
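                        How to change the Elasticsearch password

        1. Introduction

            A penetration scan of the customer environment found that no security policy was applied to Elasticsearch access, so one needs to be configured.

        2. The relevant part of the configuration file elasticsearch.yml looks like this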

    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true
    
    #xpack.security.enabled: true
    #xpack.license.self_generated.type: basic
    #xpack.security.transport.ssl.enabled: true

       

       3. The authentication settings are commented out; uncomment the part highlighted in red above (the three xpack.* lines)

    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true
    
    xpack.security.enabled: true
    xpack.license.self_generated.type: basic
    xpack.security.transport.ssl.enabled: true

      Then restart ES

    systemctl restart elasticsearch

       4. Next, locate the ES installation directory

    [root@ECP-HK-1 elasticsearch]# systemctl cat elasticsearch
    # /usr/lib/systemd/system/elasticsearch.service
    [Unit]
    Description=Elasticsearch
    Documentation=https://www.elastic.co
    Wants=network-online.target
    After=network-online.target
    ........
    ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet

       5. Run the password setup command (this may fail with an error if passwords already exist; how to handle that is covered later)

    [root@ECP-HK-1 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
    future versions of Elasticsearch will require Java 11; your Java version from [/opt/daho/oraclejdk/jdk1.8.0_91/jre] does not meet this requirement
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
    You will be prompted to enter passwords as the process progresses.
    Please confirm that you would like to continue [y/N]y
    Enter password for [elastic]:
    Reenter password for [elastic]:
    Enter password for [apm_system]:
    Reenter password for [apm_system]:
    Enter password for [kibana_system]:
    Reenter password for [kibana_system]:
    Enter password for [logstash_system]:
    Reenter password for [logstash_system]:
    Enter password for [beats_system]:
    Reenter password for [beats_system]:
    Enter password for [remote_monitoring_user]:
    Reenter password for [remote_monitoring_user]:
    Changed password for user [apm_system]
    Changed password for user [kibana_system]
    Changed password for user [kibana]
    Changed password for user [logstash_system]
    Changed password for user [beats_system]
    Changed password for user [remote_monitoring_user]
    Changed password for user [elastic]

      6. Then try to log in both without and with a password

    [root@ECP-HK-1 elasticsearch]# curl localhost:9200
    {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

    [root@ECP-HK-1 elasticsearch]# curl localhost:9200 -u elastic:{xxxxxx}
    {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
    [root@ECP-HK-1 elasticsearch]# curl localhost:9200 -u elastic:Zenlayer+1
    {
      "name" : "node-x",
      "cluster_name" : "xxxxxxxx",
      "cluster_uuid" : "xxxxxxxx",
      "version" : {
        "number" : "7.9.0",
        "build_flavor" : "default",
        "build_type" : "rpm",
        "build_hash" : "a479a2a7fce0389512d6a9361301708b92dff667",
        "build_date" : "2020-08-11T21:36:48.204330Z",
        "build_snapshot" : false,
        "lucene_version" : "8.6.0",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }

      7. If you remember the previous password, you can also change it this way

    curl -XPOST -u elastic "localhost:9200/_security/user/elastic/_password" -H 'Content-Type: application/json' -d'{"password" : "xxxxxxxx"}'

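      8. If you cannot remember the password, or got stuck at step 5, the following procedure will let you change the ES password

        8.1 Run the commands below, then repeat steps 1 through 5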

    [root@ECP-HK-1 elasticsearch]# curl -XGET "localhost:9200/_cat/indices" -H 'Content-Type: application/json'
    green  open .security-7 vmk9A-hrQYWsfn5fW9agiQ 1 0  7 0  25.4kb  25.4kb
    yellow open audit       E2IXUx_PRtyw3J0vPXHfWQ 5 1 51 0 295.4kb 295.4kb
    [root@ECP-HK-1 elasticsearch]# curl -XDELETE http://localhost:9200/.security-7
    {"acknowledged":true}
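
Step 8.1 sends you back through steps 1 to 5, so it helps to confirm that the settings from step 3 are really active before restarting. The following is an added example, not part of the original post: a shell check that reads a flat-key elasticsearch.yml and fails when `xpack.security.enabled` or `xpack.security.transport.ssl.enabled` is missing or still commented out. The function names `es_setting` and `es_auth_audit` and the sample files are constructed for illustration, and nested YAML is not handled.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers): audit the step 3 settings in elasticsearch.yml.
# Assumes flat dotted keys as shown on this page; nested YAML is not parsed.

# Print the value of an active (uncommented) key; print nothing if absent.
es_setting() {   # $1 = config file, $2 = dotted key
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)        # drop a trailing comment
            idx = index(line, ":")
            if (idx == 0) next
            k = substr(line, 1, idx - 1); v = substr(line, idx + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v              # report the last match
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 only when both security switches are active and set to true.
es_auth_audit() {   # $1 = config file
    audit_rc=0
    for audit_key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
        audit_val="$(es_setting "$1" "$audit_key")"
        if [ "$audit_val" = "true" ]; then
            echo "OK    $audit_key: true"
        else
            echo "FAIL  $audit_key is ${audit_val:-absent or commented out}"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed samples mirroring the file before (step 2) and after (step 3) the edit.
tmpdir="$(mktemp -d)"; trap 'rm -rf "$tmpdir"' EXIT
printf '%s\n' '#xpack.security.enabled: true' \
    '#xpack.license.self_generated.type: basic' \
    '#xpack.security.transport.ssl.enabled: true' > "$tmpdir/before.yml"
sed 's/^#//' "$tmpdir/before.yml" > "$tmpdir/after.yml"

es_auth_audit "$tmpdir/before.yml" || echo "=> security settings not active"
es_auth_audit "$tmpdir/after.yml"  && echo "=> security settings active"
```

On a real node, point `es_auth_audit` at the elasticsearch.yml used by the service and follow it with the unauthenticated `curl localhost:9200` from step 6, which should return status 401.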
Original article: https://www.cnblogs.com/wxm-pythoncoder/p/14573652.html