ES安全漏洞解决

1、前言

ElasticSearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎，基于RESTful web接口。Elasticsearch是用Java开发的，并作为Apache许可条款下的开放源码发布，是当前流行的企业级搜索引擎。Elasticsearch的增删改查操作全部由http接口完成。由于Elasticsearch授权模块需要付费，所以免费开源的Elasticsearch可能存在未授权访问漏洞。Elasticsearch服务普遍存在一个未授权访问的问题，攻击者通常可以请求一个开放9200或9300的服务器进行恶意攻击

2、安全部分免费之前，大家怎么保证基础安全？

场景一：全部“裸奔”，相信这在国内占据了非常大的比重。
内网部署，不对外提供服务。或者ES作为业务基础支撑，不公网开放9200等常用端口，开放的是业务的服务端口。
可能暴露问题：公司或团队内部开放9200、5601端口，基本head插件、kibana都能连接，极易导致线上索引或数据可能被误删。

场景二：加了简单防护。
一般使用Nginx身份认证+防火墙策略控制。

场景三：整合使用了第三方安全认证方案。
比如：SearchGuard、ReadonlyREST。

场景四：付费购买了Elastic-Xpack黄金版或白金版服务。

3、设置x-pack用户登录授权

• 配置ES

$ cat elasticsearch.yml
cluster.name: eryajf-search
node.name: es-node1
path.data: /data/elasticsearch7/data
path.logs: /data/elasticsearch7/log
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true # 这条配置表示开启xpack认证机制
xpack.security.transport.ssl.enabled: true
cluster.initial_master_nodes: ["es-node1"]

参数说明：
xpack.security.enabled：表示开启xpack认证机制。
xpack.security.transport.ssl.enabled：这条如果不配，es将起不来，会报如下错误:
Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

配置完成，重启ES

4、创建内置账号添加密码

ES中内置了几个管理其他集成组件的账号即：apm_system, beats_system, elastic, kibana, logstash_system, remote_monitoring_user

$ /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

参数说明：
interactive：自定义设置密码
auto：自动生成密码

• 可能出现报错如下：

Failed to determine the health of the cluster running at http://192.168.3.42:9200
Unexpected response code [503] from calling GET http://192.168.3.42:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
Do you want to continue with the password setup process [y/N]y

解决：

可能是有脏数据导致，此时可以停掉es，删除 data 数据目录，然后重新启动在进行操作。
配置完毕之后，可以通过如下方式访问es服务：

curl -XGET -u elastic 'localhost:9200/_xpack/security/user?pretty'
curl 127.0.0.1:9200 -u elastic

5、配置kibana

开启了安全认证之后，kibana连接es以及访问es都需要认证
变更kibana的配置，一共有两种方法，一种明文的，一种密文的

• 明文配置

server.port: 5601
server.host: "0.0.0.0"
server.name: "es-node1"
elasticsearch.hosts: ["http://192.168.3.42:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"
elasticsearch.username: "kibana"
elasticsearch.password: "kibana_passwd"
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"

参数说明：
elasticsearch.username：连接es的用户名。
elasticsearch.password：连接es的密码。
xpack.reporting.encryptionKey：如果不添加这条配置，将会报错 Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml。
xpack.security.encryptionKey：如果不配置这条，将会报错 Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml。

• 密文配置(推荐)

# 认证之前，需要首先将用户名密码保存到内置的ketstore里
/usr/share/kibana/bin/kibana-keystore --allow-root create
/usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.username
/usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.password
# 修改配置
server.port: 5601
server.host: "0.0.0.0"
server.name: "es-node1"
elasticsearch.hosts: ["http://192.168.3.42:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
# 重启kibana

6、配置logstash

# 在存在的output添加用户密码
$ vim /home/elk/logstash-7.2.1/config/logstash.conf
input {
  beats {
    port => 5044
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["192.168.3.42:9200"]
    user => "elastic"
    password => "123456"
  }
}

7、集群配置。

集群认证需要首先配置秘钥才行，否则在给内置用户创建秘钥的时候将会报错

• 配置证书

# 其中一个node节点执行即可，生成完证书传到集群其他节点
# 一路回车即可，不需要给秘钥再添加密码
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12


# 证书创建完成之后，默认在es的数据目录，这里统一放到etc下：
$ ls elastic-*
elastic-certificates.p12  elastic-stack-ca.p12
mv elastic-* /etc/elasticsearch/
chown elasticsearch.elasticsearch elastic*

# 两个证书文件拷贝到其他节点，作为通信依据

• 配置

# 三台机器配置文件如下：
# 除了node.name使用各自主机名之外，其他配置都一样
cluster.name: test-search
node.name: es-node-1
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.3.3:9300","192.168.3.4:9300","192.168.3.5:9300"]
cluster.initial_master_nodes: ["192.168.3.3:9300","192.168.3.4:9300","192.168.3.5:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

# 重启es

• 创建内置账号添加密码

$ /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

# 配置完毕之后，可以通过如下方式访问es服务：
curl -XGET -u elastic 'localhost:9200/_xpack/security/user?pretty'
curl 127.0.0.1:9200 -u elastic

# 剩下的就是与上边的使用方式一致了，kibana的认证，logstash的认证等等。

# 其中kibana通过密文认证之后，配置如下：
server.port: 5601
server.host: "0.0.0.0"
server.name: "es-node3"
elasticsearch.hosts: ["http://192.168.3.3:9208"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"