How to configure Elasticsearch so that it doesn't leak

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In a number of cases, personal data was stored in the database. These leaks could have been avoided if administrators had bothered to check a few simple settings after deploying the database. Today we will talk about them.

Let's say up front that in practice we use Elasticsearch to store and analyze logs from information security tools, operating systems and software on our IaaS platform that complies with the requirements of 152-FZ, Cloud-152.


Checking whether the database "sticks out" into the Internet

In the most widely publicized leaks (here, here) the attackers obtained the data simply and unceremoniously: the database was published on the Internet and could be connected to without authentication.

First, let's deal with publication on the Internet. Why does this happen? The point is that, for more flexible operation of Elasticsearch, it is recommended to build a cluster of three servers. For the databases to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and it can be connected to from anywhere. It is easy to check whether the database is reachable from outside: just enter http://[Elasticsearch IP or hostname]:9200/_cat/nodes?v in a browser.

If you managed to get in, run and close it.

Protecting the connection to the database

Now let's make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (free use for 1 month).

The good news is that in the autumn of 2019 Amazon opened up its own development, which overlaps with X-Pack. The authentication function for connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

The plugin is easy to install. Go to the server console and connect the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security

DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up communication between the servers over SSL

When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working together, you need to configure communication between them over SSL.

Trust between the hosts can be established with the help of a certificate authority or without one. With the first method everything is clear: you simply turn to the CA specialists. Let's go straight to the second.

  1. Create a variable with the fully qualified domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the ROOT certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
      -key root-ca-key.pem -out root-ca.pem

  4. Create the administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    # the subject must match opendistro_security.authcz.admin_dn (step 11) exactly,
    # so there must be no stray characters such as a trailing space after "admin"
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
      -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create a certificate for an Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create the signing request:

    # -addext requires OpenSSL 1.1.1 or newer
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
      -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
      -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    # note: "x509 -req" does not copy the CSR's subjectAltName into the certificate by
    # default; hostname verification is disabled in step 11, so the nodes still trust each other
    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
      -sha256 -out ${NODENAME}.pem

  10. Place the certificates on the Elasticsearch nodes in the following folder:

    /etc/elasticsearch/

    We need the files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Edit /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we created:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
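The admin_dn and nodes_dn entries in step 11 have to match the certificate subjects from steps 5 and 8 in RFC 2253 form (RDN order reversed, comma separated, special characters escaped). The script below is an added example, not code from the original article: it derives those strings from the same -subj values the openssl commands use and emits the YAML block for a whole cluster, which goes beyond the single node-01 the article configures; the domain and node names are constructed sample values.

```python
# Added example: build the RFC 2253 DN strings that the Open Distro security plugin
# compares against (admin_dn / nodes_dn) from the "-subj" strings passed to openssl,
# and emit the matching elasticsearch.yml block. Domain and node names are sample values.

RFC2253_SPECIALS = ("\\", ",", "+", '"', "<", ">", ";")  # backslash must be escaped first


def escape_rfc2253(value: str) -> str:
    """Escape an attribute value the way `openssl x509 -subject -nameopt RFC2253` prints it."""
    for ch in RFC2253_SPECIALS:
        value = value.replace(ch, "\\" + ch)
    if value.startswith((" ", "#")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def subj_to_rfc2253(subj: str) -> str:
    """Turn an OpenSSL '-subj' string ('/C=RU/ST=.../CN=admin') into RFC 2253 form:
    RDN order reversed, joined with ',', values escaped (the text the plugin expects)."""
    rdns = []
    for part in subj.split("/"):
        if not part:
            continue  # skip the empty element before the leading '/'
        attr, _, value = part.partition("=")
        rdns.append(f"{attr}={escape_rfc2253(value)}")
    return ",".join(reversed(rdns))


def admin_subj(domain_cn: str) -> str:
    # identical to the subject used for admin.csr in step 5
    return f"/C=RU/ST=Moscow/O=Moscow Inc./CN={domain_cn}/CN=admin"


def node_subj(node_name: str, domain_cn: str) -> str:
    # identical to the subject used for the node CSR in step 8
    return f"/C=RU/ST=Moscow/O=Moscow Inc./CN={node_name}.{domain_cn}"


def security_dn_yaml(domain_cn: str, node_names) -> str:
    """Render the admin_dn / nodes_dn section for every node in the cluster."""
    lines = ["opendistro_security.authcz.admin_dn:",
             f"  - {subj_to_rfc2253(admin_subj(domain_cn))}",
             "opendistro_security.nodes_dn:"]
    lines += [f"  - {subj_to_rfc2253(node_subj(n, domain_cn))}" for n in node_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # three-node cluster, as the article recommends (sample node names)
    print(security_dn_yaml("example.com", ["node-01", "node-02", "node-03"]), end="")
```

To double-check a deployed certificate, compare the output against `openssl x509 -in node-01.pem -noout -subject -nameopt RFC2253`: the text after `subject=` must equal the nodes_dn entry character for character.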

Changing the passwords of the internal users

  1. Using the following command, print the password hash to the console:

    # OD_SEC is the plugin folder; it is exported in the section "Applying all changes to Elasticsearch" below
    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the file with the one obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the firewall in the OS

  1. Enable the firewall to start at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Display the active rules:

    firewall-cmd --list-all

Applying all changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that will update the passwords and check the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
      -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
      -cert /etc/elasticsearch/admin.pem \
      -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    # --insecure skips checking the node certificate; pass --cacert /etc/elasticsearch/root-ca.pem instead to verify it against our root
    curl -XGET https://[Elasticsearch IP or hostname]:9200/_cat/nodes?v -u admin:[password] --insecure

That's it: this is the minimal setup that protects Elasticsearch from unauthorized connections.

Source: www.habr.com
