
How to harden the security of Elasticsearch?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/03

Elasticsearch 3.4.6 security reinforcement

Security should never be something you pay attention to only after an incident; it is the first priority. Technical directors, operations directors, architects and front-line engineers should all have security awareness.

Elasticsearch has more and more users, and at some companies it has become a basic service, so the security of its data matters all the more.

Resource download: http://down.51cto.com/data/2446746

1. Basic environment

1.1 Basic environment description

    System: CentOS 7.3
    Elasticsearch: 2.4.6
    192.168.2.142 master node
    192.168.2.144 node

1.2 Install Elasticsearch

Download the resource, unzip it and install it to /usr/share/elasticsearch

    # cd /opt/
    # unzip elasticsearch-2.4.6.zip
    Archive: elasticsearch-2.4.6.zip
      inflating: elasticsearch-2.4.6.rpm
    # rpm -ivh elasticsearch-2.4.6.rpm
    warning: elasticsearch-2.4.6.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
    Preparing... [100%]
    Creating elasticsearch group... OK
    Updating / installing...
       1:elasticsearch-2.4.6-1
    ### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
     sudo systemctl daemon-reload
     sudo systemctl enable elasticsearch.service
    ### You can start elasticsearch service by executing
     sudo systemctl start elasticsearch.service

Directory: /usr/share/elasticsearch

2. Install the security plug-in

2.1 Install the compiled plug-in

The plug-in has already been compiled. You can upload it and unzip it directly.

    # mkdir -p /usr/share/elasticsearch/config/
    # cd /usr/share/elasticsearch/plugins
    # unzip plugins.zip

Delete the archive after decompression:

    # rm -rf plugins.zip

Modify the configuration file to allow access, then save and exit:

    # vim /etc/elasticsearch/elasticsearch.yml
    network.host: 0.0.0.0

2.2 Basic package installation

    # yum install -y gcc gcc+ zlib*
    # yum install openssl-devel

2.3 Install the kit

Download the source package: http://down.51cto.com/6228054

    # cd /usr/share/elasticsearch
    # unzip search-guard-ssl-2.4.6.zip

2.4 Modify the default configuration

    # cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts/

Modify example.sh so that it reads as follows, then save and exit:

    # vim example.sh
    #!/bin/bash
    set -e
    ./clean.sh
    ./gen_root_ca.sh elastic elastic
    ./gen_node_cert.sh 1 elastic elastic
    ./gen_node_cert.sh 2 elastic elastic
    ./gen_node_cert.sh 3 elastic elastic
    ./gen_client_node_cert.sh admin elastic elastic

    # chmod 777 *.sh
    # sh example.sh

Parameter description:

    ./gen_root_ca.sh elastic elastic
        The first parameter is CA_PASS, the CA password (root certificate password). The second parameter is TS_PASS, the TS password (truststore, trust certificate password).
    ./gen_node_cert.sh 1 elastic elastic
        The first parameter is the node number; the generated certificate files are named node-1*. The second parameter is KS_PASS (keystore file password). The third parameter is CA_PASS.
    ./gen_client_node_cert.sh admin elastic elastic
        The first parameter is the client node name; the generated certificate files are named admin*. The second parameter is KS_PASS and the third parameter is CA_PASS.

Add one ./gen_node_cert.sh line for each node.

    # sh example.sh
    Generating a 2048 bit RSA private key
    .++
    ..++
    writing new private key to 'ca/root-ca/private/root-ca.key'
    -----
    Using configuration from etc/root-ca.conf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 8 02:20:51 2018 GMT
            Not After : May 7 02:20:51 2028 GMT
        Subject:
            domainComponent = com
            domainComponent = example
            organizationName = Example Com Inc.
            organizationalUnitName = Example Com Inc. Root CA
            commonName = Example Com Inc. Root CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
            X509v3 Authority Key Identifier:
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
    Certificate is to be certified until May 7 02:20:51 2028 GMT (3652 days)
    Write out database with 1 new entries
    Data Base Updated
    Root CA generated
    Generating a 2048 bit RSA private key
    ....+++
    .+++
    writing new private key to 'ca/signing-ca/private/signing-ca.key'
    -----
    Using configuration from etc/root-ca.conf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: May 8 02:20:51 2018 GMT
            Not After : May 7 02:20:51 2028 GMT
        Subject:
            domainComponent = com
            domainComponent = example
            organizationName = Example Com Inc.
            organizationalUnitName = Example Com Inc. Signing CA
            commonName = Example Com Inc. Signing CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                9F:10:46:5C:96:22:76:FB:4A:97:E3:D2:03:D4:E5:6B:52:24:93:E1
            X509v3 Authority Key Identifier:
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
    Certificate is to be certified until May 7 02:20:51 2028 GMT (3652 days)
    Write out database with 1 new entries
    Data Base Updated
    Import back to keystore (including CA chain)
    Certificate reply was installed in keystore
    Entry for alias admin successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
    MAC verified OK
    MAC verified OK
    MAC verified OK
    All done for admin

Copy the generated files into config:

    # cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts
    # cp truststore.jks node-1-keystore.jks /usr/share/elasticsearch/config/
    # cp truststore.jks admin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

3. Modify permissions

3.1 Modify configuration files and permissions

    # cd /usr/share/elasticsearch
    # chmod -R 777 ./plugins/search-guard-2/tools/sgadmin.sh
    # cd plugins/search-guard-2/
    # chmod -R 777 tools/

3.2 Add the hash value

    # cd /usr/share/elasticsearch/plugins/search-guard-2/tools
    # ./hash.sh -p vrv123456.
    $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
    # cd /usr/share/elasticsearch
    # vim plugins/search-guard-2/sgconfig/sg_internal_users.yml

Copy the string to the password location of the corresponding user in the sg_internal_users.yml file. Remember to note the original password below the hash, since there is no guarantee you will not forget it one day.

    elastic:
      hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
      # password is: vrv123456.

3.3 Create new folders and grant permissions

    # cd /usr/share/elasticsearch
    # mkdir -p data
    # mkdir -p logs
    # chmod 777 * logs
    # chmod 777 * data

3.4 Modify user rights

    # vim /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
    # add user rights
    sg_all_access:
      users:
        - admin
        - adm
        - elastic

3.5 Modify the configuration file elasticsearch.yml

Remember to keep a copy of the original file.

    # cd /usr/share/elasticsearch/config
    # vim elasticsearch.yml
    node.name: node-1
    node.master: true
    #
    path.data: /usr/share/elasticsearch/data
    #
    # Path to log files:
    #
    path.logs: /usr/share/elasticsearch/logs

Add:

    # ----- searchguard config -----
    security.manager.enabled: false
    searchguard.authcz.admin_dn:
      - "CN=admin, OU=client, O=client, L=Test, C=DE"
    # ----- search guard ssl -----
    # ----- transport layer SSL -----
    searchguard.ssl.transport.enabled: true
    searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
    searchguard.ssl.transport.keystore_password: elastic
    searchguard.ssl.transport.truststore_filepath: truststore.jks
    searchguard.ssl.transport.truststore_password: elastic
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.transport.resolve_hostname: false
    searchguard.ssl.http.enabled: true   # when set to true the browser cannot access it; change to false for testing
    searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
    searchguard.ssl.http.keystore_password: elastic
    searchguard.ssl.http.truststore_filepath: truststore.jks
    searchguard.ssl.http.truststore_password: elastic
    searchguard.allow_all_from_loopback: true

4. Verify the node

4.1 Initialize security

    # cd /usr/share/elasticsearch/
    # ./plugins/search-guard-2/tools/sgadmin.sh \
        -cd plugins/search-guard-2/sgconfig/ \
        -ks config/node-1-keystore.jks \
        -ts config/truststore.jks \
        -kspass elastic \
        -tspass elastic \
        -cn elasticsearch \
        -h 192.168.2.142 \
        -nhnv

4.2 Start Elasticsearch

    # su - elasticsearch
    # cd /usr/share/elasticsearch/bin
    # ./elasticsearch -d

4.3 Verification

http://192.168.2.142:9200/_plugin/kopf/#!/cluster

Enter user name: elastic password: vrv123456.

5. Multi-node verification

5.1 Copy the Elasticsearch program to the other machine

Log in to the 142 server and copy the program to 144.

5.2 Copy the files to the configuration directory

Execute on the 144 server:

    # cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/
    # cd example-pki-scripts/
    # chmod 777 *
    # cp -rf node-2-keystore.jks truststore.jks /usr/share/elasticsearch/config/
    cp: overwrite '/usr/share/elasticsearch/config/truststore.jks'?

5.3 Grant file permissions

    # cd /usr/share/elasticsearch/config
    # chmod 777 *

5.4 Modify the configuration file

    # cd /usr/share/elasticsearch/config
    # vim elasticsearch.yml

Modify the following content, leave the rest of the file unchanged, then save with :wq!

    node.name: node-2   # node name
    node.master: false
    searchguard.ssl.transport.keystore_filepath: node-2-keystore.jks   # node keystore file; each node is different
    searchguard.ssl.http.keystore_filepath: node-2-keystore.jks

5.5 Add user

    # useradd elasticsearch
    # cd /usr/share/elasticsearch/
    # chown elasticsearch:elasticsearch plugins/

5.6 Delete the data cache files

    # cd /usr/share/elasticsearch/
    # rm -rf data/*

5.6 Start the service

    # cd /usr/share/elasticsearch/bin
    # su elasticsearch
    $ ./elasticsearch -d

5.7 Verification

http://192.168.2.142:9200/_plugin/kopf/#!/cluster

http://192.168.2.144:9200/_plugin/kopf/#!/cluster

Enter user name: elastic password: vrv123456.

6. Security reinforcement

6.1 Modify the default name of the cluster

    # vim /usr/share/elasticsearch/config/elasticsearch.yml
    cluster.name: ceshi   # modified cluster name

6.2 Disable batch deletion

Elasticsearch supports batch deletion of indexes through _all (all) and the wildcard (*). Set action.destructive_requires_name: true to disable it.
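The settings touched in sections 3.5, 6.1 and 6.2 can be checked mechanically. The shell functions below are an added example, not part of the original article or of Search Guard; they assume a flat "key: value" elasticsearch.yml, and the sample file written by demo is constructed for illustration.

```shell
#!/bin/sh
# Added example: lint elasticsearch.yml for settings discussed on this page.
# Assumes flat "key: value" lines, as in the configuration shown above.

# Print the last value set for KEY in FILE, inline comments stripped.
yml_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Print one WARN line per finding; return 1 if anything was flagged.
lint_es_config() {
    f=$1; rc=0; sg=searchguard
    warn() { echo "WARN $1: $2"; rc=1; }
    if [ "$(yml_get "$f" network.host)" = "0.0.0.0" ]; then
        warn network.host "listens on every interface; needs the 6.4 firewall"
    fi
    name=$(yml_get "$f" cluster.name)
    if [ -z "$name" ] || [ "$name" = "elasticsearch" ]; then
        warn cluster.name "default cluster name in use (6.1)"
    fi
    if [ "$(yml_get "$f" action.destructive_requires_name)" != "true" ]; then
        warn action.destructive_requires_name "_all and * deletes allowed (6.2)"
    fi
    if [ "$(yml_get "$f" ${sg}.ssl.http.enabled)" != "true" ]; then
        warn ${sg}.ssl.http.enabled "REST traffic and passwords in clear text"
    fi
    k=${sg}.ssl.transport.enforce_hostname_verification
    if [ "$(yml_get "$f" $k)" = "false" ]; then
        warn $k "node certificates are not tied to hostnames"
    fi
    if [ "$(yml_get "$f" ${sg}.allow_all_from_loopback)" = "true" ]; then
        warn ${sg}.allow_all_from_loopback "loopback gets relaxed access checks"
    fi
    return $rc
}

# Constructed sample modelled on the settings shown on this page.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
network.host: 0.0.0.0
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false   # changed to false for browser testing
searchguard.allow_all_from_loopback: true
EOF
    lint_es_config "$tmp" && s=0 || s=$?
    rm -f "$tmp"; return $s
}
demo || true
```

Run lint_es_config against the real file on each node; a non-zero exit status means at least one of the six settings needs a decision.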

6.3 Do not run as root

    # cd /usr/share/elasticsearch/bin
    # su elasticsearch
    $ ./elasticsearch -d

Remember not to run Elasticsearch as root. In addition, do not share its user account with other services, and keep that account's permissions to the minimum it needs.
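Because the earlier steps apply chmod 777 to the tools, config, data and logs paths, a permission audit is a useful companion to this advice. The script below is an added example, not from the original article; the function names and the temporary directory layout are constructed, and the *.jks / *.yml patterns are an assumption about where keystores and password-bearing configuration live.

```shell
#!/bin/sh
# Added example: audit an Elasticsearch tree for over-broad permissions.

# Files and directories under DIR that any local user can modify.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Keystores and YAML config under DIR that "other" users can read.
# Assumption: secrets live in *.jks and *.yml, as in this walkthrough.
exposed_secrets() {
    find "$1" -type f \( -name '*.jks' -o -name '*.yml' \) -perm -0004 -print | sort
}

# Entries under DIR not owned by the service account USER.
foreign_owned() {
    find "$1" ! -user "$2" -print | sort
}

# Print one line per finding; return 1 if there are any.
audit_es_perms() {
    report=$(
        world_writable "$1" | sed 's/^/WORLD-WRITABLE /'
        exposed_secrets "$1" | sed 's/^/READABLE-BY-OTHERS /'
        foreign_owned "$1" "$2" | sed 's/^/WRONG-OWNER /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed scratch tree that reproduces the chmod 777 steps.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/data"
    : > "$root/config/node-1-keystore.jks"
    : > "$root/config/elasticsearch.yml"
    chmod 750 "$root/config"
    chmod 640 "$root/config/elasticsearch.yml"
    chmod 777 "$root/data" "$root/config/node-1-keystore.jks"
    echo "$root"
}

t=$(demo_tree)
audit_es_perms "$t" "$(id -un)" || echo "findings present"
rm -rf "$t"
```

On a real node, call audit_es_perms /usr/share/elasticsearch elasticsearch as root so that every path can be read.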

6.4 Enable the firewall

    #!/bin/bash
    yum install iptables-services
    systemctl enable iptables.service
    cat > /etc/sysconfig/iptables
