亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

elasticsearch如何安全加固?

發布時間:2020-07-20 14:42:35 來源:網絡 閱讀:12264 作者:cs312779641 欄目:大數據

elasticsearch3.4.6安全加固

安全從來不是等到出事才要注意的事情,可以說安全是第一重要的事情。技術總監、運維總監、架構師還是一線工程師,都應該有安全意識。
Elasticsearch 的用戶現在越來越多,有些更加已經成為公司的基礎服務,所以數據的安全更為重要。

資源下載:http://down.51cto.com/data/2446746

elasticsearch如何安全加固?

1.基礎環境

1.1基礎環境說明

系統:CentOS7.3
Elasticsearch:2.4.6
192.168.2.142  主節點
192.168.2.144  節點

1.2安裝Elasticsearch

下載資源然后解壓安裝到/usr/share/elasticsearch

# cd /opt/
# unzip elasticsearch-2.4.6.zip 
Archive:  elasticsearch-2.4.6.zip
  inflating: elasticsearch-2.4.6.rpm
# rpm -ivh elasticsearch-2.4.6.rpm
rpm -vih elasticsearch-2.4.6.rpm 
warning: elasticsearch-2.4.6.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Updating / installing...
   1:elasticsearch-2.4.6-1            ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

目錄:/usr/share/elasticsearch

2.安裝安全插件

2.1安裝編譯插件

插件已經編譯安裝完成,直接解壓上傳即可

# mkdir -p /usr/share/elasticsearch/config/
# cd /usr/share/elasticsearch/plugins
# unzip plugins.zip
#解壓后要刪除
# rm -rf plugins.zip

#修改配置文件訪問
# vim /etc/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
#保存退出

elasticsearch如何安全加固?
elasticsearch如何安全加固?

2.2基礎包安裝

#yum install -y gcc gcc+ zlib*
#yum install openssl-devel

2.3安裝工具包

下載源碼包:http://down.51cto.com/6228054

# cd /usr/share/elasticsearch
# unzip search-guard-ssl-2.4.6.zip

2.4修改默認配置

# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts/
修改vim example.sh
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh elastic elastic
./gen_node_cert.sh 1 elastic elastic
./gen_node_cert.sh 2 elastic elastic
./gen_node_cert.sh 3 elastic elastic
./gen_client_node_cert.sh admin elastic elastic
#保存并退出

# chmod 777 *.sh
# sh example.sh

#參數說明:
./gen_root_ca.sh elastic elastic
第一個參數為CA_PASS,即CA密碼(根證書密碼)
第二個參數為TS_PASS,即TS密碼(truststore,信任證書密碼)
./gen_node_cert.sh 1 elastic elastic
第一個參數為node編號,生成證書后的文件名為node-1*
第二個參數為KS_PASS(keystore文件密碼)
第三個參數為CA_PASS
./gen_client_node_cert.sh admin elastic elastic
第一個參數為客戶端節點名稱,生成證書后的文件名為admin*
第二個參數為KS_PASS
第三個參數為CA_PASS
#有幾個節點就添加幾個./gen_node_cert.sh 

sh example.sh 
Generating a 2048 bit RSA private key
....................................................................+++
........................................+++
writing new private key to 'ca/root-ca/private/root-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  8 02:20:51 2018 GMT
            Not After : May  7 02:20:51 2028 GMT
        Subject:
            domainComponent           = com
            domainComponent           = example
            organizationName          = Example Com Inc.
            organizationalUnitName    = Example Com Inc. Root CA
            commonName                = Example Com Inc. Root CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A
            X509v3 Authority Key Identifier: 
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A

Certificate is to be certified until May  7 02:20:51 2028 GMT (3652 days)

Write out database with 1 new entries
Data Base Updated
Root CA generated
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to 'ca/signing-ca/private/signing-ca.key'
-----
Using configuration from etc/root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: May  8 02:20:51 2018 GMT
            Not After : May  7 02:20:51 2028 GMT
        Subject:
            domainComponent           = com
            domainComponent           = example
            organizationName          = Example Com Inc.
            organizationalUnitName    = Example Com Inc. Signing CA
            commonName                = Example Com Inc. Signing CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                9F:10:46:5C:96:22:76:FB:4A:97:E3:D2:03:D4:E5:6B:52:24:93:E1
            X509v3 Authority Key Identifier: 
                keyid:15:D5:36:15:B1:9C:CF:26:3B:58:E1:C0:F5:DA:41:58:45:A4:55:9A

Certificate is to be certified until May  7 02:20:51 2028 GMT (3652 days)
Write out database with 1 new entries
Data Base Updated
Import back to keystore (including CA chain)
Certificate reply was installed in keystore
Entry for alias admin successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
MAC verified OK
All done for admin

elasticsearch如何安全加固?
elasticsearch如何安全加固?

2.5復制到config里面

#cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/example-pki-scripts
#cp truststore.jks node-1-keystore.jks /usr/share/elasticsearch/config/
#cp truststore.jks admin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

3.修改權限

3.1修改配置文件及權限

#cd /usr/share/elasticsearch
#chmod -R 777 ./plugins/search-guard-2/tools/sgadmin.sh
#cd plugins/search-guard-2/
#chmod -R 777 tools/

3.2添加hash值

# cd /usr/share/elasticsearch/plugins/search-guard-2/tools
# ./hash.sh  -p vrv123456.
$2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
# cd /usr/share/elasticsearch
vim plugins/search-guard-2/sgconfig/sg_internal_users.yml
將字符串復制到sg_internal_users.yml文件的對應用戶密碼位置,在密碼下面記得寫入原密碼的提示,難保你那天忘記了。
elastic:
  hash: $2a$12$GKyqoWHek3T505HTwIBPceIwZxROvDQnjEQSds1k2hT4D8rBZqdke
  #password is: vrv123456.

elasticsearch如何安全加固?

3.3新建文件夾并賦予權限

# cd /usr/share/elasticsearch
# mkdir -p data
# mkdir -p logs
# chmod 777 * logs
# chmod 777 * data

3.4修改用戶權限

# vim /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml 
 #添加用戶權限 
sg_all_access:
  users:
    - admin
    - adm
    - elastic

elasticsearch如何安全加固?

3.5修改配置文件elasticsearch.yml

記得把源文件保存

# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
node.name: node-1
node.master: true
#
 path.data: /usr/share/elasticsearch/data
#
# Path to log files:
#
 path.logs: /usr/share/elasticsearch/logs
#添加
#-------------------search guard config--------------------------
security.manager.enabled: false
searchguard.authcz.admin_dn: -"CN=admin, OU=client, O=client, L=Test, C=DE"

#-------------------search guard ssl----------------------------------------
#------------------------transport layer SSL------------------------------------
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: elastic
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: elastic
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true       #設置成true瀏覽器也無法訪問,測試請改為false
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.keystore_password: elastic
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: elastic
searchguard.allow_all_from_loopback: true

4.驗證節點

4.1初始化安全

cd /usr/share/elasticsearch/
./plugins/search-guard-2/tools/sgadmin.sh  \
-cd plugins/search-guard-2/sgconfig/ \
-ks config/node-1-keystore.jks \
-ts config/truststore.jks  \
-kspass elastic \
-tspass elastic \
-cn elasticsearch \
-h 192.168.2.142 \
-nhnv

elasticsearch如何安全加固?

4.2啟動elastic

# su - elasticsearch
# cd /usr/share/elasticsearch/bin
# ./elasticsearch -d

4.3驗證

http://192.168.2.142:9200/_plugin/kopf/#!/cluster
elasticsearch如何安全加固?

輸入用戶名:elastic 密碼:vrv123456.
elasticsearch如何安全加固?

5.多節點驗證

5.1 復制elastic程序到別的機器上

進入142服務器 把程序復制上傳到144上
# cd /usr/share/
# scp -r elasticsearch/ root@192.168.2.144:/usr/share/

5.2復制文件到配置目錄里

在144服務器上執行
# cd /usr/share/elasticsearch/search-guard-ssl-2.4.6/
# cd example-pki-scripts/
# chmod 777 *
# cp -rf node-2-keystore.jks truststore.jks /usr/share/elasticsearch/config/
cp: overwrite ‘/usr/share/elasticsearch/config/truststore.jks’?

5.3賦予文件權限

# cd /usr/share/elasticsearch/config
# chmod 777 *

5.4修改配置文件

# cd /usr/share/elasticsearch/config
# vim elasticsearch.yml
修改內容
node.name: node-2  #節點
node.master: false
searchguard.ssl.transport.keystore_filepath: node-2-keystore.jks    #節點keystore文件,每個節點都不一樣
searchguard.ssl.http.keystore_filepath: node-2-keystore.jks
#其余文件不變
wq!
保存退出

5.5添加用戶

# useradd elasticsearch
# cd /usr/share/elasticsearch/
# chown elasticsearch:elasticsearch plugins/

5.6刪除date緩存文件

# cd /usr/share/elasticsearch/
# rm -rf data/*

5.6啟動服務

# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d

5.7驗證

http://192.168.2.142:9200/_plugin/kopf/#!/cluster
elasticsearch如何安全加固?
http://192.168.2.144:9200/_plugin/kopf/#!/cluster
elasticsearch如何安全加固?
輸入用戶名:elastic 密碼:vrv123456.
elasticsearch如何安全加固?
elasticsearch如何安全加固?

6.安全加固

6.1 修改集群默認名字

vim /usr/share/elasticsearch/config/elasticsearch.yml
cluster.name: ceshi   #集群名字修改

6.2 禁用批量刪除

Elasticsearch 支持通過 _all(全部)和通配符(*)來批量刪除索引。
設置: action.destructive_requires_name: true 來禁用它。

elasticsearch如何安全加固?

6.3 不要以root身份去運行

# cd /usr/share/elasticsearch/bin
# su elasticsearch
$ ./elasticsearch -d

記住一定不要以 root 身份來運行 Elasticsearch。另外,不要和其他的服務公用相同的用戶,然后還要把用戶的權限最小化。

6.4 開啟防火墻

#!/bin/bash
yum install iptables-services
systemctl enable iptables.service

cat> /etc/sysconfig/iptables<<EOF
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 50070 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 19888 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 45454 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6188 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8042 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 16010 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 18080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9200 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6188 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
service iptables restart

7.總結

1.首先,請開啟防火墻,并設置防火墻規則為只開啟必備的端口。完成之后,使用掃描工具掃描服務器,檢查端口開發情況。
2.如果可能,不要用密碼的方法來遠程登錄服務器,盡可能使用公私鑰的方式來 SSH 登錄服務器。如果只能使用密碼,請妥善保管好你的用戶名和密碼,禁用 root 用戶,不用使用弱密碼。
3.關注 Java 最新的漏洞,使用安全的 JVM 運行。
4.注意服務器及時更新最新的軟件,使用安全的 repo 軟件源。綁定軟件源的 HOST 和 IP,避免 DNS 污染造成的,關注服務器軟件漏洞,及時打上補丁。
5.收集系統日志和安裝相應的
檢測軟件,及時發現服務器是否有異常行為。

8.參考

http://www.elastic.co/cn/blog/reinforce-the-security-of-elasticsearch-101

9.后續預告

實戰到此結束。后續再更新knox安全配置實戰。

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

塔河县| 吴桥县| 新安县| 昌都县| 磐石市| 长武县| 九台市| 涿州市| 海丰县| 深州市| 岳西县| 益阳市| 黄浦区| 怀仁县| 宣化县| 德州市| 井研县| 应用必备| 葫芦岛市| 民权县| 遂溪县| 贺兰县| 临江市| 孝感市| 灯塔市| 定结县| 呼玛县| 兴海县| 长汀县| 台东市| 仙居县| 寿宁县| 从化市| 邓州市| 鸡泽县| 靖安县| 新疆| 塔城市| 南投县| 视频| 永州市|