Over the past year there have been many leaks from databases
Let us note right away that in our own practice we use Elasticsearch to store and analyze the logs of information security tools, operating systems and applications in our IaaS platform, Cloud-152, which complies with the requirements of 152-FZ.
Checking whether the database is exposed to the Internet
In most of the known leak cases (
First, let's deal with exposure on the Internet. Why does it happen? The point is that for the simplest operation of Elasticsearch
If you can get in, hurry up and close it off.
Protecting the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin bundle (free to use for 1 month).
The good news is that in autumn 2019 Amazon open-sourced its own development, which overlaps with X-Pack. The authentication function for connections to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and connect the repository:
For RPM:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
For DEB:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up SSL between the cluster servers
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure the communication between them over SSL as well.
Trust between hosts can be established with or without your own certificate authority. The first method is straightforward: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Create the private key of the root CA:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request (no trailing space after "admin": the subject must match the admin_dn entry below exactly):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the Elasticsearch node certificates:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create the signing request (-addext requires OpenSSL 1.1.1 or newer):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Put the certificates for the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
The files we need: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem
- Edit /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
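The admin_dn and nodes_dn entries above are the certificate subjects written in RFC 2253 form (RDNs reversed, comma-separated, commas and a few other characters escaped), which is the opposite of the slash-separated -subj form given to openssl; a mismatch here is the usual reason securityadmin.sh rejects the admin certificate. The helper below, an added example that is not part of the original article, derives those two settings from the -subj strings; DOMAIN_CN and NODENAME are the same assumed values the export commands use.

```python
import re

# Assumed values, the same ones the export commands above use.
DOMAIN_CN = "example.com"
NODENAME = "node-01"

# Characters that RFC 2253 section 2.4 requires to be escaped inside a value.
_SPECIAL = ',+"\\<>;'


def _escape_rfc2253(value: str) -> str:
    """Escape one attribute value for the comma-separated RFC 2253 form."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def openssl_subj_to_rfc2253(subj: str) -> str:
    """Convert an OpenSSL -subj string ('/C=RU/ST=Moscow/.../CN=admin') into
    the reversed, comma-separated DN that admin_dn / nodes_dn must contain."""
    if not subj.startswith("/"):
        raise ValueError("an OpenSSL -subj string starts with '/'")
    # Split on '/' unless OpenSSL-escaped as '\/'. Values are kept verbatim, so a
    # stray space ('CN=admin ') shows up as 'CN=admin\ ' instead of silently
    # producing a DN that the plugin will never match.
    rdns = [r.replace("\\/", "/") for r in re.split(r"(?<!\\)/", subj[1:])]
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append(f"{attr.strip()}={_escape_rfc2253(value)}")
    return ",".join(reversed(pairs))


def security_dn_settings(admin_subj: str, node_subj: str) -> str:
    """Render the two elasticsearch.yml settings for the given subjects."""
    return (
        "opendistro_security.authcz.admin_dn:\n"
        f"  - {openssl_subj_to_rfc2253(admin_subj)}\n"
        "opendistro_security.nodes_dn:\n"
        f"  - {openssl_subj_to_rfc2253(node_subj)}\n"
    )


if __name__ == "__main__":
    admin = f"/C=RU/ST=Moscow/O=Moscow Inc./CN={DOMAIN_CN}/CN=admin"
    node = f"/C=RU/ST=Moscow/O=Moscow Inc./CN={NODENAME}.{DOMAIN_CN}"
    print(security_dn_settings(admin, node))
```

Note that the root CA subject above uses "O=Moscow, Inc." with a comma; if such a subject ever has to be listed in nodes_dn, the comma must be escaped as shown by the helper.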
Changing the passwords of the internal users
- Using the command below, generate a password hash in the console (OD_SEC is the plugin path variable exported in the last section):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one just generated:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Setting up the OS firewall
- Enable the firewall at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Here are the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that will update the passwords and check the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
That's it; this is the minimum set of settings that protects Elasticsearch from unauthorized connections.
Source: mapenzi.com