Amazon

HowTo: Enable HTTP to HTTPS redirection in tomcat for server under elb.

Posted on Updated on

I have installed Tomcat native method APR which is very lite to handle the serverlet request, For secure the logins, it is better to configure force redirection.

I followed the below methods,  in amazon server.

1, Configure SSL with port redirection in AWS firewall

ELB-tomcat

 

 

 

 

2, Edit the tomcat configuration for SSL redirection, Modify the below parts in the conf file.

/usr/local/apache-tomcat-7.0.47/conf/server.xml

<Connector port="80" protocol="HTTP/1.1"
 enableLookups="false"
 connectionTimeout="20000"
 redirectPort="443" />

SSL Certifice configuration in APR tomcat native method

<Connector
 protocol="HTTP/1.1"
 port="443" maxThreads="500"
 scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="${catalina.home}/conf/keystore/wacom.crt"
 SSLCertificateKeyFile="${catalina.home}/conf/keystore/wacom.key"
 SSLCACertificateFile="${catalina.home}/conf/keystore/wacom.intermediate.ca"
 SSLVerifyClient="optional" SSLProtocol="TLSv1"/>

3, edit the Aplications web.xml for force redirection. webapps/ROOT/WEB-INF/web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Verify :

curl -I http://domain.com/ROOT
HTTP/1.1 302 Found
Content-length: 0
Date: Fri, 31 Oct 2014 16:33:42 GMT
Location: https://domain.com/login;jsessionid=5B5B0B1292597816EA2C5DE89B298F74
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B5B0B1292597816EA2C5DE89B298F74; Path=/; HttpOnly
Connection: keep-alive

 

Howto: Allowing SFTP access while chrooting the user and denying shell access.

Posted on Updated on

Usually SFTP will allow a system user to access their home directory to upload and download files with their account. The SFTP user can navigate anywhere in the server some times can download files it will produce security vulnerability.

The Chroot for SFTP will be denied to access the rest of the system as they will be chrooted to the user home directory. Thus users will not be able to snoop around the system to /etc or application directories. User login to a shell account will also be denied.

I the below procedures will allowed me to enable SFTP security,

1, Add a new group

2, Create a Chroot dir for launch the logins, which should owned by root

3, Modify sftp-internal for forcing chroot dir

4, reload the configuration

Steps :

Create Chroot launch directory with other have no previlege

mkdir /opt/chroot
chown root:root /opt/chroot
chmod 700 /opt/chroot

Create a common group for the chrooted users , SSH rule will work for the group

groupadd sftpgroup
useradd -g sftpgroup -s /sbin/nologin  -d /opt/chroot/planetuser planetuser
passwd planetuser

Modify ssh configuration

vi /etc/ssh/sshd_config

Comment the general sftp subsubsystem and add new rule

#Subsystem sftp /usr/lib/openssh/sftp-server

#Add the line 
Subsystem sftp internal-sftp

# Rules for sftp group
Match group sftpgroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Then restart SSH service

service sshd restart

Howto: Setup and Secure Linux SSH Logins to use Private PEM Keys

Posted on Updated on

One of the most secure way to connect ssh from public is through private Key, the key authentication mechanism won’t allow the attackers to make stress to the ssh service even it won’t allow DDOS or brute force attacks. This is default login type for Amazon EC2 servers, is providing single key for the default user we can add multiple according to the requirement.

Here My requirement is, create a new user and allow the user to login with different key so the user will launch to it own home dir and limited to the privilege. I followed the below steps to create key pair

1, Create key pair from any of the unix system which will generate two keys public and private.

2, Appened the public key to the users ssh authorizedkey file.

3, Keep the private with yor self and pass through along with the ssh connection.

Steps1: Create new User

useradd anand

Step2: Generate the Public/Private key files

ssh-keygen -b 1024 -f anand -t dsa
ls -la anand*
-rw-r--r-- 1 root root 1200 Oct 10 09:57 anand.pub
-rw-r--r-- 1 root root 1812 Oct 10 09:57 anand.pem
Step3: adding key file to the user’s ssh authorized keys
mkdir /home/anand/.ssh
cat anand.pub >>  /home/anand/.ssh/authorized_keys
chmod 600  /home/anand/.ssh/authorized_keys
chmod 700 /home/anand/.ssh/
chown -R anand  /home/anand/.ssh/
Step4: Now Login with the .pem file
ssh -i anand.pem anand@planetcure.in
The authenticity of host 'planetcure.in (54.203.253.9)' can't be established.
RSA key fingerprint is 6b:69:6f:86:94:6a:18:1d:ea:dc:0d:1d:af:9d:2f:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'planetcure.in' (RSA) to the list of known hosts.
anand@planetcure.in's password: 
[anand@planetcure ~]$
It seems working fine,

HowTo: Change Instance store AMI to EBS-backend AMI

Posted on Updated on

Amazon not providing any feature for changing AMI root device type, once we generate an instance with Instance-store  we can’t upgrade the instance because for upgrading instance should stop. The stop option is disable for such instance-store AMI’s. I followed the steps below, It can be workout by two ways either using rsync or dd

Here is the steps:

  • Create an EBS vol with size as same or more, I used 10G because my existing instance having 10G on root.

EBS_fresh

After creating which is look like this

EBS_new

  • Attach the EBSLogin to existing Instance-store backend AMI,

Right- click and select Attach Volume,

EBS_attach

  • Login to the Instance-store backend  server, and stop all the running services (Optional), (eg., mysqld , httpd , xinted )

Execute the the disk mirroring commands below, it will take few min to complete according to the server perfomance.

[root@ip-10-128-5-222 ~]# dd bs=65536 if=/dev/sda1 of=/dev/sdf

or

mkfs.ext3 /dev/sdf                              #create filesystem
mkdir /mnt/ebs                                  #New dir for mounting 
mount /dev/sdh /mnt/ebs                         #Mount as a partition
rsync -avHx / /mnt/ebs                          #Synchronizing root and ebs  
rsync -avHx /dev /mnt/ebs                       #Synchronizing device informations  
tune2fs -L '/' /dev/sdf                         #Creating partition label for ebs  
sync;sync;sync;sync && umount /mnt/ebs          #Sync and umounting ebs 

Check the EBS volume for consistency

[root@ip-10-128-5-222 ~]# fsck /dev/sdf
 fsck 1.39 (29-May-2006)
 e2fsck 1.39 (29-May-2006)
 /dev/sdf: clean, 126372/1310720 files, 721346/2621440 blocks

Mount the EBS volume into the instance, Remove the /mnt entry from the fstab on your EBS vol

[root@ip-10-128-5-222 ~]# mount /dev/sdf /mnt/ebs-vol
[root@ip-10-128-5-222 ~]# vim /root/ebs-vol/etc/fstab
  • Create a snapshot of the EBS volume using the AWS management console

Right-Click the EBS_vol –> select Create Snapshot , it will take few min to create

EBS_snapshot

After creating snapshot it will list under snapshot list.

EBS_snapshotpng

Now Right-click snapshot  –> select Create Image from snapshot

EBS_create_image

  • Launch new EC2 using newly create AMI, so while creating new EC2 you can select any instance type also you may use the same keypair and Elastic IP for the new instance

Creating New instance using new AMI.

NEW_EC2

Running instance

EC2_newpng

  • Now you can login to the new server, If you select more than the size of snapshot you have to use the below command to retain the storage back
#resize2fs /dev/sda1
  •  Successfully migrated the server as EBS-backend. Start all the services if it is necessary, This time we can upgrade the instance type

HowTo: S3 bucket dynamic URI access

Posted on Updated on

s3cmd is a command line tool for uploading, retrieving and managing data in Amazon S3. Still their are no wiki is updated.
you may get the packages from sourceforge official

Also the download repository is available here : Download Now

It will also support including unix dynamic resource access method, for example we can use * for calling all the resources or {dir1,file2} for specific resource.

I was shown in the example for setting up public acl for dynamic sub directories.

Installation:

root@planetcure:wget http://kaz.dl.sourceforge.net/project/s3tools/s3cmd/1.0.1/s3cmd-1.0.1.tar.gz
root@planetcure:tar -zxvf s3cmd-1.0.1.tar.gz
root@planetcure:export  PATH=$PATH:/opt/installer/s3cmd-1.0.1

Now we can access the binary from any of the location.

root@planetcure:/opt/installer/s3cmd-1.0.1# s3cmd setacl --acl-public s3://my-bucket-name/{dev,stg1,stg2}/*/dir5/*/3/*

This command will execute the following scenarios

s3://my-bucket-name/  is my S3 bucket

* will represent all the subdirectories

{dev,stg1,stg2} will represent the specific directories from the group of directories

dir5/ ,3/ will represent specific sub-directory

Enjoy the day, 🙂

HowTo: Set Up Multiple SSL Certificates on One IP with Apache

Posted on Updated on

As the Apache Web server grows and matures, new features are added and old bugs are fixed. Perhaps one of the most important new features added to recent Apache versions (2.2.12, to be specific) is the long-awaited support for multiple SSL sites on a single IP address.

prerequisites,

  • The server, obviously, must use Apache 2.2.12 or higher.
  • It must also use OpenSSL 0.9.8f or later and must be built with the TLS extensions option.
  •  Apache must be built against this version of OpenSSL as it will enable SNI support if it detects the right version of OpenSSL — the version of OpenSSL that includes TLS extension support.( Default installation contains all these things)

Note:

SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.

Here am using wild card SSL for hosting two sub-domain in single server, similearly we can also use different ssl for different domain with the same IP.

Follow the basic installation of apache

Redhat :

[root@ip-10-132-82-251 ~]# yum install httpd openssl openssl-devel mod_ssl

Ubuntu:

apt-get install apache2 openssl mod_ssl

Get the the certificate from the authority or use self singed SSL, Verify you have enabled SSL module in the existing apache installation

[root@ip-10-132-82-251 ~]# httpd -M  |grep ssl

Add the following lines in the apace main configuration file httpd.conf

[root@ip-10-132-82-251 ~]#  vi /etc/httpd/conf/httpd.conf 
###FOR SSL
NameVirtualHost *:443
<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Create the Virtual Hosts

Once you downloaded all required files for SSL, proceed to creating Vhost.

Here is the Vhost entry that I used

[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf.d/domain1-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName domain1.mydomain.com
        DocumentRoot "/opt/web-home/domain1/public_html"
        <Directory />
                Options FollowSymLinks
                AllowOverride all
        </Directory>
        <Directory /opt/web-home/domain1/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /opt/web-home/domain1/public_html/cgi-bin/
        <Directory "/opt/web-home/domain1/public_html/cgi-bin/">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/certs/planetcure.in.crt
SSLCertificateKeyFile /etc/ssl/certs/planetcure.in.key
SSLCertificateChainFile /etc/ssl/certs/planetcure.in.csr
SSLCACertificateFile /etc/ssl/certs/planetcure.in.ca
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
</IfModule>
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

You can also create more Vhost files using this entry. By changing the domain name and the SSL path.

Now restart the apache

[root@ip-10-132-82-251 ~]# service httpd restart

To verify the list of enabled vhost, use the below command

[root@ip-10-132-82-251 ~]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2)
         port 443 namevhost domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2)
         port 443 namevhost domain2.planetcure.in (/etc/httpd/conf.d/domain2-ssl.conf:2)
Syntax OK

Phew, these domains having their own SSL with single IP 🙂

Info: Linux I/O Performance Tests For HDD ageing calculation

Posted on Updated on

Hard Disk Data Transfer Speed measuring technique

How do you find out how fast is your hard disk under Linux? Is it running at SATA I (150 MB/s) or SATA II (300 MB/s) speed without opening computer case or chassis?

hdparm -tT /dev/sda
Output:
/dev/sda:
 Timing cached reads:   19884 MB in  2.00 seconds = 9954.83 MB/sec
 Timing buffered disk reads: 276 MB in  3.00 seconds =  91.88 MB/sec

To find HDD supported speed

hdparm -I /dev/sda | grep -i speed

Output:

       *    Gen1 signaling speed (1.5Gb/s)
       *    Gen2 signaling speed (3.0Gb/s)
       *    Gen3 signaling speed (6.0Gb/s)

Similarly you can use the dd command as follows to get speed info too:

Disk speed indicative of performance, different test different things,  on virtual environments (such as OpenVZ and KVM) and dedi, some tests might be better for some of them.

You can use the dd command as follows to get speed info too:

dd if=/dev/zero of=test bs=64k count=16k conv=fdatasync 
16384+0 records in 
16384+0 records out 
1073741824 bytes (1.1 GB) copied, 24.6998 s, 43.5 MB/

How to judge your result (note that this is only accurate for the exact test above)

  • 0-25 MB/s -> Garbage
  • 25-70 MB/s -> Acceptable
  • 70-120 MB/s -> Good
  • >120 MB/s -> Excellent