Securing ELK

Hi,

I am trying to secure my ELK. I have been checking some documentation, tutorials and also topics in discuss.elastic.co, but everybody shows different steps and settings enabled, so I am confused.

*Note: I am using ELK 6.8.8 with a Basic License, running on Debian 10

My goals are:
1- Secure internal ELK communication
2- Secure foreign connections (be able to use https) coming from different beats (PCs and servers outside the ELK network) to ES, Kibana and Logstash
3- Create different users with different level access, so each one can see only specific dashboards

Questions:
1- What comes first?:
a) Enable xpack security in elasticsearch.yml
b) Generate a certificate

2- Should I set my cluster as a CA?

3- Which tool should I use to generate the certificate?:
a) /usr/share/elasticsearch/bin/elasticsearch-certutil
b) /usr/share/elasticsearch/bin/x-pack/certutil
c) If I can use any of the above, then which one would be recommended as the best option?

4- Cert format "p12" vs "PEM". Do I need to select one or the tool being used to generate the cert will determine the output format?

5- Which tool should I use to generate the system passwords (ES, Kibana, etc.)?:
a) /usr/share/elasticsearch/bin/elasticsearch-setup-passwords
b) /usr/share/elasticsearch/bin/x-pack/setup-passwords

6- Should I use:
a) elasticsearch-keystore
b) kibana-keystore
c) Both

7- Should I use:
a) "xpack.security.transport.ssl" ?
b) "xpack.security.http.ssl" ?
c) "xpack.monitoring" ?
d) All?

Maybe these are a lot of questions, but I would appreciate it, and it would be helpful, if you could answer them all.

Thanks in advance

I am trying to follow one or two tutorials (like the following)

I was able to find some of the answers I need, but I am still going to need some help.

3- Which tool should I use to generate the certificate?:
a) /usr/share/elasticsearch/bin/elasticsearch-certutil
b) /usr/share/elasticsearch/bin/x-pack/certutil
c) If I can use any of the above, then which one would be recommended as the best option?

5- Which tool should I use to generate the system passwords (ES, Kibana, etc.)?:
a) /usr/share/elasticsearch/bin/elasticsearch-setup-passwords
b) /usr/share/elasticsearch/bin/x-pack/setup-passwords

6- Should I use:
a) elasticsearch-keystore
b) kibana-keystore
c) Both

7- Should I use:
a) "xpack.security.transport.ssl" ?
b) "xpack.security.http.ssl" ?
c) "xpack.monitoring" ?
d) All/other?

Also I am facing the following issue when trying to enable xpack:

I am able to:

  • Generate a certificate

  • Enable xpack in ES config file by adding these lines (not sure if I need all of them)

    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Here comes the issue:
After restarting the ES service and attempting to generate the passwords, I get this error:

user1@testserver:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: Falling back to java on path. This behavior is deprecated. Specify JAVA_HOME

Connection failure to: https://192.168.0.179:9200/_xpack/security/_authenticate?pretty failed: Connection refused (Connection refused)

ERROR: Failed to connect to elasticsearch at https://192.168.0.179:9200/_xpack/security/_authenticate?pretty. Is the URL correct and elasticsearch running?
user1@testserver:~$

Also the ES log output can be found here https://pastebin.com/H302an8H

Just for the record, I did not install any additional Java for ELK, so it must be using the bundled version.

I don't know if I am missing a step or if there is something wrong with my ELK.

Thanks
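A pre-flight probe, added here as an example (it is not part of the thread and not Elastic's tooling), that walks the same three steps elasticsearch-setup-passwords takes against https://host:9200 and reports the first one that fails. The "Connection refused" shown above is a TCP-level answer: it is raised before any certificate, keystore password or user is involved, and it means that at the moment the tool ran nothing on 192.168.0.179 was accepting connections on port 9200. That usually means the Elasticsearch process did not come up after the restart, or bound to a different address, and the place to look is `systemctl status elasticsearch` and the Elasticsearch log (on the Debian package, under /var/log/elasticsearch/). The host, port, CA file path and the mock listener in the block are assumptions constructed for the example, as marked in the comments.

```python
"""Pre-flight probe mirroring what elasticsearch-setup-passwords does before it
can set any password: open TCP, complete a TLS handshake, then request
/_xpack/security/_authenticate and read the HTTP status.

Added example for this thread, not Elastic's code. Host, port and the CA file
are assumptions; the mock listener exists only so the probe runs offline.
"""
import http.client
import socket
import ssl
import threading

AUTH_PATH = "/_xpack/security/_authenticate"  # endpoint the 6.x tool calls


def free_port():
    """Ask the kernel for an unused loopback port (used by the offline demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def classify_status(code):
    """Map the HTTP status of an unauthenticated request to what it means."""
    if code == 401:
        return {"status": "ready",
                "advice": "security is on and HTTPS works; run setup-passwords now"}
    if code == 200:
        return {"status": "security_disabled",
                "advice": "request succeeded without credentials; set "
                          "xpack.security.enabled: true and restart"}
    return {"status": "unexpected_http_%d" % code,
            "advice": "check elasticsearch.yml and the Elasticsearch log"}


def probe(host, port, cafile=None, verify_hostname=True, timeout=3.0):
    """Return a dict naming the stage (tcp, tls, http) at which the probe stopped.

    cafile: PEM file with the CA that signed the HTTP certificate. Without it
    the server certificate is NOT verified (diagnostic use only).
    verify_hostname=False is needed when the certificate carries no SAN for
    `host`, which is what certutil produces when --dns/--ip are not given.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif not verify_hostname:
        ctx.check_hostname = False
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", AUTH_PATH)
        code = conn.getresponse().status
    except ConnectionRefusedError:
        return {"stage": "tcp", "status": "refused",
                "advice": "nothing is listening on %s:%d; Elasticsearch is not "
                          "running or is bound to another address (check "
                          "network.host, systemctl status and the log)" % (host, port)}
    except (socket.timeout, TimeoutError):
        return {"stage": "tcp", "status": "timeout",
                "advice": "host or port is filtered; check the firewall and network.host"}
    except ssl.SSLCertVerificationError as exc:
        return {"stage": "tls", "status": "untrusted_certificate", "advice": str(exc)}
    except ssl.SSLError as exc:
        return {"stage": "tls", "status": "handshake_failed",
                "advice": "port answers, but not with TLS: xpack.security.http.ssl "
                          "is off or this is an http-only listener (%s)" % exc}
    except OSError as exc:
        return {"stage": "tcp", "status": "error", "advice": str(exc)}
    finally:
        conn.close()
    result = classify_status(code)
    result["stage"] = "http"
    return result


def start_plain_http_listener():
    """Constructed mock: a loopback socket that answers any bytes with plain HTTP,
    standing in for an Elasticsearch whose HTTP layer has no TLS enabled."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            client, _ = srv.accept()
            with client:
                client.settimeout(5)
                client.recv(4096)           # drain the ClientHello
                client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
                try:
                    client.recv(4096)       # wait for the client to hang up
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Host and port taken from the error in the thread; adjust for your cluster.
    print(probe("192.168.0.179", 9200))
```

To verify the server certificate instead of skipping it, pass cafile= pointing at a PEM copy of the CA; a PKCS#12 CA from certutil can be exported with `openssl pkcs12 -in elastic-stack-ca.p12 -nokeys -out ca.crt` (file names assumed). elasticsearch-setup-passwords itself reads the xpack.security.http.ssl.* settings from elasticsearch.yml to trust the HTTP certificate and accepts `-u https://host:9200` to choose the address; the probe only reproduces that path so the failing stage is visible.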
