ElasticSearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTful web接口。Elasticsearch是用Java开发的,并作为Apache许可条款下的开放源码发布,是当前流行的企业级搜索引擎。Elasticsearch的增删改查操作全部由http接口完成。由于Elasticsearch授权模块需要付费,所以免费开源的Elasticsearch可能存在未授权访问漏洞。Elasticsearch服务普遍存在一个未授权访问的问题,攻击者通常可以请求一个开放9200或9300的服务器进行恶意攻击
场景一:全部“裸奔”,相信这在国内占据了非常大的比重。 内网部署,不对外提供服务。或者ES作为业务基础支撑,不公网开放9200等常用端口,开放的是业务的服务端口。 可能暴露问题:公司或团队内部开放9200、5601端口,基本head插件、kibana都能连接,极易导致线上索引或数据可能被误删。
场景二:加了简单防护。 一般使用Nginx身份认证+防火墙策略控制。
场景三:整合使用了第三方安全认证方案。 比如:SearchGuard、ReadonlyREST。
场景四:付费购买了Elastic-Xpack黄金版或白金版服务。
参数说明: xpack.security.enabled:表示开启xpack认证机制。 xpack.security.transport.ssl.enabled:这条如果不配,es将起不来,会报如下错误: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
配置完成,重启ES
ES中内置了几个管理其他集成组件的账号即:apm_system, beats_system, elastic, kibana, logstash_system, remote_monitoring_user
$ /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. You will be prompted to enter passwords as the process progresses. Please confirm that you would like to continue [y/N]y Enter password for [elastic]: Reenter password for [elastic]: Enter password for [apm_system]: Reenter password for [apm_system]: Enter password for [kibana]: Reenter password for [kibana]: Enter password for [logstash_system]: Reenter password for [logstash_system]: Enter password for [beats_system]: Reenter password for [beats_system]: Enter password for [remote_monitoring_user]: Reenter password for [remote_monitoring_user]: Changed password for user [apm_system] Changed password for user [kibana] Changed password for user [logstash_system] Changed password for user [beats_system] Changed password for user [remote_monitoring_user] Changed password for user [elastic] 参数说明: interactive:自定义设置密码 auto:自动生成密码 可能出现报错如下: Failed to determine the health of the cluster running at http://192.168.3.42:9200 Unexpected response code [503] from calling GET http://192.168.3.42:9200/_cluster/health?pretty Cause: master_not_discovered_exception It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords. It is very likely that the password changes will fail when run against an unhealthy cluster. Do you want to continue with the password setup process [y/N]y解决:
可能是有脏数据导致,此时可以停掉es,删除 data 数据目录,然后重新启动在进行操作。 配置完毕之后,可以通过如下方式访问es服务:
curl -XGET -u elastic 'localhost:9200/_xpack/security/user?pretty' curl 127.0.0.1:9200 -u elastic开启了安全认证之后,kibana连接es以及访问es都需要认证 变更kibana的配置,一共有两种方法,一种明文的,一种密文的
明文配置 server.port: 5601 server.host: "0.0.0.0" server.name: "es-node1" elasticsearch.hosts: ["http://192.168.3.42:9200"] kibana.index: ".kibana" i18n.locale: "zh-CN" elasticsearch.username: "kibana" elasticsearch.password: "kibana_passwd" xpack.reporting.encryptionKey: "a_random_string" xpack.security.encryptionKey: "something_at_least_32_characters"参数说明: elasticsearch.username:连接es的用户名。 elasticsearch.password:连接es的密码。 xpack.reporting.encryptionKey:如果不添加这条配置,将会报错 Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml。 xpack.security.encryptionKey:如果不配置这条,将会报错 Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml。
密文配置(推荐) # 认证之前,需要首先将用户名密码保存到内置的ketstore里 /usr/share/kibana/bin/kibana-keystore --allow-root create /usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.username /usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.password # 修改配置 server.port: 5601 server.host: "0.0.0.0" server.name: "es-node1" elasticsearch.hosts: ["http://192.168.3.42:9200"] kibana.index: ".kibana" i18n.locale: "zh-CN" xpack.reporting.encryptionKey: "a_random_string" xpack.security.encryptionKey: "something_at_least_32_characters" # 重启kibana集群认证需要首先配置秘钥才行,否则在给内置用户创建秘钥的时候将会报错
配置证书 # 其中一个node节点执行即可,生成完证书传到集群其他节点 # 一路回车即可,不需要给秘钥再添加密码 /usr/share/elasticsearch/bin/elasticsearch-certutil ca /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # 证书创建完成之后,默认在es的数据目录,这里统一放到etc下: $ ls elastic-* elastic-certificates.p12 elastic-stack-ca.p12 mv elastic-* /etc/elasticsearch/ chown elasticsearch.elasticsearch elastic* # 两个证书文件拷贝到其他节点,作为通信依据 配置 # 三台机器配置文件如下: # 除了node.name使用各自主机名之外,其他配置都一样 cluster.name: test-search node.name: es-node-1 path.data: /data/elasticsearch/data path.logs: /data/elasticsearch/log network.host: 0.0.0.0 http.port: 9200 transport.tcp.port: 9300 discovery.seed_hosts: ["192.168.3.3:9300","192.168.3.4:9300","192.168.3.5:9300"] cluster.initial_master_nodes: ["192.168.3.3:9300","192.168.3.4:9300","192.168.3.5:9300"] xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12 # 重启es 创建内置账号添加密码 $ /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. You will be prompted to enter passwords as the process progresses. Please confirm that you would like to continue [y/N]y Enter password for [elastic]: Reenter password for [elastic]: Enter password for [apm_system]: Reenter password for [apm_system]: Enter password for [kibana]: Reenter password for [kibana]: Enter password for [logstash_system]: Reenter password for [logstash_system]: Enter password for [beats_system]: Reenter password for [beats_system]: Enter password for [remote_monitoring_user]: Reenter password for [remote_monitoring_user]: Changed password for user [apm_system] Changed password for user [kibana] Changed password for user [logstash_system] Changed password for user [beats_system] Changed password for user [remote_monitoring_user] Changed password for user [elastic] # 配置完毕之后,可以通过如下方式访问es服务: curl -XGET -u elastic 'localhost:9200/_xpack/security/user?pretty' curl 127.0.0.1:9200 -u elastic # 剩下的就是与上边的使用方式一致了,kibana的认证,logstash的认证等等。 # 其中kibana通过密文认证之后,配置如下: server.port: 5601 server.host: "0.0.0.0" server.name: "es-node3" elasticsearch.hosts: ["http://192.168.3.3:9208"] kibana.index: ".kibana" i18n.locale: "zh-CN"