How do you harden Elasticsearch?
Published: 2019-06-26


Elasticsearch 2.4.6 security hardening

Security is never something to think about only after an incident; it is arguably the single most important concern. Technical directors, operations directors, architects and front-line engineers alike should all have a security mindset.

Elasticsearch has more and more users, and for some companies it has already become a core infrastructure service, which makes the security of its data all the more important.

Resource download:


1. Base environment

1.1 Environment description

OS: CentOS 7.3
Elasticsearch: 2.4.6
192.168.2.142  master node
192.168.2.144  data node

1.2 Install Elasticsearch

Download the package, unpack it and install it under /usr/share/elasticsearch.

# cd /opt/
# unzip elasticsearch-2.4.6.zip
Archive:  elasticsearch-2.4.6.zip
  inflating: elasticsearch-2.4.6.rpm
# rpm -ivh elasticsearch-2.4.6.rpm
warning: elasticsearch-2.4.6.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Updating / installing...
   1:elasticsearch-2.4.6-1            ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

Installation directory: /usr/share/elasticsearch

2. Install the security plugin

2.1 Install the compiled plugin

The plugin has already been compiled; simply upload the archive and unzip it.

# mkdir -p /usr/share/elasticsearch/config/
# cd /usr/share/elasticsearch/plugins
# unzip plugins.zip
# remove the archive after unpacking
# rm -rf plugins.zip
# edit the config file so the node is reachable
# vim /etc/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
# save and exit


2.2 Install base packages

# yum install -y gcc gcc+ zlib*
# yum install openssl-devel

2.3 Install the toolkit

Download the source package:

# cd /usr/share/elasticsearch
# unzip search-guard-ssl-2.4.6.zip

2.4 Modify the default configuration

# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts/
Edit the script: vim example.sh

#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh elastic elastic
./gen_node_cert.sh 1 elastic elastic
./gen_node_cert.sh 2 elastic elastic
./gen_node_cert.sh 3 elastic elastic
./gen_client_node_cert.sh admin elastic elastic
# save and exit

# chmod 777 *.sh
# sh example.sh

Parameter description:
./gen_root_ca.sh elastic elastic
  first argument:  CA_PASS, the CA (root certificate) password
  second argument: TS_PASS, the truststore password
./gen_node_cert.sh 1 elastic elastic
  first argument:  node number; the generated files are named node-1*
  second argument: KS_PASS (keystore file password)
  third argument:  CA_PASS
./gen_client_node_cert.sh admin elastic elastic
  first argument:  client node name; the generated files are named admin*
  second argument: KS_PASS
  third argument:  CA_PASS
Add one ./gen_node_cert.sh line for every node in the cluster.

sh example.sh
Generating a 2048 bit RSA private key
....................................................................+++
........................................+++
writing new private key to 'ca/root-ca/private/root-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  8 02:20:51 2018 GMT
            Not After : May  7 02:20:51 2028 GMT
        Subject:
            domainComponent           = com
            domainComponent           = example
            organizationName          = Example Com Inc.
            organizationalUnitName    = Example Com Inc. Root CA
            commonName                = Example Com Inc. Root CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
            X509v3 Authority Key Identifier:
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May  7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Root CA generated
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to 'ca/signing-ca/private/signing-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: May  8 02:20:51 2018 GMT
            Not After : May  7 02:20:51 2028 GMT
        Subject:
            domainComponent           = com
            domainComponent           = example
            organizationName          = Example Com Inc.
            organizationalUnitName    = Example Com Inc. Signing CA
            commonName                = Example Com Inc. Signing CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                9F:10:46:5C:96:22:76:FB:4A:97:E3:D2:03:D4:E5:6B:52:24:93:E1
            X509v3 Authority Key Identifier:
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
Certificate is to be certified until May  7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Import back to keystore (including CA chain)
Certificate reply was installed in keystore
Entry for alias admin successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
MAC verified OK
All done for admin


2.5 Copy the keystores into config

# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts
# cp truststore.jks node-1-keystore.jks /usr/share/elasticsearch/config/
# cp truststore.jks admin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

3. Modify permissions

3.1 Modify the configuration files and their permissions

# cd /usr/share/elasticsearch
# chmod -R 777 ./plugins/search-guard-2/tools/sgadmin.sh
# cd plugins/search-guard-2/
# chmod -R 777 tools/

3.2 Add the password hash

# cd /usr/share/elasticsearch/plugins/search-guard-2/tools
# ./hash.sh -p vrv123456.
$2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
# cd /usr/share/elasticsearch
# vim plugins/search-guard-2/sgconfig/sg_internal_users.yml

Copy the hash string into the password field of the matching user in sg_internal_users.yml. Below the hash, leave a reminder of the original password in case you forget it one day.

elastic:
  hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
  #password is: vrv123456.


3.3 Create the directories and grant permissions

# cd /usr/share/elasticsearch
# mkdir -p data
# mkdir -p logs
# chmod 777 * logs
# chmod 777 * data

3.4 Modify user permissions

# vim /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
# map the users to the role
sg_all_access:
  users:
    - admin
    - adm
    - elastic


3.5 Modify the configuration file elasticsearch.yml

Remember to keep a backup of the original file.

# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
node.name: node-1
node.master: true
# path.data: /usr/share/elasticsearch/data
#
# Path to log files:
# path.logs: /usr/share/elasticsearch/logs
# add the following
#-------------------search guard config--------------------------
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=admin, OU=client, O=client, L=Test, C=DE"
#-------------------search guard ssl----------------------------------------
#------------------------transport layer SSL------------------------------------
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: elastic
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: elastic
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true       # when true the browser cannot connect either; set to false for testing
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.keystore_password: elastic
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: elastic
searchguard.allow_all_from_loopback: true
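As an added example that is not part of the original post: a small POSIX shell audit that reads an elasticsearch.yml and flags the settings from this section that weaken the setup (hostname verification off, allow_all_from_loopback, Java security manager disabled, action.destructive_requires_name from section 6.2 missing, default cluster name from section 6.1). The checklist and the constructed sample config are my own, not Search Guard's.

```shell
#!/bin/sh
# Added example (not from the original post): audit an elasticsearch.yml for the network and
# Search Guard 2.x settings this guide edits and flag risky values. My checklist; POSIX sh + awk.

# Print the last uncommented "key: value" for key $2 in file $1 (empty if unset).
es_get() {
    awk -v k="$2" '/^[ \t]*#/ { next }
        { l = $0; sub(/[ \t]*#.*$/, "", l) }
        index(l, k ":") == 1 { v = substr(l, length(k) + 2); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { if (val != "") print val }' "$1"
}

flag() { echo "FINDING: $1"; n=$((n + 1)); }

# One finding per line on stdout; exit status = number of findings (0 = clean).
es_audit() {
    f=$1; n=0
    [ "$(es_get "$f" network.host)" = "0.0.0.0" ] && \
        [ "$(es_get "$f" searchguard.ssl.http.enabled)" != "true" ] && \
        flag "REST API (9200) on all interfaces without TLS"
    [ "$(es_get "$f" searchguard.ssl.transport.enabled)" = "true" ] || \
        flag "node-to-node transport (9300) not encrypted"
    [ "$(es_get "$f" searchguard.ssl.transport.enforce_hostname_verification)" = "true" ] || \
        flag "hostname verification disabled for transport TLS"
    [ "$(es_get "$f" searchguard.allow_all_from_loopback)" = "true" ] && \
        flag "unauthenticated access allowed from loopback"
    [ "$(es_get "$f" security.manager.enabled)" = "false" ] && \
        flag "Java security manager disabled"
    [ "$(es_get "$f" action.destructive_requires_name)" = "true" ] || \
        flag "wildcard / _all index deletion allowed (section 6.2)"
    [ "$(es_get "$f" cluster.name)" = "elasticsearch" ] && \
        flag "default cluster name still in use (section 6.1)"
    return $n
}

# Constructed sample mirroring the section 3.5 settings (not the post's real file).
write_sample() {
    cat > "$1" <<'EOF'
cluster.name: ceshi
network.host: 0.0.0.0
security.manager.enabled: false
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true       # set to false only for browser testing
searchguard.allow_all_from_loopback: true
EOF
}

# Usage: sh es_audit.sh /etc/elasticsearch/elasticsearch.yml
[ $# -eq 1 ] && { es_audit "$1" || echo "$? finding(s)"; }
```

Run against the sample above it reports four findings; the two TLS-on checks pass because section 3.5 enables both transport and HTTP SSL.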

4. Verify the node

4.1 Initialize security

cd /usr/share/elasticsearch/
./plugins/search-guard-2/tools/sgadmin.sh \
  -cd plugins/search-guard-2/sgconfig/ \
  -ks config/node-1-keystore.jks \
  -ts config/truststore.jks \
  -kspass elastic \
  -tspass elastic \
  -cn elasticsearch \
  -h 192.168.2.142 \
  -nhnv


4.2 Start Elasticsearch

# su - elasticsearch
# cd /usr/share/elasticsearch/bin
# ./elasticsearch -d

4.3 Verify


Enter the username: elastic and password: vrv123456.


5. Multi-node verification

5.1 Copy the Elasticsearch installation to the other machine

On the 142 server, copy the installation over to 144:
# cd /usr/share/
# scp -r elasticsearch/ root@192.168.2.144:/usr/share/

5.2 Copy the files into the config directory

Run on the 144 server:
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/
# cd example-pki-scripts/
# chmod 777 *
# cp -rf node-2-keystore.jks truststore.jks /usr/share/elasticsearch/config/
cp: overwrite ‘/usr/share/elasticsearch/config/truststore.jks’?

5.3 Grant file permissions

# cd /usr/share/elasticsearch/config
# chmod 777 *

5.4 Modify the configuration file

# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
Change the following:
node.name: node-2  # this node
node.master: false
searchguard.ssl.transport.keystore_filepath: node-2-keystore.jks    # per-node keystore; different on every node
searchguard.ssl.http.keystore_filepath: node-2-keystore.jks
# everything else stays unchanged
:wq! to save and exit

5.5 Add the user

# useradd elasticsearch
# cd /usr/share/elasticsearch/
# chown elasticsearch:elasticsearch plugins/

5.6 Delete the cached data files

# cd /usr/share/elasticsearch/
# rm -rf data/*

5.7 Start the service

# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d

5.8 Verify

Enter the username: elastic and password: vrv123456.

6. Security hardening

6.1 Change the default cluster name

vim /usr/share/elasticsearch/config/elasticsearch.yml
cluster.name: ceshi   # changed cluster name

6.2 Disable bulk deletion

Elasticsearch allows indices to be deleted in bulk via _all and wildcards (*). Set action.destructive_requires_name: true to disable this.


6.3 Do not run as root

# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d

Remember: never run Elasticsearch as root. Also, do not share its user account with other services, and give that user the minimum privileges it needs.

6.4 Enable the firewall

#!/bin/bash
yum install iptables-services
systemctl enable iptables.service
cat> /etc/sysconfig/iptables<
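Since the rules file itself is not shown here, the following is an added example of my own (not the post's script) that generates an /etc/sysconfig/iptables ruleset for one node: default DROP, SSH only from an admin host, port 9200 only from named clients, port 9300 only from cluster peers, and rate-limited logging of everything dropped so scans show up in the system log. 192.168.2.142/144 are the guide's lab nodes; the admin-host and client addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore ruleset that
# exposes only what an Elasticsearch node needs. Admin/client IPs are assumed values.

# es_fw_rules ADMIN_HOST "PEER_IP ..." "CLIENT_IP ..."  -> ruleset on stdout
es_fw_rules() {
    admin=$1; peers=$2; clients=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SSH from the admin host only (summary point 2: no password logins from anywhere)
    echo "-A INPUT -p tcp -s $admin --dport 22 -j ACCEPT"
    # transport port 9300: cluster peers only, never clients
    for ip in $peers; do
        echo "-A INPUT -p tcp -s $ip --dport 9300 -j ACCEPT"
    done
    # REST port 9200: named clients only
    for ip in $clients; do
        echo "-A INPUT -p tcp -s $ip --dport 9200 -j ACCEPT"
    done
    # log what gets dropped (rate limited) so port scans are visible in /var/log/messages
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ES-FW-DROP: "'
    echo 'COMMIT'
}

# Number of rules that open PORT ($5) to SOURCE ($4); handy for reviewing a ruleset.
es_fw_allows() { es_fw_rules "$1" "$2" "$3" | grep -c -- "-s $4 --dport $5 -j ACCEPT"; }

# Master node 192.168.2.142 with peer 192.168.2.144 and an assumed admin/client host:
#   es_fw_rules 192.168.2.10 "192.168.2.144" "192.168.2.10" > /etc/sysconfig/iptables
#   systemctl restart iptables.service
```

After loading the rules, scan the node from an unlisted host (summary point 1) and confirm that only the expected ports answer and that the drops appear in the log.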

7. Summary

1. First, enable the firewall and configure its rules to open only the ports that are strictly required. Afterwards, scan the server with a port scanner to check which ports are actually exposed.

2. If at all possible, do not log in to the server remotely with passwords; use public/private key SSH authentication instead. If passwords are unavoidable, guard your username and password carefully, disable the root user, and never use weak passwords.
3. Keep an eye on the latest Java vulnerabilities and run on a secure JVM.
4. Keep the server's software up to date and use trusted repository sources. Pin the repository host name to its IP to avoid the consequences of DNS poisoning, watch for vulnerabilities in server software, and patch promptly.
5. Collect system logs and install suitable detection software so that abnormal behaviour on the server is noticed promptly.

8. References

9. Coming next

This hands-on walkthrough ends here. A hands-on guide to Knox security configuration will follow.

Reposted from: http://sbofl.baihongyu.com/
