Over the past year there have been many leaks from databases
Let us say up front that in our practice we use Elasticsearch to store and analyze the logs of information security tools, operating systems and software on our IaaS platform, which complies with the requirements of 152-FZ: Cloud-152.
Checking whether the database is "sticking out" into the Internet
In the most common case of a leak (
First, let's deal with exposure to the Internet. Why does this happen? The point is that, for more flexible Elasticsearch operation
If you managed to get in, go and close it.
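The check above can be done from the node itself: if the Elasticsearch ports are bound to every interface, anything that can reach the host can reach the database. The script below is an added example, not code from the original article. It parses the output of `ss -ltn` (Linux) and flags the REST port 9200 and the transport port 9300 when they are bound to a wildcard address; the parser reads standard input, so it can also be run against a saved copy of that output.

```shell
#!/bin/sh
# Added example (not from the original article): flag Elasticsearch listeners
# that are bound to all interfaces. Input is the output of `ss -ltn`.

# Ports Elasticsearch uses: 9200 (HTTP REST API) and 9300 (node transport).
ES_PORTS="9200 9300"

# Read `ss -ltn` lines on stdin. Print one line per Elasticsearch listener,
# marked EXPOSED when it is bound to 0.0.0.0, * or [::] (every interface) and
# ok when it is bound to a specific address. Returns 0 if nothing is exposed,
# 1 otherwise.
exposed_listeners() {
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        case "$state" in
            LISTEN) ;;
            *) continue ;;      # header line or a non-listening socket
        esac
        addr=${laddr%:*}        # everything before the last colon
        port=${laddr##*:}       # everything after the last colon
        for p in $ES_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                0.0.0.0|'*'|'::'|'[::]')
                    printf 'EXPOSED %s (port %s bound to %s)\n' "$laddr" "$port" "$addr"
                    exposed=1 ;;
                *)
                    printf 'ok      %s (port %s bound to %s)\n' "$laddr" "$port" "$addr" ;;
            esac
        done
    done
    return $exposed
}

# Run the check against the local node. Any EXPOSED line means the port is
# reachable on every interface; on an Internet-facing host that is the
# situation the article warns about.
check_local_node() {
    ss -ltn | exposed_listeners
}
```

Binding to a loopback or internal address only, or the firewall rules set up later in the article, turns an EXPOSED line into an ok line; rerun the check after each change.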
Protecting the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (free for one month).
The good news is that in autumn 2019 Amazon open-sourced its own development, which overlaps with X-Pack. The authentication function for connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
The plugin is easy to install. Go to the server console and add the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up communication between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working together, you need to configure communication between them over SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact a CA specialist. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Generate a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the ROOT certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Generate the administrator key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Issue the administrator certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create a certificate for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
We need these files:
node-01-key.pem
node-01.pem
admin-key.pem
admin.pem
root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we created:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
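The certificate steps above, collected into one script as an added example (not code from the original article or from the plugin project). It builds the same root CA, admin and node certificates in a temporary directory, then verifies the chain and prints each subject in the comma-separated, leaf-first (RFC 2253) order that `opendistro_security.nodes_dn` and `opendistro_security.authcz.admin_dn` expect, which is the reverse of the slash form passed to `-subj`. Two points a practitioner runs into are handled: `openssl x509 -req` does not copy extensions from the CSR by default, so the SAN is supplied again with `-extfile` at signing time (it is only checked on the transport layer once `enforce_hostname_verification` is set to true), and a node certificate that carries an extended key usage needs both serverAuth and clientAuth. The domain, node name and organization are the article's placeholders; `-nocrypt` already leaves the PKCS#8 key unencrypted, so the `-v1` cipher option is omitted.

```shell
#!/bin/sh
# Added example, not part of the original article: build a throwaway CA,
# admin certificate and node certificate, verify the chain and print the
# subject DNs in the order the Open Distro security plugin expects.
set -eu

DOMAIN_CN="${DOMAIN_CN:-example.com}"   # placeholders from the article
NODENAME="${NODENAME:-node-01}"
ORG="Moscow Inc."

# Generate the whole PKI under directory $1.
make_pki() {
    (
        cd "$1" || exit 1
        # Minimal config so the root is marked as a CA even without a system
        # openssl.cnf; -subj supplies the DN, so the [dn] entry is never used.
        printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' \
            '[dn]' 'CN = unused' '[ca]' 'basicConstraints = critical,CA:TRUE' \
            'keyUsage = critical,keyCertSign,cRLSign' > root.cnf
        openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -sha256 -days 30 -config root.cnf \
            -subj "/C=RU/ST=Moscow/O=${ORG}/CN=${DOMAIN_CN}" \
            -key root-ca-key.pem -out root-ca.pem

        # Admin client certificate; the key is stored unencrypted in PKCS#8,
        # which is what the plugin reads.
        openssl genrsa -out admin-key-temp.pem 2048 2>/dev/null
        openssl pkcs8 -topk8 -nocrypt -in admin-key-temp.pem -out admin-key.pem
        openssl req -new -subj "/C=RU/ST=Moscow/O=${ORG}/CN=${DOMAIN_CN}/CN=admin" \
            -key admin-key.pem -out admin.csr
        openssl x509 -req -sha256 -days 30 -in admin.csr -CA root-ca.pem \
            -CAkey root-ca-key.pem -CAcreateserial -out admin.pem 2>/dev/null

        # Node certificate. The SAN goes in an -extfile because x509 -req
        # ignores CSR extensions by default; with an EKU present the plugin
        # wants both serverAuth and clientAuth on node certificates.
        openssl genrsa -out "${NODENAME}-key-temp.pem" 2048 2>/dev/null
        openssl pkcs8 -topk8 -nocrypt -in "${NODENAME}-key-temp.pem" \
            -out "${NODENAME}-key.pem"
        openssl req -new -subj "/C=RU/ST=Moscow/O=${ORG}/CN=${NODENAME}.${DOMAIN_CN}" \
            -key "${NODENAME}-key.pem" -out "${NODENAME}.csr"
        printf '%s\n' "subjectAltName = DNS:${NODENAME}.${DOMAIN_CN}" \
            'extendedKeyUsage = serverAuth,clientAuth' > node.ext
        openssl x509 -req -sha256 -days 30 -in "${NODENAME}.csr" -CA root-ca.pem \
            -CAkey root-ca-key.pem -CAcreateserial -extfile node.ext \
            -out "${NODENAME}.pem" 2>/dev/null
    )
}

# Subject DN of certificate $1 as nodes_dn / admin_dn want it: RFC 2253
# order (leaf RDN first), comma-separated, no spaces after the commas.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Both leaf certificates must chain to the root in $1 and the node
# certificate must carry the DNS SAN. Returns 0 when everything holds.
verify_pki() {
    openssl verify -CAfile "$1/root-ca.pem" "$1/admin.pem" "$1/${NODENAME}.pem" >/dev/null &&
    openssl x509 -in "$1/${NODENAME}.pem" -noout -text | grep -qF "DNS:${NODENAME}.${DOMAIN_CN}"
}

main() {
    work=$(mktemp -d)
    make_pki "$work"
    verify_pki "$work" && echo "chain and SAN verified"
    echo "nodes_dn entry:  $(cert_dn "$work/${NODENAME}.pem")"
    echo "admin_dn entry:  $(cert_dn "$work/admin.pem")"
    rm -rf "$work"
}

# Run the demo only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh pki-check.sh --run` (any file name; assumed here) and paste the two printed entries into elasticsearch.yml; the same `cert_dn` call on a certificate you issued by hand shows whether its DN matches what the plugin is configured to trust.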
Changing the passwords of the internal users
- Using the following command (OD_SEC must already point to the plugin folder, /usr/share/elasticsearch/plugins/opendistro_security/, as set in the last section), print the password hash to the console:
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the firewall in the OS
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- View the active rules:
firewall-cmd --list-all
Applying all changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that will update the passwords and check the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[IP/hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
That's it; this is the minimal setup that protects Elasticsearch from unauthorized connections.
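The final check above can be made a little stricter. The script below is an added example, not code from the original article: it validates the node's certificate against our own root-ca.pem instead of skipping validation with `--insecure`, confirms that an anonymous request is refused with 401 while the admin user gets 200, and parses the `_cat/nodes?v` output to report any node that is expected in the cluster but missing, which is the usual symptom when one node's SSL settings do not match the others. The host name, CA path and admin password are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: checks to run after
# securityadmin.sh has applied the configuration.
ES_HOST="${ES_HOST:-node-01.example.com}"            # assumed placeholder
ES_CA="${ES_CA:-/etc/elasticsearch/root-ca.pem}"     # root CA from the steps above

# HTTP status of a request to the node. $1 is the path; any further arguments
# are passed to curl (for example -u admin:password). Validating the server
# certificate against our own CA replaces the --insecure flag.
es_status() {
    path=$1
    shift
    curl -s -o /dev/null -w '%{http_code}' --cacert "$ES_CA" "$@" \
        "https://${ES_HOST}:9200${path}"
}

# Anonymous requests must be refused (401) and the admin user must get in (200).
# $1 is the admin password.
check_auth() {
    anon=$(es_status /_cat/nodes)
    auth=$(es_status /_cat/nodes -u "admin:$1")
    [ "$anon" = "401" ] || { echo "FAIL: anonymous request returned $anon, expected 401"; return 1; }
    [ "$auth" = "200" ] || { echo "FAIL: admin request returned $auth, expected 200"; return 1; }
    echo "OK: anonymous=401 admin=200"
}

# Read `_cat/nodes?v` output on stdin and print every expected node name that
# is absent. $1 is a space-separated list of expected names. Returns 1 if any
# node is missing, 0 when the whole cluster has come back after the change.
nodes_missing() {
    seen=$(awk 'NR > 1 { print $NF }')   # line 1 is the header; name is the last column
    rc=0
    for n in $1; do
        if ! printf '%s\n' "$seen" | grep -qxF "$n"; then
            echo "missing: $n"
            rc=1
        fi
    done
    return $rc
}

# Typical run (ADMIN_PASSWORD is the password set in internal_users.yml):
#   check_auth "$ADMIN_PASSWORD" &&
#   curl -s --cacert "$ES_CA" -u "admin:$ADMIN_PASSWORD" \
#       "https://${ES_HOST}:9200/_cat/nodes?v" | nodes_missing "node-01 node-02"
```

A node that is missing from the list while its service is running usually has a certificate whose DN is not in `nodes_dn` on the other nodes, or a transport layer still configured without SSL; the plugin's log on that node names the rejected DN.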
Source: www.habr.com