Elasticsearch7.X漏洞修复实践

系统管理员 2022-10-07 01:54 285阅读 0赞

## 一、漏洞描述 ##

ElasticSearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎，基于RESTful web接口。Elasticsearch是用Java开发的，并作为Apache许可条款下的开放源码发布，是当前流行的企业级搜索引擎。Elasticsearch的增删改查操作全部由http接口完成。由于Elasticsearch授权模块需要付费，所以免费开源的Elasticsearch可能存在未授权访问漏洞。该漏洞导致，攻击者可以拥有Elasticsearch的所有权限。可以对数据进行任意操作。业务系统将面临敏感数据泄露、数据丢失、数据遭到破坏甚至遭到攻击者的勒索。

Elasticsearch服务普遍存在一个未授权访问的问题，攻击者通常可以请求一个开放9200或9300的服务器进行恶意攻击

## 二、漏洞修复方法 ##

*  更改默认端口
 *  默认开启的9200端口和使用的端口不对外公布或架设内网环境
 *  限制IP访问，绑定固定IP
 *  架设nginx反向代理服务器，并设置http basic认证来实现elasticsearch的登录认证
 *  **安装x-pack插件（我自己采用了这种方法）**

## 三、ELK使用X-Pack实现安全登陆验证 ##

### 3.1 X-Pack介绍 ###

[干货 | Elasticsearch7.X X-Pack基础安全实操详解][_ Elasticsearch7.X X-Pack]

### 3.2 单节点ES X-Pack配置 ###

#### 3.2.1 修改elasticsearch.yml配置文件 ####

增加如下配置，修改完毕需要重启ES，否则配置不生效

xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true

#### 3.2.2 设置用户密码 ####

cd /opt/app/es/elasticsearch-7.5.1/bin
    ./elasticsearch-setup-passwords interactive

出现如下图所示内容，为每一项设置密码  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3NpbmF0XzM0MjQxODYx_size_16_color_FFFFFF_t_70]

### 3.3 修改logstash.conf文件 ###

打开自定义的logstash的配置文件logstash.conf，在output中增加elasticsearch的用户名和密码

[root@ELK1 ~]# vim /home/elk/logstash-7.2.1/config/logstash.conf
    input { 
      beats { 
        port => 5044
      }
    }
    output { 
      stdout { 
        codec => rubydebug
      }
      elasticsearch { 
        hosts => ["192.168.3.42:9200"]
        user => "elastic"
        password => "123456"
      }
    }

### 3.4 修改代码 ###

package com.umetrip.qa.config.es;//package com.test.config;
    
    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.client.config.RequestConfig.Builder;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
    import org.elasticsearch.client.RestClient;
    import org.elasticsearch.client.RestClientBuilder;
    import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;
    import org.elasticsearch.client.RestClientBuilder.RequestConfigCallback;
    import org.elasticsearch.client.RestHighLevelClient;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    
    import java.util.ArrayList;
    
    @Configuration
    public class ESConfig { 
        private static String hosts = "10.237.79.147";  //集群地址，多个用，分隔
    //    private static String hosts = "10.238.6.174";  //生产集群地址，多个用，分隔
    //    private static String hosts = "172.24.86.86";  //测试集群地址，多个用，分隔
    
        private static int port = 9200;     //使用的端口号
        private static String schema = "http"; //使用的协议
        private static ArrayList hostList = null;
    
        private static int connectTimeOut = 1000;//连接超时时间
        private static int socketTimeOut = 30000;//？？
        private static int connectionRequestTimeOut = 500;//获取连接的超时时间
    
        private static int maxConnectNum = 100;//最大连接数
        private static int maxConnectPerRoute = 100;//最大路由连接数
    
        static { 
            hostList = new ArrayList<>();
            String[] hostStrs = hosts.split(",");
            for (String host:hostStrs){ 
                hostList.add(new HttpHost(host,port,schema));
            }
        }
    
        @Bean
        public RestHighLevelClient client(){ 
            RestClientBuilder builder = RestClient.builder((HttpHost[])hostList.toArray(new HttpHost[0]));
            //异步httpclient连接延时配置
            builder.setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() { 
                @Override
                public Builder customizeRequestConfig(Builder requestConfigBuilder) { 
                    requestConfigBuilder.setConnectTimeout(connectTimeOut);
                    requestConfigBuilder.setSocketTimeout(socketTimeOut);
                    requestConfigBuilder.setConnectionRequestTimeout(connectionRequestTimeOut);
                    return requestConfigBuilder;
                }
            });
    
    
            /** 用户认证对象 */
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            /** 设置账号密码 */
            credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));
    
            //异步httpclient连接数设置
            builder.setHttpClientConfigCallback(new HttpClientConfigCallback() { 
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) { 
                    httpClientBuilder.setMaxConnTotal(maxConnectNum);
                    httpClientBuilder.setMaxConnPerRoute(maxConnectPerRoute);
                    httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                    return httpClientBuilder;
                }
            });
    
            RestHighLevelClient client = new RestHighLevelClient(builder);
            return client;
        }
    }

参考文献：  
[linux 搭建elk7.5.1集群并且安装x-pack][linux _elk7.5.1_x-pack]  
[ELK - X-Pack设置用户密码][ELK - X-Pack]  
[elasticsearch-7.x使用xpack进行安全认证][elasticsearch-7.x_xpack]

[_ Elasticsearch7.X X-Pack]: https://blog.csdn.net/laoyang360/article/details/102877770
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3NpbmF0XzM0MjQxODYx_size_16_color_FFFFFF_t_70]: /images/20221005/7ac9fc04c6d043a1b21810dba64e5e9b.png
[linux _elk7.5.1_x-pack]: https://www.cnblogs.com/zhangqigao/p/11913116.html
[ELK - X-Pack]: https://blog.csdn.net/prufeng/article/details/103095153
[elasticsearch-7.x_xpack]: https://blog.csdn.net/qq_20143059/article/details/112992016