Set up Elasticsearch X-Pack security

Without minimal security enabled, many components will not work, for example:

  1. User roles management through Kibana
  2. Machine Learning
  3. Endpoint Protection
  4. and more.

In the first part of our lab, we set up an Elasticsearch cluster with three servers. To enable the minimum security requirements between all servers, it is required to stop all the servers and Kibana first.

Stop Elasticsearch:

sudo service elasticsearch stop

Stop Kibana:

sudo service kibana stop

Enabling minimal security

For each Elasticsearch server, add the following line to the elasticsearch.yml configuration file and start the Elasticsearch service:

xpack.security.enabled: true

Change password for system users

Requiring authentication for Elasticsearch and Kibana is the first step when enabling minimal security.

On the Node01 server, create the list of built-in users and their passwords by running the following commands:

cd /usr/share/elasticsearch/bin

./elasticsearch-setup-passwords auto

* Save all usernames and passwords in a secure location, like KeePass.

Add Kibana authentication

On the Kibana server, we will configure the default kibana_system user with a new password. Edit the kibana.yml configuration file:

elasticsearch.username: "kibana_system"

Add your own encryption key of at least 32 characters; it is required for enabling alerts and rules.

xpack.encryptedSavedObjects:
  encryptionKey: "b8707c3f9ffd788a02b2ec5f79aaea94b25638d8553afceb42cc3823344a9bec"

Store the password in the Kibana keystore

To keep your passwords secure, create a keystore by running these commands:

cd /usr/share/kibana/bin

./kibana-keystore create

Save the password for the kibana_system user in the keystore:

./kibana-keystore add elasticsearch.password

Elasticsearch Certificate Request

The next step is to enable certificate authentication between all Elasticsearch servers. Enable this by generating a CA certificate with the Elasticsearch certutil tool.

From the Node01 server, create the CA, which includes a private key and a public certificate. All Elasticsearch servers must trust this certificate. It is generated by the following commands:

cd /usr/share/elasticsearch/bin

./elasticsearch-certutil ca

Confirm the default file name [elastic-stack-ca.p12] and choose to protect the private key with a complex password.

Create trusted certificate for Elasticsearch server

Copy the CA file elastic-stack-ca.p12 to the Elasticsearch directory /etc/elasticsearch/ on each Elasticsearch server.

Set up TLS encryption between servers in a cluster

To set up TLS between all Elasticsearch servers that are members of the cluster, add the lines below to the elasticsearch.yml configuration file on each server.

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: elastic-stack-ca.p12

Save the private key password in the keystore on each member server:

cd /usr/share/elasticsearch/bin

./elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

./elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

It is important to grant read permissions on the elastic-stack-ca.p12 certificate file so the Elasticsearch service can open it:

chmod -v 640 elastic-stack-ca.p12

Check the new security settings by starting the Elasticsearch service on all servers and verifying that it works properly:

service elasticsearch start

Elasticsearch cluster health check

By adding a username and password to the GET request, we check the status of the Elasticsearch cluster. A "green" status means all is good :). For any other status, check for errors in the log file at /var/log/elasticsearch/elasticsearch.log.

Checking the status of the Elasticsearch cluster:

curl -X GET "localhost:9200/_cluster/health?pretty" -u elastic:fOFZzcnavlAtk8pW5l
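The health check above passes the elastic password on the command line, where it is visible in shell history and in ps output. The following script is an added example, not part of the original guide: it reads the password from an environment variable (ELASTIC_PASSWORD and ES_CACERT are assumed names), extracts the status from the health response, and maps it to an exit code a monitor can act on. The two JSON responses are constructed samples.

```shell
# Added example (not from the original guide): check cluster health without
# putting the elastic password on the command line, where it would land in
# shell history and in `ps` output for every local user.

# Constructed sample responses, shaped like /_cluster/health?pretty output.
SAMPLE_GREEN='{ "cluster_name" : "lab", "status" : "green", "number_of_nodes" : 3 }'
SAMPLE_RED='{ "cluster_name" : "lab", "status" : "red", "number_of_nodes" : 1 }'

# Read a health JSON document on stdin and print only the status value.
health_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Map a status to an exit code: green=0, yellow=1 (replica shards unassigned),
# red=2 (primary shards missing), anything else=3 (no status found at all).
health_rc() {
    case "$1" in
        green)  return 0 ;;
        yellow) return 1 ;;
        red)    return 2 ;;
        *)      return 3 ;;
    esac
}

# Query a live node. ELASTIC_PASSWORD (assumed name) must be set in the environment;
# ES_CACERT (assumed name), if set, pins the CA once https is enabled on port 9200.
es_health() {
    # $1 = node base URL, e.g. http://192.168.0.180:9200
    curl -sS ${ES_CACERT:+--cacert "$ES_CACERT"} \
        -u "elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD in the environment}" \
        "$1/_cluster/health?pretty" | health_status
}

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_GREEN" "$SAMPLE_RED"; do
    status=$(printf '%s\n' "$sample" | health_status)
    rc=0; health_rc "$status" || rc=$?
    echo "cluster status: ${status:-unknown} (exit code $rc)"
done
```

Run es_health against a node only after exporting ELASTIC_PASSWORD in the current shell, for example from the output of elasticsearch-setup-passwords saved earlier.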

Kibana authentication test

It is recommended to verify authentication from the Kibana server to the Elasticsearch servers using the kibana_system user:

curl -u kibana_system 'http://192.168.0.180:9200/_xpack/security/_authenticate?pretty'

Start Kibana and access the portal at:

http://192.168.0.183:5601/

As you can see in the image below, since minimal security is enabled, authentication is now required at the Kibana portal. Use the elastic user to access Kibana.

Kibana users and roles

Once security is enabled, a new option becomes available: users and roles can be created by accessing the following addresses:

http://192.168.0.183:5601/app/management/security/roles

http://192.168.0.183:5601/app/management/security/users

Kibana Roles List

Enable the Elasticsearch API

The second step in setting up minimal security is to set up secure access to the Elasticsearch servers using https only. This step is necessary to protect the information sent to Elasticsearch and is required for managing Elasticsearch through the API.

http://192.168.0.183:5601/app/management/security/api_keys

As you can see in the image below, API keys are not enabled by default. Allow API access by enabling https-only access.

API keys not enabled in elasticsearch

Elasticsearch Encrypt traffic

To set up secure access with https only, stop the Elasticsearch service on all servers:

sudo service elasticsearch stop

A TLS certificate can be obtained from:

  1. elasticsearch-certutil
  2. a self-signed certificate created with tools like openssl
  3. an Active Directory certificate authority

Use elasticsearch-certutil

To request certificates with elasticsearch-certutil from one server for all servers, run the commands below:

cd /usr/share/elasticsearch/bin/

./elasticsearch-certutil http

Generate a CSR? [y/N] n

Use an existing CA? [y/N] y

CA Path: /etc/elasticsearch/elastic-stack-ca.p12

Password for elastic-stack-ca.p12:

For how long should your certificate be valid? [5y]

Generate a certificate per node? [y/N] y

node #1 name: node01

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

node01

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

192.168.0.180

Generate additional certificates? [Y/n] y

Repeat the questions for each of the Elasticsearch servers.

After requesting certificates for all servers, answer no to the last prompt:

Generate additional certificates? [Y/n] n

The new certificates can be found in the archive /usr/share/elasticsearch/elasticsearch-ssl-http.zip.

Extract the archive and copy each server's certificate to its /etc/elasticsearch/ directory.

Extract and copy example for the node01 server:

unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip -d /tmp/

cp /tmp/elasticsearch/node01/http.p12 /etc/elasticsearch/

Once you have copied the http.p12 certificate to all the servers, configure the Elasticsearch servers to accept https requests by editing the elasticsearch.yml configuration file:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
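The transport settings from the previous section and the http settings just shown are easy to get subtly wrong on one node (a verification_mode of none, a missing client_authentication, a stray space in a keystore path). The following script is an added example, not part of the original guide or of Elastic's tooling: it audits a flat elasticsearch.yml for the settings this guide relies on and returns the number of problems as its exit status. The two sample files are constructed inline.

```shell
# Added example (not from the original guide): audit an elasticsearch.yml for the
# minimal-security settings set in this guide, for both the transport layer
# (node-to-node) and the HTTP layer (REST API). Run it on every node.
# Print the value of a flat "key: value" line (surrounding quotes removed), or nothing.
yml_get() {
    awk -v key="$2:" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}
# Compare one setting against a regex; count and describe anything weak or missing.
check_setting() {
    value=$(yml_get "$AUDIT_FILE" "$1")
    if ! printf '%s\n' "$value" | grep -Eq "$2"; then
        echo "  $1 = '${value:-<missing>}'  ->  $3"
        AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
    fi
}
# Exit status is the number of problems found (0 means the file passes).
audit_es_yml() {
    AUDIT_FILE=$1; AUDIT_PROBLEMS=0
    check_setting xpack.security.enabled '^true$' 'must be true'
    check_setting xpack.security.transport.ssl.enabled '^true$' 'must be true'
    check_setting xpack.security.transport.ssl.verification_mode '^(certificate|full)$' 'certificate or full; none skips CA validation'
    check_setting xpack.security.transport.ssl.client_authentication '^required$' 'required, so only nodes with a CA-signed cert can join'
    check_setting xpack.security.transport.ssl.keystore.path '^[^[:space:]]+\.p12$' 'one .p12 path, no stray spaces'
    check_setting xpack.security.http.ssl.enabled '^true$' 'must be true so the API is https only'
    check_setting xpack.security.http.ssl.keystore.path '^[^[:space:]]+\.p12$' 'path to http.p12'
    return "$AUDIT_PROBLEMS"
}
# Constructed sample files: one with weak or mistyped settings, one as the guide intends.
TMPD=$(mktemp -d)
cat > "$TMPD/weak.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-stack-ca .p12
EOF
cat > "$TMPD/good.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: elastic-stack-ca.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
EOF
audit_es_yml "$TMPD/weak.yml" || echo "$? setting(s) need attention in $TMPD/weak.yml"
audit_es_yml "$TMPD/good.yml" && echo "$TMPD/good.yml passes"
```

Point audit_es_yml at /etc/elasticsearch/elasticsearch.yml on each node before restarting the service; the weak sample reports five problems, the good one none.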

Keeping the private key password in the keystore

Before starting the Elasticsearch servers, add the certificate password to the keystore:

cd /usr/share/elasticsearch/bin

./elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Once you have saved the certificate password in the keystore, all Elasticsearch servers can be started.

Test the Elasticsearch API

More security features are now available from the Kibana portal: you can create your own token (API key) and start managing Elasticsearch using the REST API.

API management address:

http://192.168.0.183:5601/app/management/security/api_keys

Elasticsearch API enabled

Summary

Once we have set up X-Pack security, advanced options such as the API, managing users and roles, and machine learning are available for use.

In this guide we enabled certificate authentication between all Elasticsearch servers and enabled secure connections using https; we only allowed access to Elasticsearch and Kibana with user authentication.

Next steps

Send logs from IDS servers and Wazuh EDR to the Elasticsearch SIEM, use Kibana to detect threats such as malware traffic, and analyze network anomalies using Elasticsearch machine learning.
