Over the past year there have been many leaks from databases
Let us note right away that in our practice we use Elasticsearch to store logs and to analyze the logs of information security tools, the OS and the software in our IaaS platform, which meets the requirements of 152-FZ, Cloud-152.
Checking whether the database "sticks out" onto the Internet
In most of the known leak cases (
First, let's deal with publication on the Internet. Why does this happen? The point is that for more flexible operation of Elasticsearch
If you can get in, hurry to close it.
Protecting the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (1 month of free use).
The good news is that in the fall of 2019 Amazon opened up its own developments, which overlap with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and add the repository:
RPM based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up communication between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure the communication between them to use SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the full domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be reconfigured.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create an administrator key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create an administrator certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create a certificate for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
Files needed: node-01-key.pem, node-01.pem, admin-key.pem, admin.pem, root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, changing the certificate file names to the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
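To confirm that a certificate chains to root-ca.pem and that its subject is exactly the DN written under admin_dn or nodes_dn, the following check can be run before restarting the nodes. It is an added example, not part of the original article: the function names and the scratch PKI (2048-bit throwaway keys, one-day validity) are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample PKI are constructed for illustration.

# Print a certificate subject in RFC 2253 order (most specific RDN first),
# which is the order used for admin_dn / nodes_dn in elasticsearch.yml.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_cert CA_FILE CERT_FILE EXPECTED_DN
# returns 0 if CERT_FILE chains to CA_FILE and its subject equals EXPECTED_DN,
# 1 on a chain failure, 2 on a DN mismatch.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL chain: $2 is not signed by $1"; return 1; }
    actual=$(cert_dn "$2")
    [ "$actual" = "$3" ] ||
        { echo "FAIL dn: $2 has '$actual', config expects '$3'"; return 2; }
    echo "OK: $2"
}

# Build a throwaway PKI in a scratch directory and print its path.
# 2048-bit keys and 1-day validity keep the sample quick; other-ca.pem is an
# unrelated CA used only to show the chain failure.
make_sample_pki() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com" \
            -keyout root-ca-key.pem -out root-ca.pem &&
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin" \
            -keyout admin-key.pem -out admin.csr &&
        openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
            -CAcreateserial -sha256 -days 1 -out admin.pem &&
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=other-ca" -keyout other-key.pem -out other-ca.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}
```

Against the real files the call is check_cert /etc/elasticsearch/root-ca.pem /etc/elasticsearch/admin.pem "CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU". A DN written in the order of the -subj argument (C=RU first) is reported as a mismatch.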
Changing the passwords of the internal users
- Using the command below, print the password hash to the console (OD_SEC is the plugin path variable set in the last section):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the following file with the one you obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Setting up a firewall in the OS
- Allow the firewall to start at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone=work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Display the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that updates the passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET "https://[Elasticsearch IP/name]:9200/_cat/nodes?v" -u admin:[password] --insecure
These are all the minimum settings that protect Elasticsearch from unauthorized connections.
Source: www.habr.com