How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In many cases, personal data was stored in the database. These leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about them.

Let us note right away that in our own practice we use Elasticsearch to store logs and to analyze the logs of information security tools, the OS and the software on our IaaS platform, which meets the requirements of 152-FZ, Cloud-152.

Checking whether the database "sticks out" onto the Internet

In most of the known leak cases (here, here), the attacker gained access to the data simply and without effort: the database was published on the Internet, and it was possible to connect to it without authentication.

First, let's deal with publication on the Internet. Why does it happen? For more flexible operation of Elasticsearch it is recommended to create a cluster of three servers. For the databases to communicate with each other, you need to open ports. As a result, administrators do not restrict access to the database in any way, and it can be reached from anywhere. It is easy to check whether the database is accessible from outside. Just enter this in a browser: http://[Elasticsearch IP/name]:9200/_cat/nodes?v

If you can get in, hurry to close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is available only in the paid X-Pack plugin set (1 month of free use).

The good news is that in the fall of 2019 Amazon opened up its own developments, which overlap with X-Pack. Authentication on connecting to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

This plugin is easy to install. Go to the server console and connect the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security

DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up communication between the servers over SSL

Installing the plugin changes the configuration of the port used to connect to the database: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure the communication between them to use SSL.

Trust between the hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be configured again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem

  4. Create an administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr

  6. Create an administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
        -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create a key for the Elasticsearch node certificate:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
        -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
        -sha256 -out ${NODENAME}.pem

  10. Place the certificates on the Elasticsearch nodes in the following folder:

    /etc/elasticsearch/

    The following files are needed:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Edit /etc/elasticsearch/elasticsearch.yml: change the file names to those of the certificates we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
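
A check worth running once the certificates and the configuration file are in place, given here as an added example that is not part of the original article: it confirms that a certificate chains to root-ca.pem and that its subject, printed in RFC 2253 order, is listed verbatim under admin_dn or nodes_dn. The helper names (cert_dn, chain_ok, dn_listed, make_fixture) and the throwaway 2048-bit fixture are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article); the fixture below is constructed data.

# Print a certificate subject in RFC 2253 order, the order admin_dn/nodes_dn use.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if the certificate chains to the given root CA.
chain_ok() {  # usage: chain_ok <root-ca.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the DN appears, character for character, as a list entry
# under the given top-level key of elasticsearch.yml.
dn_listed() {  # usage: dn_listed <elasticsearch.yml> <key> <dn>
    KEY="$2:" DN="$3" awk '
        $0 ~ /^[^ \t#-]/ { inlist = ($1 == ENVIRON["KEY"]); next }
        inlist && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]+$/, "")
            gsub(/^"|"$/, "")
            if ($0 == ENVIRON["DN"]) found = 1
        }
        END { exit !found }' "$1"
}

# Build a throwaway CA, an admin certificate and a matching config fragment.
make_fixture() {  # usage: make_fixture <empty-dir>
    ( cd "$1" || exit 1
      openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
      openssl req -new -x509 -sha256 -days 1 -key root-ca-key.pem -out root-ca.pem \
          -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com"
      openssl genrsa -out admin-key.pem 2048 2>/dev/null
      openssl req -new -key admin-key.pem -out admin.csr \
          -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin"
      openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
          -CAcreateserial -sha256 -days 1 -out admin.pem 2>/dev/null
      printf '%s\n' 'opendistro_security.authcz.admin_dn:' \
          '  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU' \
          'opendistro_security.nodes_dn:' \
          '  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU' > elasticsearch.yml )
}
```

On a real node the same check is `dn_listed /etc/elasticsearch/elasticsearch.yml opendistro_security.authcz.admin_dn "$(cert_dn /etc/elasticsearch/admin.pem)"`; a DN written in the order of the -subj argument (C=RU first) does not match.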

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (OD_SEC is the path to the plugin folder, set in the last section):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in this file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Setting up a firewall in the OS

  1. Enable the firewall at startup:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone=work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Display the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and checks the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
        -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
        -cert /etc/elasticsearch/admin.pem \
        -key /etc/elasticsearch/admin-key.pem

  3. Check whether the changes have been applied:

    curl -XGET "https://[Elasticsearch IP/name]:9200/_cat/nodes?v" -u "admin:[password]" --insecure
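
The browser check from the first section and the final check above can be combined into one repeatable test of what a client without credentials sees on port 9200. This is an added example, not part of the original article; the function names and verdict strings are assumptions, and it is meant to be run against nodes you administer.

```shell
#!/bin/sh
# Added example (not from the article): what does an unauthenticated client get?

# Map curl's exit status and the HTTP status code to a verdict line.
classify() {  # usage: classify <scheme> <curl_exit> <http_code>
    if [ "$2" -ne 0 ]; then echo "$1: no-answer"; return 0; fi
    case "$3" in
        200)     echo "$1: OPEN-without-authentication" ;;
        401|403) echo "$1: authentication-required" ;;
        *)       echo "$1: unexpected-http-$3" ;;
    esac
}

# Probe one node over plain HTTP and over TLS, sending no credentials.
probe_node() {  # usage: probe_node <host> [port]
    for scheme in http https; do
        rc=0
        # --insecure only skips chain validation, so a self-signed node
        # certificate does not hide the HTTP status we are after.
        code=$(curl --silent --insecure --max-time 5 --output /dev/null \
                    --write-out '%{http_code}' \
                    "$scheme://$1:${2:-9200}/_cat/nodes?v") || rc=$?
        classify "$scheme" "$rc" "$code"
    done
}

# Read probe_node output on stdin; succeed only if nothing is open.
is_closed() {
    ! grep -q 'OPEN-without-authentication'
}
```

After the hardening steps, `probe_node node-01.example.com | is_closed` should succeed from a host outside the cluster, with the https line reporting that authentication is required.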

These are all the minimum settings that protect Elasticsearch from unauthorized connections.

Source: www.habr.com