowed to connect to the nodes; the settings are xpack.security.transport.filter.allow and .deny for node-to-node traffic and xpack.security.http.filter.allow and .deny for the REST layer.

Securing data outside the Elasticsearch cluster

Outside the cluster means the connections from external tools: Kibana, Logstash, Beats or any other external client.

[Figure: external clients connecting to the Elasticsearch cluster]

To make Elasticsearch serve https instead of http, add these new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Because the certificate is password protected, add the password to the Elasticsearch keystore on every node, for both the http keystore and truststore entries:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the secure settings, the Elasticsearch nodes are ready to accept https connections. Now they can be restarted. From this point on plain http requests to port 9200 no longer work: every client, curl included, has to use https:// and trust ca.crt.

The next step is to create a key for connecting Kibana and add it to the configuration. Using the CA certificate already in the directory, we generate a certificate in PEM format (at the time of writing Kibana, Logstash and Beats did not support PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unzip the generated keys into the folder with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so the last step is to change the Kibana configuration so that it starts using them. In kibana.yml, change http to https and add the lines with the SSL settings. The first three lines secure the connection from Kibana to Elasticsearch (verificationMode: certificate again skips hostname checks, which is why the node certificate without SANs is accepted); the last three set up the secure connection between the user's browser and Kibana. Browsers will warn about instance.crt unless they trust ca.crt and the certificate names the host users actually type in, so for production issue the Kibana certificate with --dns set to that name.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt

That's it: the settings are complete, and access to the data in the Elasticsearch cluster is authenticated and encrypted.
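The settings from this article end up spread across elasticsearch.yml (xpack.security.enabled, the transport TLS block and the http TLS block) and kibana.yml, and they have to be identical on every node. As an added example, not part of the article or of the Elastic Stack, here is a small audit script that checks both files for those settings and flags the weak values: a missing xpack.security.enabled, a verification_mode of none, or an http:// Elasticsearch URL left in Kibana. It only understands the flat key: value lines used in the article; nested YAML maps would need a real YAML parser. The sample configs embedded in it are constructed for the example: a stock file with nothing set next to the article's hardened lines.

```python
"""Audit elasticsearch.yml and kibana.yml for the settings enabled in this article.
Added example, not part of the Elastic Stack. Understands the flat 'key: value'
lines the article uses; nested YAML maps are not parsed."""
import sys

# Elasticsearch: settings that must be present with the given value (None = any value).
ES_REQUIRED = {
    "xpack.security.enabled": "true",
    "xpack.security.transport.ssl.enabled": "true",
    "xpack.security.transport.ssl.keystore.path": None,
    "xpack.security.transport.ssl.truststore.path": None,
    "xpack.security.http.ssl.enabled": "true",
    "xpack.security.http.ssl.keystore.path": None,
}
# Settings that, if present, must not carry a value that disables verification.
ES_FORBIDDEN = {"xpack.security.transport.ssl.verification_mode": {"none"}}

KIBANA_REQUIRED = {
    "server.ssl.enabled": "true",
    "server.ssl.key": None,
    "server.ssl.certificate": None,
    "elasticsearch.ssl.certificateAuthorities": None,
}
KIBANA_FORBIDDEN = {"elasticsearch.ssl.verificationMode": {"none"}}


def parse_flat_yaml(text):
    """Return {key: raw value} for 'key: value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings, required, forbidden):
    """Return a list of findings; an empty list means the file passes the checks."""
    findings = []
    for key, expected in required.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif expected is not None and value.lower() != expected:
            findings.append(f"{key} is '{value}', expected '{expected}'")
    for key, weak in forbidden.items():
        value = settings.get(key)
        if value is not None and value.lower() in weak:
            findings.append(f"{key} is '{value}', which disables verification")
    return findings


def audit_kibana(settings):
    """Kibana checks plus the one the key/value rules cannot express: hosts must be https."""
    findings = audit(settings, KIBANA_REQUIRED, KIBANA_FORBIDDEN)
    hosts = settings.get("elasticsearch.hosts")
    if hosts is None:
        findings.append("elasticsearch.hosts is missing (Kibana defaults to http://localhost:9200)")
    elif "http://" in hosts:
        findings.append(f"elasticsearch.hosts uses plaintext http: {hosts}")
    return findings


# Constructed samples: a stock elasticsearch.yml with nothing set, and the article's lines.
ES_DEFAULT = """
cluster.name: my-application
network.host: 0.0.0.0
"""
ES_HARDENED = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
KIBANA_HARDENED = """
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python audit_elastic_config.py elasticsearch.yml kibana.yml
        with open(sys.argv[1], encoding="utf-8") as f:
            es_findings = audit(parse_flat_yaml(f.read()), ES_REQUIRED, ES_FORBIDDEN)
        with open(sys.argv[2], encoding="utf-8") as f:
            kb_findings = audit_kibana(parse_flat_yaml(f.read()))
    else:  # no files given: audit the constructed stock file and the hardened kibana.yml
        es_findings = audit(parse_flat_yaml(ES_DEFAULT), ES_REQUIRED, ES_FORBIDDEN)
        kb_findings = audit_kibana(parse_flat_yaml(KIBANA_HARDENED))
    for finding in es_findings + kb_findings:
        print(finding)
    raise SystemExit(1 if es_findings or kb_findings else 0)
```

A non-zero exit means at least one finding, so the script drops straight into a deployment pipeline or a cron job across nodes. It does not prove the TLS material itself is valid; for that you still need to start the node and check the cluster with curl over https as above.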

If you have questions about what the Elastic Stack can do on the free or paid subscriptions, about supporting it or about building a SIEM system, leave a request through the feedback form on our site.

More of our articles about the Elastic Stack on Habr:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Sizing Elasticsearch

Source: www.hab.com
