ElasticSearch单机或集群未授权访问漏洞

漏洞处理方法:

1、可以使用系统防火墙

来做限制只允许ES集群和Server节点的IP来访问漏洞节点的9200端口,其他的全部拒绝。

2、在ES节点上设置用户密码

漏洞现象:直接访问9200端口不需要密码验证

修复过程

2.1 生成认证文件

必须要生成认证文件,且ES配置文件里要引用这些生成的认证文件,否则启动ES的时候,日志会报错:Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme。
CA 证书

[root@node1 elasticsearch-7.6.2]# su es
[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authorityBy default the 'ca' mode produces a single PKCS#12 output file which holds:* The CA certificate* The CA's private keyIf you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private keyPlease enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 :

在这里插入图片描述

2.2 生成p12密钥

使用第一步生成的证书,生成p12秘钥

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'cert' mode generates X.509 certificate and private keys.* By default, this generates a single certificate and key for useon a single instance.* The '-multiple' option will prompt you to enter details for multipleinstances and will generate a certificate and key for each one* The '-in' option allows for the certificate generation to be automated by describingthe details of each instance in a YAML file* An instance is any piece of the Elastic Stack that requires an SSL certificate.Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beatsmay all require a certificate and private key.* The minimum required value for each instance is a name. This can simply be thehostname, which will be used as the Common Name of the certificate. A fulldistinguished name may also be used.* A filename value may be required for each instance. This is necessary when thename would result in an invalid file or directory name. The name provided hereis used as the directory name (within the zip) and the prefix for the key andcertificate files. The filename is required if you are prompted and the nameis not displayed in the prompt.* IP addresses and DNS names are optional. Multiple values can be specified as acomma separated string. If no IP addresses or DNS names are provided, you maydisable hostname verification in your SSL configuration.* All certificates generated by this tool will be signed by a certificate authority (CA).* The tool can automatically generate a new CA for you, or you can provide your own with the-ca or -ca-cert command line options.By default the 'cert' mode produces a single PKCS#12 output file which holds:* The instance certificate* The private key for the instance certificate* The CA certificateIf you specify any of the following options:* -pem (PEM formatted output)* -keep-ca-key (retain generated CA key)* -multiple (generate multiple certificates)* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key filesEnter password for CA (elastic-stack-ca.p12) : Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : Certificates written to /home/elasticsearch-7.6.2/elastic-certificates.p12This file should be properly secured as it contains the private key for 
your instance.This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

在这里插入图片描述

2.3 将p12认证文件copy到其他节点

[es@node1 elasticsearch-7.6.2]$ cd config/
[es@node1 config]$ ll
total 36
-rw-rw---- 1 es es  3284 Dec 14 07:49 elasticsearch.yml
-rw-rw---- 1 es es  2301 Mar 26  2020 jvm.options
-rw-rw---- 1 es es 17545 Mar 26  2020 log4j2.properties
-rw-rw---- 1 es es   473 Mar 26  2020 role_mapping.yml
-rw-rw---- 1 es es   197 Mar 26  2020 roles.yml
-rw-rw---- 1 es es     0 Mar 26  2020 users
-rw-rw---- 1 es es     0 Mar 26  2020 users_roles
[es@node1 config]$ mkdir certs
[es@node1 config]$ cp ../elastic-certificates.p12 certs/
[root@node1 elasticsearch-7.6.2]# scp -r config node2:/home/elasticsearch-7.6.2/
log4j2.properties                                                                                100%   17KB  12.2MB/s   00:00    
users_roles                                                                                      100%    0     0.0KB/s   00:00    
roles.yml                                                                                        100%  197   406.7KB/s   00:00    
users                                                                                            100%    0     0.0KB/s   00:00    
role_mapping.yml                                                                                 100%  473     1.0MB/s   00:00    
elasticsearch.yml                                                                                100% 3284     3.2MB/s   00:00    
jvm.options                                                                                      100% 2301     4.4MB/s   00:00    
elastic-certificates.p12                                                                         100% 3443     3.1MB/s   00:00    
[root@node1 elasticsearch-7.6.2]# scp -r config node3:/home/elasticsearch-7.6.2/
log4j2.properties                                                                                100%   17KB  14.6MB/s   00:00    
users_roles                                                                                      100%    0     0.0KB/s   00:00    
roles.yml                                                                                        100%  197   492.4KB/s   00:00    
users                                                                                            100%    0     0.0KB/s   00:00    
role_mapping.yml                                                                                 100%  473     1.1MB/s   00:00    
elasticsearch.yml                                                                                100% 3284     2.7MB/s   00:00    
jvm.options                                                                                      100% 2301     5.0MB/s   00:00    
elastic-certificates.p12                                                                         100% 3443     3.9MB/s   00:00    
[root@node1 elasticsearch-7.6.2]#

2.4 修改所有ES节点配置文件

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

在这里插入图片描述

2.5 启动集群各节点

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch -d

2.6 自动生成密码

集群也是一台节点生成密码即可

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]yChanged password for user apm_system
PASSWORD apm_system = BY8QVLtnyPiIKQKWB9THChanged password for user kibana
PASSWORD kibana = 4MLTzLOC6LGYHkGw0YuWChanged password for user logstash_system
PASSWORD logstash_system = GatyQw87IIPPs8dNReSfChanged password for user beats_system
PASSWORD beats_system = WsahN3DcIKa4514sxv4nChanged password for user remote_monitoring_user
PASSWORD remote_monitoring_user = KBqzFIkgkxytVpswaJW6Changed password for user elastic
PASSWORD elastic = ltwcC9q77f0yZMV9CPWl[es@node1 elasticsearch-7.6.2]$

在这里插入图片描述

3、验证漏洞是否修复成功

在这里插入图片描述

[es@node1 elasticsearch-7.6.2]$ curl http://192.168.200.167:9200/_cat/indices?pretty  -u elastic

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.hqwc.cn/news/285413.html

如若内容造成侵权/违法违规/事实不符,请联系编程知识网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

oracle sqldeveloper连接mysql中遇到的问题

问题1: Unknown initial character set index ‘255’ received from server.Initial client character 解决: 因为mysql-connector-java的版本与服务器数据库版本(8.0.11)不符合,所以导致连接出错, java架包的版本要与数据库版本…

如何实现TensorFlow自定义算子?

在上一篇文章中 Embedding压缩之基于二进制码的Hash Embedding,提供了二进制码的tensorflow算子源码,那就顺便来讲下tensorflow自定义算子的完整实现过程。 前言 制作过程基于tensorflow官方的custom-op仓库以及官网教程,并且在Ubuntu和Mac…

【算法与数据结构】LeetCode55、45、跳跃游戏 I 、II

文章目录 一、跳跃游戏I二、跳跃游戏II三、完整代码 所有的LeetCode题解索引,可以看这篇文章——【算法和数据结构】LeetCode题解。 一、跳跃游戏I 思路分析:本题目标是根据跳跃数组的元素,判断最终能够到达数组末端。我们引入了一个跳跃范围…

Windows下配置最新ChromeDriver

1、问题 在使用代码调用谷歌浏览器时会出错: from selenium import webdriver driver webdriver.Chrome() SessionNotCreatedException: Message: session not created: This version of ChromeDriver only supports Chrome version 114 Current browser versi…

数据可视化---双Y轴折线图比较

内容导航 类别内容导航机器学习机器学习算法应用场景与评价指标机器学习算法—分类机器学习算法—回归机器学习算法—聚类机器学习算法—异常检测机器学习算法—时间序列数据可视化数据可视化—折线图数据可视化—箱线图数据可视化—柱状图数据可视化—饼图、环形图、雷达图统…

【计算机网络】TCP协议——3. 可靠性策略效率策略

前言 TCP是一种可靠的协议,提供了多种策略来确保数据的可靠性传输。 可靠并不是保证每次发送的数据,对方都一定收到;而是尽最大可能让数据送达目的主机,即使丢包也可以知道丢包。 目录 一. 确认应答和捎带应答机制 二. 超时重…

【Qt之Quick模块】1. 概述及Quick应用程序创建流程

概述 Qt的Quick模块是用于创建现代化、动态和响应式用户界面的工具集。它是基于QML(Qt Meta-Object Language)和JavaScript的。 QML是一种声明性的语言,用于描述用户界面的结构和行为。它使用层叠样式表(CSS)的语法来…

数据库操作习题12.12

考虑如下的人员数据,其中加下划线的是主码,数据库模式由四个关系组成: employee (empname, street, city) works (empname, compname, salary) company(id, compname, city) managers (empname, mgrname) 其中 关系 employee 给出人员的基本信息,包括人员…

python使用ctypes访问Windows原生API

在Windows系统中,C语言编写的动态链接库(DLL)是一种可由多个程序同时使用的代码和数据共享库。DLL文件包含了一些可以被其他程序调用的函数和数据。这些DLL文件通常与应用程序一起发布,并在需要时被加载到内存中,以便应…

CSS常用技巧专题一

文章目录 一、transition和animation的区别1.1、transition1.2、animation 二、两栏布局的实现2.1、利用浮动2.1.1、利用浮动,将左边元素宽度设置为200px,并且设置向左浮动2.1.2、利用浮动,左侧元素设置固定大小,并左浮动 2.2、利…

免费在线markdown语法编辑器

本地用习惯了Typora,但是上传的图片保存在本地,其他电脑想查看必须连本地的图片也拷贝过去。虽然Typora可以用PicGo保存远程的图片,但电脑离线之后看不到图片,不能接受。所以想找一款在线版的编辑器,方便记笔记。 我之…