
Elasticsearch unauthenticated access vulnerability on a single node or a cluster


Remediation options:

1. Use the system firewall to restrict access: allow only the IP addresses of the ES cluster nodes and the application server nodes to reach port 9200 on the affected node, and reject everything else.

2. Set a username and password on the ES nodes

Symptom of the vulnerability: port 9200 can be accessed directly without any password authentication.

Remediation steps

2.1 Generate the certificate files

The certificate files must be generated and referenced from the ES configuration file; otherwise ES fails at startup and the log reports: Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme.

CA certificate

[root@node1 elasticsearch-7.6.2]# su es
[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 :


2.2 Generate the p12 key

Use the CA certificate generated in the previous step to generate the p12 key, which holds the node certificate and its private key.

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 

Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : 

Certificates written to /home/elasticsearch-7.6.2/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.


2.3 Copy the p12 certificate file to the other nodes

[es@node1 elasticsearch-7.6.2]$ cd config/
[es@node1 config]$ ll
total 36
-rw-rw---- 1 es es  3284 Dec 14 07:49 elasticsearch.yml
-rw-rw---- 1 es es  2301 Mar 26  2020 jvm.options
-rw-rw---- 1 es es 17545 Mar 26  2020 log4j2.properties
-rw-rw---- 1 es es   473 Mar 26  2020 role_mapping.yml
-rw-rw---- 1 es es   197 Mar 26  2020 roles.yml
-rw-rw---- 1 es es     0 Mar 26  2020 users
-rw-rw---- 1 es es     0 Mar 26  2020 users_roles
[es@node1 config]$ mkdir certs
[es@node1 config]$ cp ../elastic-certificates.p12 certs/
[root@node1 elasticsearch-7.6.2]# scp -r config node2:/home/elasticsearch-7.6.2/
log4j2.properties                                                                                100%   17KB  12.2MB/s   00:00    
users_roles                                                                                      100%    0     0.0KB/s   00:00    
roles.yml                                                                                        100%  197   406.7KB/s   00:00    
users                                                                                            100%    0     0.0KB/s   00:00    
role_mapping.yml                                                                                 100%  473     1.0MB/s   00:00    
elasticsearch.yml                                                                                100% 3284     3.2MB/s   00:00    
jvm.options                                                                                      100% 2301     4.4MB/s   00:00    
elastic-certificates.p12                                                                         100% 3443     3.1MB/s   00:00    
[root@node1 elasticsearch-7.6.2]# scp -r config node3:/home/elasticsearch-7.6.2/
log4j2.properties                                                                                100%   17KB  14.6MB/s   00:00    
users_roles                                                                                      100%    0     0.0KB/s   00:00    
roles.yml                                                                                        100%  197   492.4KB/s   00:00    
users                                                                                            100%    0     0.0KB/s   00:00    
role_mapping.yml                                                                                 100%  473     1.1MB/s   00:00    
elasticsearch.yml                                                                                100% 3284     2.7MB/s   00:00    
jvm.options                                                                                      100% 2301     5.0MB/s   00:00    
elastic-certificates.p12                                                                         100% 3443     3.9MB/s   00:00    
[root@node1 elasticsearch-7.6.2]#

2.4 Modify the configuration file on every ES node

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
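
As an added example (not part of the original article), a small Python audit that reads an elasticsearch.yml and reports which of the five settings above are missing or set to a different value. The two configuration texts inside it are constructed samples, and the parser only understands the flat key: value lines that elasticsearch.yml uses. On 7.x a node whose xpack.security.enabled line is absent falls back to the default, which leaves security off, so "missing" is reported as a finding rather than ignored.

```python
import re

# The settings this article adds to elasticsearch.yml on every node,
# and the value each must have for security to be enforced.
REQUIRED_SETTINGS = {
    "xpack.security.enabled": "true",
    "xpack.security.transport.ssl.enabled": "true",
    "xpack.security.transport.ssl.verification_mode": "certificate",
    "xpack.security.transport.ssl.keystore.path": "certs/elastic-certificates.p12",
    "xpack.security.transport.ssl.truststore.path": "certs/elastic-certificates.p12",
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml.

    Comments and blank lines are skipped, a duplicated key keeps its last
    value (as a YAML loader would), and surrounding quotes are removed from
    values. Nested block YAML is deliberately not supported.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        settings[key] = value
    return settings


def audit_security_settings(text, required=REQUIRED_SETTINGS):
    """Return a list of findings; an empty list means the file is compliant.

    A missing key is a finding: on ES 7.x the default for
    xpack.security.enabled is false, so "not set" means "not secured".
    """
    settings = parse_flat_yaml(text)
    findings = []
    for key, expected in required.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: missing (expected '{expected}')")
        elif actual.lower() != expected.lower():
            findings.append(f"{key}: is '{actual}', expected '{expected}'")
    return findings


# Constructed sample: a node still running with the default (insecure) config.
INSECURE_CONFIG = """\
cluster.name: es-demo
node.name: node1
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: the same node after the changes from section 2.4.
HARDENED_CONFIG = INSECURE_CONFIG + """\
# --- security settings added per section 2.4 ---
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_security_settings(cfg)
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against config/elasticsearch.yml on every node before restarting the cluster. It checks only that the keys are present with the expected values; a keystore or truststore path that points at a file that was never copied to that node still fails at startup with the handshake error mentioned in 2.1, so the audit complements the startup log rather than replacing it.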


2.5 Start each node of the cluster

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch -d

2.6 Generate the passwords automatically

For a cluster as well, generating the passwords on a single node is enough.

[es@node1 elasticsearch-7.6.2]$ ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = BY8QVLtnyPiIKQKWB9TH

Changed password for user kibana
PASSWORD kibana = 4MLTzLOC6LGYHkGw0YuW

Changed password for user logstash_system
PASSWORD logstash_system = GatyQw87IIPPs8dNReSf

Changed password for user beats_system
PASSWORD beats_system = WsahN3DcIKa4514sxv4n

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = KBqzFIkgkxytVpswaJW6

Changed password for user elastic
PASSWORD elastic = ltwcC9q77f0yZMV9CPWl

[es@node1 elasticsearch-7.6.2]$


3. Verify that the vulnerability has been fixed

Article source: http://www.zghlxwxcb.cn/news/detail-787323.html

[es@node1 elasticsearch-7.6.2]$ curl http://192.168.200.167:9200/_cat/indices?pretty  -u elastic
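
With security enabled, the same request sent without credentials is answered with HTTP 401, and the request with -u elastic and the generated password returns the index list. The following Python script, added here as an example rather than taken from the article, automates that comparison: probe() issues the request with and without Basic credentials, assess() turns the two status codes into a verdict (including the case where the port is unreachable because the firewall rule from step 1 applies), and a constructed in-process mock of an Elasticsearch node lets the script run offline. The mock's password is a placeholder; against a real node call check_node("http://192.168.200.167:9200", "elastic", <password>).

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credentials accepted by the mock node below (constructed placeholder values).
MOCK_USER, MOCK_PASSWORD = "elastic", "constructed-demo-password"


def probe(url, user=None, password=None, timeout=5):
    """GET `url`; return the HTTP status code, or None if the host is unreachable."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # 401/403 and friends arrive as exceptions
    except (urllib.error.URLError, OSError):
        return None              # refused, timed out, or filtered by the firewall


def assess(anon_status, auth_status):
    """Turn the anonymous and authenticated probe results into a verdict."""
    if anon_status is None:
        return "UNREACHABLE: port is filtered or the node is down"
    if anon_status == 200:
        return "VULNERABLE: anonymous request succeeded (no authentication)"
    if anon_status == 401 and auth_status == 200:
        return "FIXED: anonymous request rejected, credentials accepted"
    if anon_status == 401:
        return "AUTH ENFORCED: but the supplied credentials were rejected"
    return f"UNEXPECTED: anonymous status {anon_status}"


def check_node(base_url, user, password):
    """Probe /_cat/indices with and without credentials and assess the node."""
    anon = probe(base_url + "/_cat/indices")
    auth = probe(base_url + "/_cat/indices", user, password)
    return assess(anon, auth)


# ---- constructed mock Elasticsearch node so the check runs offline ----------
class _MockES(BaseHTTPRequestHandler):
    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{MOCK_USER}:{MOCK_PASSWORD}".encode()).decode()
        if self.server.secured and self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"green open demo-index 1 0 0 0 208b 208b\n")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def _start_mock(secured):
    """Start a mock node on a free loopback port; `secured` mirrors xpack.security.enabled."""
    srv = HTTPServer(("127.0.0.1", 0), _MockES)
    srv.secured = secured
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Check one unsecured and one secured mock node; return both verdicts."""
    verdicts = {}
    for label, secured in (("open", False), ("secured", True)):
        srv, url = _start_mock(secured)
        try:
            verdicts[label] = check_node(url, MOCK_USER, MOCK_PASSWORD)
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:8s} {verdict}")
```

Running check_node from a host that is not on the firewall allowlist should report UNREACHABLE, and from an allowed host FIXED; a VULNERABLE verdict on any node means that node's elasticsearch.yml was not updated or the node was not restarted after the change.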
