How to configure Elasticsearch so that it does not leak

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In many of them, personal data was stored. These leaks could have been avoided if, after deploying the database, the administrators had bothered to check a few simple settings. Today we will talk about them.

Let us say right away that in our practice we use Elasticsearch to store logs and analyze the logs of security tools, the OS and the software on our IaaS platform that complies with 152-FZ, Cloud-152.


Checking whether the database "sticks out" into the Internet

In the most widely known leaks (here, here) the attacker gained access to the data simply and unpretentiously: the database was published on the Internet, and it was possible to connect to it without authentication.

First, let's talk about publishing on the Internet. Why does this happen? The fact is that, for greater flexibility, Elasticsearch is recommended to be deployed as a cluster of three servers. For the databases to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and the database can be reached from anywhere. It is easy to check whether the database is reachable from outside. Just enter in the browser http://[IP/name of Elasticsearch]:9200/_cat/nodes?v

If you get in, run and close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin (1 month of free use).

The good news is that in the autumn of 2019 Amazon opened its own development, which overlaps with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

This plugin is easy to install. Go to the server console and connect the repository:

RPM-based:

curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

yum update

yum install opendistro-security


DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up interaction between the servers over SSL

When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure the interaction between them over SSL.

Trust between the hosts can be established with or without your own certificate authority. With the first method everything is obvious: you just need to contact the CA specialists. Let's move on to the second.

  1. Create a variable with the domain name:

    export DOMAIN_CN="example.com"

  2. Generate the private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be rebuilt.

    # -days is added here: without it openssl req -x509 issues a certificate valid for only 30 days; adjust to your policy
    openssl req -new -x509 -sha256 -days 730 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
    -key root-ca-key.pem -out root-ca.pem

  4. Create the admin key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
    -key admin-key.pem -out admin.csr

  6. Create the admin certificate:

    # -days added: openssl x509 -req also defaults to a 30-day validity
    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
    -CAkey root-ca-key.pem -CAcreateserial -sha256 -days 730 -out admin.pem

  7. Create the certificate for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
    -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
    -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    # file names follow ${NODENAME} so that the output matches the node-01.pem expected in step 10
    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -days 730 -out ${NODENAME}.pem

  10. Put the Elasticsearch node certificates in the following folder:

    /etc/elasticsearch/


    We need the files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Edit /etc/elasticsearch/elasticsearch.yml - replace the names of the certificate files with the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU

Changing the passwords of the internal users

  1. Using the command below, output the password hash to the console:

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the file with the one obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the firewall in the OS

  1. Enable the firewall at startup:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/TCP --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Here are the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and applies the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
    -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
    -cert /etc/elasticsearch/admin.pem \
    -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP/name of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure

That's all: these are the minimum settings that protect Elasticsearch from unauthorized connections.

Source: www.hab.com
