Using search-guard with Elasticsearch 2.3 - vulnerability warning - the Black Bar Safety Net

2016-06-23T00:00:00
ID MYHACK58:62201676236
Type myhack58
Reporter Anonymous
Modified 2016-06-23T00:00:00

Description

Reference content:
http://kibana.logstash.es/content/elasticsearch/auth/searchguard-2.html
https://groups.google.com/forum/#!forum/search-guard
https://github.com/floragunncom/search-guard

This article is based on the following software versions; other versions may differ slightly:
elasticsearch 2.3.3
search-guard 2.3.3 RC1

0x00 Background

Elasticsearch is an open-source, distributed, RESTful search engine built on Lucene and widely used in all kinds of scenarios. As it keeps evolving, security problems inevitably appear, some of them fairly serious vulnerabilities such as CVE-2015-3337 and CVE-2015-5531. Against these vulnerabilities, including 0day threats, and with several services sharing the same es cluster, a set of authentication and authorization controls is particularly necessary. With the transition from the es 1.x to the 2.x product line, the current mainstream solutions are the official Shield and the open-source search-guard; my company is rather frugal, so search-guard it is.

0x01 search-guard

Since search-guard was updated to 2.x its configuration closely follows Shield's, and its logic is looser than in the 1.x versions. The advantages of searchguard are:
- SSL/TLS transport between the nodes
- Support for JDK SSL and OpenSSL
- Hot reloading, no need to restart the service
- Support for kibana4 and logstash configuration
- Different users can be granted different permissions
- Simple configuration

0x02 Installation

Install search-guard-ssl:

sudo bin/plugin install -b com.floragunn/search-guard-ssl/2.3.3.11

Install search-guard-2:

sudo bin/plugin install -b com.floragunn/search-guard-2/2.3.3.0-rc1

0x03 Certificates

Modify the official script according to your own circumstances to generate the admin certificate, the node certificates and the root certificate. Place the node certificate and the root certificate in the elasticsearch configuration directory, and the admin certificate and the root certificate in the search-guard configuration directory.
Tip: the certificates need to be generated together as one set.

0x04 Configure elasticsearch to support SSL

Add the following configuration to elasticsearch.yml:

#######################################################################################
#                               SEARCH GUARD                                          #
#                               Configuration                                         #
#######################################################################################
# Add the following properties to your standard elasticsearch.yml
# (alongside with the SG SSL settings)
# These settings must always be the same on all nodes in the cluster

# This defines the DNs (distinguished names) of the certificates
# to which admin privileges should be assigned
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
# kirk is the administrator; change this DN to match your own admin certificate

# This is optional
# Only needed when impersonation is used
# Allow DNs (distinguished names) to impersonate as other users
searchguard.authcz.impersonation_dn:
  "CN=spock,OU=client,O=client,L=Test,C=DE":
    - worf
  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
    - user2
    - user1

# Auditlog configuration (optional; uncomment exactly one audit type):
#searchguard.audit.type: internal_elasticsearch
#searchguard.audit.type: external_elasticsearch
#searchguard.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']
#searchguard.audit.config.index: auditlog # make sure you secure this index properly
#searchguard.audit.config.type: auditlog
#searchguard.audit.config.username: auditloguser
#searchguard.audit.config.password: auditlogpassword
#searchguard.audit.config.enable_ssl: false
#searchguard.audit.config.verify_hostnames: false
#searchguard.audit.config.enable_ssl_client_auth: false

# If Kerberos authentication should be used you have to configure this:

# The absolute path or relative path to the config/ directory
# to krb5.conf file
#searchguard.kerberos.krb5_filepath: '/etc/krb5.conf'

# The absolute path or relative path to the config/ directory
# to the keytab where the acceptor_principal credentials are stored.
#searchguard.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'

#######################################################################################
#                               SEARCH GUARD SSL                                      #
