题记
安全事件频发,
2018上半年的群友的讨论:
http://www.safedog.cn/news.html?id=3212
https://www.easyaq.com/news/1184405110.shtml
安全隐患划重点:
1、印度:没有设置Elasticsearch集群安全权限;
2、婚庆网站:Elasticsearch服务器暴露到公网。
3、群友:9200端口映射到外网。
保障Elasticsearch单节点或者集群网络 安全必须提上日程!!
该如何保障Elasticsearch集群的网络安全呢?
1、不要将Elasticsearch暴露到Internet
必须强调这一点。即使在开发和测试中,也没有理由让您的集群暴露于公共IP。
异地联调,外网访问的场景各大公司都存在,但请千万别 “裸奔”。
1.1 防火墙:限制公共端口
限制9200—— 集群对外访问端口
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
iptables -A INPUT -i eth0 -p tcp --destination-port 9200 -s {PUBLIC-IP-ADDRESS-HERE} -j DROP- 1
</pre>
限制9300——集群内部通信端口
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
iptables -A INPUT -i eth0 -p tcp --destination-port 9300 -s {PUBLIC-IP-ADDRESS-HERE} -j DROP- 1
</pre>
限制5601——kibana访问端口
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
iptables -A INPUT -i eth0 -p tcp --destination-port 5601 -s {PUBLIC-IP-ADDRESS-HERE} -j DROP- 1
</pre>
在此之后你可以放松一下! Elasticsearch将无法再从Internet访问。
1.2仅将Elasticsearch端口绑定到内网专有IP地址
将elasticsearch.yml中的配置更改为仅绑定到私有IP地址或将单个节点实例绑定到环回接口:
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
network.bind_host: 127.0.0.1- 1
</pre>
1.3在Elasticsearch和客户端服务之间添加专用网络
如果您需要从另一台计算机访问Elasticsearch,请通过VPN或任何其他专用网络连接它们。
在两台机器之间建立安全隧道的快速方法是通过SSH隧道:
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
ssh -Nf -L 9200:localhost:9200 user@remote-elasticsearch-server- 1
</pre>
然后,您可以通过SSH隧道从客户端计算机访问Elasticsearch
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
curl http://localhost:9200/_search- 1
</pre>
2、使用Nginx进行身份验证和SSL / TLS
有几个开源和免费解决方案提供Elasticsearch访问身份验证,但如果你想要快速和简单的东西,这里是如何使用Nginx自己做
2.1 Nginx 自己生成
步骤1: 生成密码文件
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
printf "esuser:$(openssl passwd -crypt MySecret)\n" > /etc/nginx/passwords- 1
</pre>
步骤2:
如果您没有官方证书,则生成自签名SSL证书…
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
sudo mkdir /etc/nginx/sslsudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout/etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt- 1
- 2
- 3
- 4
</pre>
步骤3:
使用SSL添加代理配置并激活基本身份验证到/etc/nginx/nginx.conf
(注意我们期望/ etc / nginx / ssl /中的SSL证书和密钥文件)。 例:
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
# define proxy upstream to Elasticsearch via loopback interface inhttp {upstream elasticsearch {server 127.0.0.1:9200;}}server {# enable TLSlisten 0.0.0.0:443 ssl;ssl_certificate /etc/nginx/ssl/nginx.crt;ssl_certificate_key /etc/nginx/ssl/nginx.keyssl_protocols TLSv1.2;ssl_prefer_server_ciphers on;ssl_session_timeout 5m;ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";# Proxy for Elasticsearchlocation / {auth_basic "Login";auth_basic_user_file passwords;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header Host $http_host;proxy_set_header X-NginX-Proxy true;# use defined upstream with the name "elasticsearch"proxy_pass http://elasticsearch/;proxy_redirect off;if ($request_method = OPTIONS ) {add_header Access-Control-Allow-Origin "*";add_header Access-Control-Allow-Methods "GET, POST, , PUT, OPTIONS";add_header Access-Control-Allow-Headers "Content-Type,Accept,Authorization, x-requested-with";add_header Access-Control-Allow-Credentials "true";add_header Content-Length 0;add_header Content-Type application/json;return 200;}}- 1
* 2
* 3
* 4
* 5
* 6
* 7
* 8
* 9
* 10
* 11
* 12
* 13
* 14
* 15
* 16
* 17
* 18
* 19
* 20
* 21
* 22
* 23
* 24
* 25
* 26
* 27
* 28
* 29
* 30
* 31
* 32
* 33
* 34
* 35
* 36
* 37
* 38
</pre>
重新启动Nginx并尝试通过访问Elasticsearch
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
https://localhost/_search- 1
</pre>
2.2 Elasticsearch官方安全工具xpack
6.3版本之后已经集成在一起发布, 无需额外安装。
但属于收费功能,免费试用1个月。
如果是土豪用户,不妨一买。
2.3 Elasticsearch的第三方安全插件
您可以安装和配置Elasticsearch的几个免费安全插件之一以启用身份验证:
- Github上提供了Elasticsearch的
ReadonlyREST插件。
它提供不同类型的身份验证,从基本到LDAP,以及索引和操作级访问控制。
git地址:https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin - SearchGuard是Elasticsearch的免费安全插件(部分高级功能收费),包括基于角色的访问控制和SSL / TLS加密的节点到节点通信。
每个Elasticsearch集群都可以使用其他企业功能,如LDAP身份验证或JSON Web令牌身份验证。
3、审计和警报
与保存敏感数据的任何类型的系统一样,您必须非常密切地 监控它。
这意味着不仅要监控其各种 指标(其突然变化可能是问题的早期迹象),还要观察其 日志。
许多监控供应商都支持Elasticsearch。应该收集日志并将其实时发送到日志管理服务,其中需要设置 警报以监视任何 异常或可疑活动等。
对指标和日志发出警报意味着您将尽早发现安全漏洞,并采取适当的措施,希望能够防止进一步的损害。
4、备份和恢复数据
Elasticdump是一个非常方便的工具,可以根据Elasticsearch查询备份/恢复或重新索引数据。
要备份完整索引,```Elasticsearch快照API ](https://www.elastic.co/guide/en/elasticsearch/reference/6.5/modules-snapshots.html)``是正确的工具。 快照API提供了创建和恢复整个索引,存储在文件或Amazon S3存储桶中的快照的操作。
我们来看一下Elasticdump和快照备份和恢复的一些示例。
1)安装包含 node package manager的elasticdump包。
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
npm i elasticdump -g- 1
</pre>
2)将查询语句备份为zip文件。
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
elasticdump --input='http://username:password@localhost:9200/myindex' --searchBody '{"query" : {"range" :{"timestamp" : {"lte": 1483228800000}}}}' --output=$ --limit=1000 | gzip > /backups/myindex.gz- 1
</pre>
3)从zip文件中恢复。
<pre class="prettyprint linenums prettyprinted" style="box-sizing: border-box; margin: 0px; padding: 8px 0px 6px; font-family: consolas, menlo, courier, monospace, "Microsoft Yahei" !important; background: rgb(241, 239, 238); border: 1px solid rgb(226, 226, 226) !important; display: block; border-radius: 0px; overflow-y: auto; color: rgb(80, 97, 109); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-size: 10px; line-height: 12px;">
zcat /backups/myindex.gz | elasticdump --input=$ --output=http://username:password@localhost:9- 1
</pre>
5、使用最新的Elasticsearch版本。
这是一般的最佳实践,因为在旧版本中,版本5.x中存在特定的漏洞。如果您仍在使用1.x或2.x,请务必 禁用动态脚本。 Elasticsearch允许使用脚本来评估自定义表达式,但正如Elastic所记录的那样,使用non-sandboxed 语言可能是一个问题。
当前最新版本6.5.x,新增了space功能,安全+角色划分更增强一步!
参考:
https://logz.io/blog/securing-elasticsearch-clusters/
https://sematext.com/blog/elasticsearch-security-authentication-encryption-backup/
文章转载自阿里云 MVP铭毅,查看原文
