1. Enabling authentication on the Elasticsearch cluster
# Problem description:
The Elasticsearch instance running on the remote web server is affected by an information disclosure vulnerability because it does not restrict access to its resources with authentication. An unauthenticated remote attacker can exploit this to read sensitive information from the database.
The cluster can be queried directly with curl: curl http://xxxx:9200?pretty
# Using X-Pack for authentication; the ES version is 6.8.2
echo "* - nofile 65535" >> /etc/security/limits.conf # raise the open-file limit Elasticsearch requires
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf # raise the mmap count Elasticsearch requires
sysctl -p
curl http://192.168.105.55:9200/_cat/health?v # check the cluster name and note the name of every node; they are needed later
/data/elasticsearch/bin/elasticsearch-certgen # generate the certificates; run this on any one node of the cluster
####################################
Please enter the desired output file [certificate-bundle.zip]: cert.zip (name of the zip archive)
Enter instance name: appEsCls (instance name)
Enter name for directories and files [p4mES]: elasticsearch (directory name)
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.105.55,192.168.105.56,192.168.105.57 (instance IPs, comma-separated)
Enter DNS names for instance (comma-separated if more than one) []: node-1,node-2,node-3 (node names, comma-separated)
Would you like to specify another instance? Press 'y' to continue entering instance information: (at this step there is no need to press y to add another instance; just press Enter)
Certificates written to /home/elastic/elasticsearch/bin/cert.zip (this is where the generated archive is stored; nothing to enter here)
Copy cert.zip to the /data/elasticsearch/config directory on each of the three machines and unzip it; this produces the ca and elasticsearch directories.
Give the elasticsearch user ownership of both directories, then edit the configuration file elasticsearch.yml:
cd /data/elasticsearch/config
chown -R elasticsearch:elasticsearch ca
chown -R elasticsearch:elasticsearch elasticsearch
vim /data/elasticsearch/config/elasticsearch.yml
# Add the following settings:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
# Restart Elasticsearch on every node in the cluster
systemctl restart elasticsearch
# Set the passwords; this only needs to be run on one node of the cluster
/data/elasticsearch/bin/elasticsearch-setup-passwords interactive # by default this sets passwords for all built-in users, including those for logstash and filebeat
curl http://192.168.105.57:9200?pretty # an unauthenticated request now returns 401
curl -u elastic:123456 http://192.168.105.57:9200 # a request with credentials succeeds
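As an added example (not part of the original note), the script below audits an elasticsearch.yml for the five X-Pack settings configured above, so a commented-out or forgotten line on one node is caught before restarting, and offers a helper that checks a node now answers anonymous requests with 401. It assumes curl is installed; the two sample configs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original note): audit an elasticsearch.yml for the
# X-Pack settings configured above and check that a node now answers anonymous
# requests with 401. Assumes curl is installed; the two configs below are constructed.

# Print every required setting that is missing or commented out; return 0 only
# when all five are present. A leading '#' must not count as configured.
audit_es_yml() {
  f="$1"; rc=0
  for want in 'xpack.security.enabled: *true' \
              'xpack.security.transport.ssl.enabled: *true' \
              'xpack.ssl.key: *[^ ]' \
              'xpack.ssl.certificate: *[^ ]' \
              'xpack.ssl.certificate_authorities: *[^ ]'; do
    if ! grep -Eq "^[[:space:]]*${want}" "$f"; then
      echo "MISSING: ${want%%:*}"; rc=1
    fi
  done
  return $rc
}

# HTTP status an unauthenticated GET receives; a protected node returns 401.
anon_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Constructed sample configs: the exposed default, and the hardened one from this page.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
cluster.name: demo-cluster
network.host: 0.0.0.0
# xpack.security.enabled: true
EOF
cat > "$after" <<'EOF'
cluster.name: demo-cluster
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
EOF

echo "== before =="; audit_es_yml "$before" || echo "-> node would still serve anonymous requests"
echo "== after  =="; audit_es_yml "$after" && echo "-> all X-Pack settings present"
rm -f "$before" "$after"
# Against a live node: [ "$(anon_status http://192.168.105.57:9200)" = 401 ] || echo "NOT protected"
```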