# ES 7.14 unauthorized access vulnerability remediation manual

## ES cluster side

### 1. Stop the ES cluster (run on all three machines)

```bash
ps -ef|grep 'elasticsearch-7.14.0'|grep -v grep|awk '{print $2}'|xargs kill -9
```

### 2. Create the certificate directory (run on all three machines)

```bash
mkdir -pv /home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/config/certs
```

### 3. Generate the CA certificate (run on any one AILOG node)

```bash
cd /home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/config/certs
/home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/bin/elasticsearch-certutil ca
/home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```

### 4. Copy the certificate files to the certs directory on every ES node in the AILOG unit

Copy the files elastic-certificates.p12 and elastic-stack-ca.p12 to the NAS, then copy them onto the other ES cluster hosts so that every node has the same files.

### 5. Edit the main configuration file elasticsearch.yml and append the following at the end:

```yaml
# Enable X-Pack security so that password authentication is required
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```
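Before restarting the nodes it is worth checking that every elasticsearch.yml actually carries the settings above, since a node that misses one of them will either stay open or refuse to join the cluster. The script below is an added example, not part of the original manual: it reads the last uncommented value of each required key from a given elasticsearch.yml and reports any that is missing or wrong. The sample configurations in the usage section are constructed; the only assumption beyond the manual is that the file keeps the simple `key: value` layout shown above. It also prints an advisory when `xpack.security.http.ssl.enabled` is not set, because step 5 protects only the transport port, so credentials sent to the HTTP API on port 19200 still travel in cleartext.

```shell
#!/bin/sh
# Added example (not from the original manual): audit an elasticsearch.yml for the
# X-Pack settings that step 5 appends. Returns 0 when every required key carries
# the expected value, 1 otherwise, listing what is missing or wrong.

# Required "key value" pairs, one per line (values in this manual contain no spaces)
REQUIRED_SETTINGS='xpack.security.enabled true
xpack.security.transport.ssl.enabled true
xpack.security.transport.ssl.verification_mode certificate
xpack.security.transport.ssl.client_authentication required
xpack.security.transport.ssl.keystore.path certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path certs/elastic-certificates.p12'

# setting_value FILE KEY -> prints the last uncommented value of "KEY: value" in FILE
setting_value() {
  sed 's/#.*//' "$1" | awk -v k="$2" '
    BEGIN { kk = k ":" }          # YAML key as it appears in column 1, e.g. "xpack.security.enabled:"
    $1 == kk { v = $2 }           # later occurrences override earlier ones, as Elasticsearch does
    END { if (v != "") print v }'
}

# check_es_security_config FILE -> 0 if hardened, 1 if any required setting is missing/wrong
check_es_security_config() {
  file=$1
  failures=$(printf '%s\n' "$REQUIRED_SETTINGS" | while read -r key expected; do
    actual=$(setting_value "$file" "$key")
    [ "$actual" = "$expected" ] ||
      printf '%s: expected "%s", found "%s"\n' "$key" "$expected" "${actual:-<unset>}"
  done)

  if [ -n "$failures" ]; then
    printf 'NOT HARDENED: %s\n%s\n' "$file" "$failures"
    return 1
  fi

  # Advisory only: step 5 enables TLS on the transport port, not on the HTTP API,
  # so Basic-auth credentials sent to port 19200 are not encrypted in transit.
  if [ "$(setting_value "$file" xpack.security.http.ssl.enabled)" != "true" ]; then
    echo "WARN: xpack.security.http.ssl.enabled is not true; HTTP API traffic (including Basic auth) is unencrypted"
  fi
  echo "OK: $file enables X-Pack security and transport TLS"
  return 0
}

# Usage: sh check_es_config.sh /home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/config/elasticsearch.yml
if [ "$#" -gt 0 ]; then
  check_es_security_config "$1"
fi
```

Run it on each of the three nodes after editing the file; a non-zero exit means that node would come up without the intended protection. Because the check only reads the file, it is safe to run while the cluster is still stopped.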

### 6. Start the ES cluster (on all three machines)

```bash
/home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/bin/elasticsearch -d
```

### 7. Set the initial passwords

- All users share the same password: Szzt@123
- Log in to any AILOG machine and run: `/home/ap/iflytek/yth-apps/system/elasticsearch-7.14.0/bin/elasticsearch-setup-passwords interactive`

```
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
```
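Once the passwords are set, the remediation is only complete if the HTTP API now answers anonymous requests with 401 and accepts the elastic user. The script below is an added example, not part of the original manual, that performs that check. `ES_HOST` is an assumption (the manual's nodes listen on port 19200); the elastic password is read from the `ES_PASSWORD` environment variable and handed to curl through a config read from stdin (`-K -`), rather than with `-u user:password`, so it never appears in the process list. The `classify_auth` function encodes what each pair of status codes means, so it can be reasoned about without a live cluster.

```shell
#!/bin/sh
# Added example (not from the original manual): confirm the cluster rejects
# anonymous requests and accepts the elastic user after steps 5 to 7.

ES_HOST=${ES_HOST:-http://127.0.0.1:19200}   # assumed; the manual's nodes listen on 19200

# http_status URL [USER] -> prints only the HTTP status code (000 when curl cannot connect).
# With USER set, the credentials go to curl via a config on stdin, not the command line.
http_status() {
  url=$1; user=$2
  if [ -n "$user" ]; then
    printf 'user = "%s:%s"\n' "$user" "$ES_PASSWORD" |
      curl -s -o /dev/null -w '%{http_code}' -K - "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' "$url"
  fi
}

# classify_auth ANON_CODE AUTH_CODE -> one word describing the cluster's state
#   401 anonymous, 200 elastic  => hardened        (what steps 5-7 should produce)
#   200 anonymous               => open            (security not enabled: the original finding)
#   401 for both                => bad-credentials (ES_PASSWORD does not match)
#   anything else               => unreachable-or-unknown
classify_auth() {
  case "$1/$2" in
    401/200) echo hardened ;;
    200/*)   echo open ;;
    401/401) echo bad-credentials ;;
    *)       echo unreachable-or-unknown ;;
  esac
}

# verify_es_auth -> 0 only when the cluster is in the "hardened" state
verify_es_auth() {
  anon=$(http_status "$ES_HOST/")
  auth=$(http_status "$ES_HOST/" elastic)
  state=$(classify_auth "$anon" "$auth")
  printf 'anonymous=%s elastic=%s => %s\n' "$anon" "$auth" "$state"
  [ "$state" = hardened ]
}

# Usage: ES_HOST=http://10.255.35.175:19200 ES_PASSWORD='...' sh verify_es_auth.sh
if [ -n "$ES_PASSWORD" ]; then
  verify_es_auth
fi
```

Run it once against each of the three nodes, since step 5 has to be applied to every elasticsearch.yml separately: a node reporting `open` was restarted without the X-Pack settings, and `bad-credentials` means the password used here does not match what step 7 set.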

## Data collection side

### 1. Stop the collector service

```bash
ps -ef|grep 'logstash-7.14.0'|grep -v grep|awk '{print $2}'|xargs kill -9
```

### 2. Edit the configuration files

```bash
cd /home/ap/iflytek/yth-apps/system/logstash-7.14.0/config/conf.d
# Edit the following three files
vim ask_ol_chan_outes.conf
vim faq_ol_chan_outes.conf
vim session_ol_chan_outes.conf
```

In the output section of each file, add the user and password settings:

```
# In the output section, add the user and password settings
output {
  elasticsearch {
    hosts => ["10.255.35.175:19200","10.255.35.168:19200","10.255.35.116:19200"]
    index => "ol-chan-ask-%{timestamp}"
    user => "elastic"
    password => "Szzt@123"
  }
}
```

### 3. Start the Logstash collector service

```bash
cd /home/ap/ccb-yth/yth-apps/system/logstash-7.14.0/bin
sh logstash.sh
```
