IT评测·应用市场-qidao123.com技术社区

标题: ElasticSearch单机或集群未授权访问漏洞 [打印本页]

---

作者: 乌市泽哥    时间: 2024-7-20 05:07
标题: ElasticSearch单机或集群未授权访问漏洞
漏洞处理方法：

1、可以使用体系防火墙

来做限定只答应ES集群和Server节点的IP来访问漏洞节点的9200端口，其他的全部拒绝。
2、在ES节点上设置用户密码

漏洞征象：直接访问9200端口不需要密码验证
修复过程

2.1 生成认证文件

必须要生成认证文件，且ES配置文件里要引用这些生成的认证文件，否则启动ES的时间，日记会报错：Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme。
CA 证书

1. [root@node1 elasticsearch-7.6.2]# su es
2. [es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil ca
3. This tool assists you in the generation of X.509 certificates and certificate
4. signing requests for use with SSL/TLS in the Elastic stack.
6. The 'ca' mode generates a new 'certificate authority'
7. This will create a new X.509 certificate and private key that can be used
8. to sign certificate when running in 'cert' mode.
10. Use the 'ca-dn' option if you wish to configure the 'distinguished name'
11. of the certificate authority
13. By default the 'ca' mode produces a single PKCS#12 output file which holds:
14.     * The CA certificate
15.     * The CA's private key
17. If you elect to generate PEM format certificates (the -pem option), then the output will
18. be a zip file containing individual files for the CA certificate and private key
20. Please enter the desired output file [elastic-stack-ca.p12]:
21. Enter password for elastic-stack-ca.p12 :

复制代码

2.2 生成p12密钥

使用第一步生成的证书，生成p12秘钥

1. [es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
2. This tool assists you in the generation of X.509 certificates and certificate
3. signing requests for use with SSL/TLS in the Elastic stack.
5. The 'cert' mode generates X.509 certificate and private keys.
6.     * By default, this generates a single certificate and key for use
7.        on a single instance.
8.     * The '-multiple' option will prompt you to enter details for multiple
9.        instances and will generate a certificate and key for each one
10.     * The '-in' option allows for the certificate generation to be automated by describing
11.        the details of each instance in a YAML file
13.     * An instance is any piece of the Elastic Stack that requires an SSL certificate.
14.       Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
15.       may all require a certificate and private key.
16.     * The minimum required value for each instance is a name. This can simply be the
17.       hostname, which will be used as the Common Name of the certificate. A full
18.       distinguished name may also be used.
19.     * A filename value may be required for each instance. This is necessary when the
20.       name would result in an invalid file or directory name. The name provided here
21.       is used as the directory name (within the zip) and the prefix for the key and
22.       certificate files. The filename is required if you are prompted and the name
23.       is not displayed in the prompt.
24.     * IP addresses and DNS names are optional. Multiple values can be specified as a
25.       comma separated string. If no IP addresses or DNS names are provided, you may
26.       disable hostname verification in your SSL configuration.
28.     * All certificates generated by this tool will be signed by a certificate authority (CA).
29.     * The tool can automatically generate a new CA for you, or you can provide your own with the
30.          -ca or -ca-cert command line options.
32. By default the 'cert' mode produces a single PKCS#12 output file which holds:
33.     * The instance certificate
34.     * The private key for the instance certificate
35.     * The CA certificate
37. If you specify any of the following options:
38.     * -pem (PEM formatted output)
39.     * -keep-ca-key (retain generated CA key)
40.     * -multiple (generate multiple certificates)
41.     * -in (generate certificates from an input file)
42. then the output will be be a zip file containing individual certificate/key files
44. Enter password for CA (elastic-stack-ca.p12) :
46. Please enter the desired output file [elastic-certificates.p12]:
47. Enter password for elastic-certificates.p12 :
49. Certificates written to /home/elasticsearch-7.6.2/elastic-certificates.p12
51. This file should be properly secured as it contains the private key for
52. your instance.
54. This file is a self contained file and can be copied and used 'as is'
55. For each Elastic product that you wish to configure, you should copy
56. this '.p12' file to the relevant configuration directory
57. and then follow the SSL configuration instructions in the product guide.
59. For client applications, you may only need to copy the CA certificate and
60. configure the client to trust this certificate.

复制代码

2.3 将p12认证文件copy到其他节点

1. [es@node1 elasticsearch-7.6.2]$ cd config/
2. [es@node1 config]$ ll
3. total 36
4. -rw-rw---- 1 es es  3284 Dec 14 07:49 elasticsearch.yml
5. -rw-rw---- 1 es es  2301 Mar 26  2020 jvm.options
6. -rw-rw---- 1 es es 17545 Mar 26  2020 log4j2.properties
7. -rw-rw---- 1 es es   473 Mar 26  2020 role_mapping.yml
8. -rw-rw---- 1 es es   197 Mar 26  2020 roles.yml
9. -rw-rw---- 1 es es     0 Mar 26  2020 users
10. -rw-rw---- 1 es es     0 Mar 26  2020 users_roles
11. [es@node1 config]$ mkdir certs
12. [es@node1 config]$ cp ../elastic-certificates.p12 certs/
13. [root@node1 elasticsearch-7.6.2]# scp -r config node2:/home/elasticsearch-7.6.2/
14. log4j2.properties                                                                                100%   17KB  12.2MB/s   00:00   
15. users_roles                                                                                      100%    0     0.0KB/s   00:00   
16. roles.yml                                                                                        100%  197   406.7KB/s   00:00   
17. users                                                                                            100%    0     0.0KB/s   00:00   
18. role_mapping.yml                                                                                 100%  473     1.0MB/s   00:00   
19. elasticsearch.yml                                                                                100% 3284     3.2MB/s   00:00   
20. jvm.options                                                                                      100% 2301     4.4MB/s   00:00   
21. elastic-certificates.p12                                                                         100% 3443     3.1MB/s   00:00   
22. [root@node1 elasticsearch-7.6.2]# scp -r config node3:/home/elasticsearch-7.6.2/
23. log4j2.properties                                                                                100%   17KB  14.6MB/s   00:00   
24. users_roles                                                                                      100%    0     0.0KB/s   00:00   
25. roles.yml                                                                                        100%  197   492.4KB/s   00:00   
26. users                                                                                            100%    0     0.0KB/s   00:00   
27. role_mapping.yml                                                                                 100%  473     1.1MB/s   00:00   
28. elasticsearch.yml                                                                                100% 3284     2.7MB/s   00:00   
29. jvm.options                                                                                      100% 2301     5.0MB/s   00:00   
30. elastic-certificates.p12                                                                         100% 3443     3.9MB/s   00:00   
31. [root@node1 elasticsearch-7.6.2]#

复制代码

2.4 修改所有ES节点配置文件

1. xpack.security.enabled: true
2. xpack.security.transport.ssl.enabled: true
3. xpack.security.transport.ssl.verification_mode: certificate
4. xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
5. xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

复制代码

2.5 启动集群各节点

1. [es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch -d

复制代码

2.6 主动生成密码

集群也是一台节点生成密码即可

1. [es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-setup-passwords auto
2. Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
3. The passwords will be randomly generated and printed to the console.
4. Please confirm that you would like to continue [y/N]y
7. Changed password for user apm_system
8. PASSWORD apm_system = BY8QVLtnyPiIKQKWB9TH
10. Changed password for user kibana
11. PASSWORD kibana = 4MLTzLOC6LGYHkGw0YuW
13. Changed password for user logstash_system
14. PASSWORD logstash_system = GatyQw87IIPPs8dNReSf
16. Changed password for user beats_system
17. PASSWORD beats_system = WsahN3DcIKa4514sxv4n
19. Changed password for user remote_monitoring_user
20. PASSWORD remote_monitoring_user = KBqzFIkgkxytVpswaJW6
22. Changed password for user elastic
23. PASSWORD elastic = ltwcC9q77f0yZMV9CPWl
25. [es@node1 elasticsearch-7.6.2]$

复制代码

3、验证漏洞是否修复乐成

1. [es@node1 elasticsearch-7.6.2]$ curl http://192.168.200.167:9200/_cat/indices?pretty  -u elastic

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

---

欢迎光临 IT评测·应用市场-qidao123.com技术社区 (https://dis.qidao123.com/)

Powered by Discuz! X3.4