VPC Security! it’s a must!

In this blog post we are going to take a look at Security Groups and Network Access Control Lists (NACLs) in AWS.

We will also see what the difference between them is and how we can use them to increase our security in the cloud.

Security Groups

Before we talk about security groups, it’s important that you know what they look like in AWS.

AWS Security groups

So what are security groups?!

  1. Control how traffic is allowed into or out of your EC2 instances.
  2. Security groups are stateful (return traffic is automatically allowed)
    • if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  3. Can be attached to multiple instances
  4. Locked down to a Region/VPC
  5. All inbound traffic is blocked by default
  6. All outbound traffic is authorised by default
  7. You can specify allow rules, but not deny rules.

You can also reference another security group instead of an IP address.

Let’s take an example of that.

In this example we can see that EC2-1 and EC2-2 are allowed to send traffic to EC2-3.

That is because EC2-3 has a security group (named SG-200) with an inbound rule that allows access from any machine that has the security group SG-100 assigned to it.

Inbound EC2-3

Source | Protocol | Port range | Description
The security group ID (sg-100) | All | All | Allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group.

Security group example

Now let’s talk about Network Access Control Lists (NACLs).

AWS NACL

Key Notes about NACL

  • Control traffic between different subnets in the same VPC
  • Stateless – we need to explicitly open outbound traffic
  • Works at subnet level – automatically applied to all instances in the subnet
  • Contains both allow and deny rules
  • Rules are evaluated in order of rule number
  • The default NACL allows all inbound and outbound traffic
  • NACLs are a great way of blocking a specific IP at the subnet level

Inbound

Rule # | Type | Protocol | Port range | Source | Allow/Deny
100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY

Outbound

Rule # | Type | Protocol | Port range | Destination | Allow/Deny
100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY

NACL Example

Most important – by default, subnets in the same VPC can communicate without any restriction, because the default NACL permits all traffic inside the VPC.

It’s always recommended to use NACLs to limit access between subnets.
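An added example (not from the post) that models the key notes above in Python: rules are checked in rule-number order with the “*” rule as the final deny, and because a NACL is stateless the reply half of a connection needs its own outbound rule. The rule sets, the SSH flow and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # rule number; lower numbers are evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str         # source CIDR (inbound) or destination CIDR (outbound)
    action: str       # "allow" or "deny"


# The "*" catch-all rule every NACL ends with, modelled as the highest number.
DEFAULT_DENY = NaclRule(99999, "all", 0, 65535, "0.0.0.0/0", "deny")


def evaluate_nacl(rules, protocol, port, address):
    """Stateless, ordered evaluation: the first rule matching the packet wins."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"  # not reached: DEFAULT_DENY matches every packet


def ssh_session(inbound, outbound, client_ip, client_port=50123):
    """Both halves of one SSH connection through the subnet NACL (constructed flow).
    Returns (request_allowed, reply_allowed). A security group would allow the reply
    implicitly; the NACL allows it only if an outbound rule covers the client's
    ephemeral port."""
    request = evaluate_nacl(inbound, "tcp", 22, client_ip) == "allow"
    reply = evaluate_nacl(outbound, "tcp", client_port, client_ip) == "allow"
    return request, reply


# Constructed sample NACL: SSH in, HTTPS out, nothing else.
INBOUND = [NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")]
OUTBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fix: also allow the ephemeral port range so SSH replies can leave the subnet.
OUTBOUND_FIXED = OUTBOUND + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Blocking one IP: the deny must be numbered BELOW the broad allow or it never runs.
BLOCK_TOO_LATE = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),
                  NaclRule(200, "all", 0, 65535, "203.0.113.10/32", "deny")]
BLOCK_EFFECTIVE = [NaclRule(90, "all", 0, 65535, "203.0.113.10/32", "deny"),
                   NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(ssh_session(INBOUND, OUTBOUND, "203.0.113.10"))            # (True, False)
    print(ssh_session(INBOUND, OUTBOUND_FIXED, "203.0.113.10"))      # (True, True)
    print(evaluate_nacl(BLOCK_TOO_LATE, "tcp", 22, "203.0.113.10"))   # allow
    print(evaluate_nacl(BLOCK_EFFECTIVE, "tcp", 22, "203.0.113.10"))  # deny
```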

Compare security groups and network ACLs

The following table summarizes the basic differences between security groups and network ACLs.

Security group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Rules are processed in order, starting with the lowest numbered rule, when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)

Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

SSH to your Linux Server using Google Authenticator app

In this section, we will learn how to secure your SSH connection with MFA using the Google Authenticator app.

Before we start, go ahead and download the Google Authenticator app to your mobile device.

After you have successfully downloaded and installed the Google Authenticator app on your mobile device, go to your Linux server and install the google-authenticator PAM module by typing this command:

swarm@swarm3:~$ sudo apt install libpam-google-authenticator
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libpam-google-authenticator is already the newest version (20191231-2).
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded

After the installation completes, type the following command:

swarm@swarm3:~$ google-authenticator

  • Follow the instructions and scan the QR code with your Google Authenticator mobile app
  • You can type yes for every question that you encounter during the process of setting up the Google Authenticator app
  • After completion, save the emergency scratch codes in a secure location; you will need them in case you lose your phone
  • You can do this process for every user on your Linux server.

Now we will need to enable “ChallengeResponseAuthentication” in the ssh config file.

swarm@swarm3:~$ sudo vi /etc/ssh/sshd_config

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Don’t forget to save the file by pressing :wq


Restart the SSH service:

swarm@swarm3:~$ sudo systemctl restart ssh


The final step is to add the google authentication module to the PAM ssh config file:

swarm@swarm3:~$ sudo vi /etc/pam.d/sshd

Add this line to the end of the config file and save the file:

auth required pam_google_authenticator.so

That’s it, now you can SSH to your server using Google Authenticator:

Verification code: enter the code shown in the Google Authenticator app on your mobile device.
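As an added example (not from the post), here is how the six-digit code the app shows is derived and checked on the server side, following RFC 4226/6238 as the google-authenticator module does: HMAC-SHA1 over the 30-second time step, a tolerance window for clock drift, and refusal to accept a code at or below the last counter already used (the “disallow reuse” question answered yes above). The base32 secret is the RFC test vector, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890") in base32, the same
# encoding as the key stored in ~/.google_authenticator. Not a real secret.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time=None):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / 30 s)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify_totp(secret_b32, submitted, unix_time, last_counter=None, window=1):
    """Server-side check. Returns the accepted time-step counter, or None.
    window=1 tolerates one step of clock drift either way; a counter at or below
    last_counter (the last code accepted for this user) is refused as a replay."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            if last_counter is not None and counter <= last_counter:
                return None
            return counter
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the expected code is 287082
    print(totp(TEST_SECRET, now))
    print(verify_totp(TEST_SECRET, "287082", now))                  # 1
    print(verify_totp(TEST_SECRET, "287082", now, last_counter=1))  # None (replay)
```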

Install Zabbix Server 5.0 LTS on CentOS 8.

Zabbix Server depends on the following software applications:

  • MySQL database server
  • Apache web server
  • PHP with required extensions
  • For this installation I used this image CentOS-8.2.2004-x86_64-minimal

If you’re not a fan of SELinux, I recommend setting it to Permissive mode.

setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

Install and configure Zabbix server for your platform

a. Install Zabbix repository

# rpm -Uvh https://repo.zabbix.com/zabbix/5.0/rhel/8/x86_64/zabbix-release-5.0-1.el8.noarch.rpm
# dnf clean all

b. Install Zabbix server, frontend, agent

# dnf install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-agent

Install MySQL Server on CentOS 8

Install MySQL Database Server

sudo dnf install mysql-server

Activate the MySQL service using the command below:

sudo systemctl start mysqld.service
sudo systemctl enable mysqld

Secure MySQL by changing the default password for MySQL root:

mysql_secure_installation
Enter current password for root (enter for none): Press Enter
Set root password? [Y/n]: Y
New password: <Enter root DB password>
Re-enter new password: <Repeat root DB password>
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Once the database server is installed, you need to create a database and a user for Zabbix:

c. Create initial database

Run the following on your database host.

Don’t forget to change the password before you copy this code.

mysql -uroot -p
password
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> create user zabbix@localhost identified by 'password';
mysql> grant all privileges on zabbix.* to zabbix@localhost;
mysql> quit;

Import Zabbix Server database schema

zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix

d. Configure the database for Zabbix server

Edit file /etc/zabbix/zabbix_server.conf

DBPassword=password

e. Configure PHP for Zabbix frontend

Edit file /etc/php-fpm.d/zabbix.conf, uncomment and set the right timezone for you.

; php_value[date.timezone] = Asia/Jerusalem

File Example:

php_value[max_execution_time] = 300
php_value[memory_limit] = 128M
php_value[post_max_size] = 16M
php_value[upload_max_filesize] = 2M
php_value[max_input_time] = 300
php_value[max_input_vars] = 10000
php_value[date.timezone] = Asia/Jerusalem

Configure firewall

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --add-port={10051/tcp,10050/tcp} --permanent
firewall-cmd --reload

f. Start Zabbix server and agent processes

Start Zabbix server and agent processes and make it start at system boot.

systemctl restart zabbix-server zabbix-agent httpd php-fpm
systemctl enable zabbix-server zabbix-agent httpd php-fpm

Open Zabbix URL: http://<server_ip_or_name>/zabbix in your browser.

Confirm that all pre-requisites are satisfied.

Configure DB settings

Finish installation

Configure email notifications

AWS S3 Bucket – Secure File Sharing

In this blog post, we will create an S3 bucket with a policy that only allows us to connect to a specific folder in the bucket, and only from a specific IP.

The Main Advantages of this service:

  • Unlimited storage
  • Low cost
  • Ability to transfer data to cold/archive storage
  • Limit access by IP and folder
  • Backup/redundancy
  • Can be created in any region

Disadvantages

  • Hard to manage users
  • Need basic knowledge of JSON and AWS
  • Limited to specific SFTP clients that support S3 buckets

Let’s start; first let’s create an S3 bucket.

To create a bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. Choose Create bucket.
  3. In Bucket name, enter a DNS-compliant name for your bucket. The bucket name must:
    • Be unique across all of Amazon S3.
    • Be between 3 and 63 characters long.
    • Not contain uppercase characters.
    • Start with a lowercase letter or number. After you create the bucket, you can’t change its name. For information about naming buckets, see Rules for bucket naming in the Amazon Simple Storage Service Developer Guide. Important: avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.
  4. In Region, choose the AWS Region where you want the bucket to reside. Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.
  5. In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket. (Please leave all settings enabled.)
  6. After you have successfully created the bucket, enter it and create a Home folder; inside the Home folder we will create two more folders, one named Devops and the second named IT.

Now let’s create the IAM policy

To create your own IAM policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Policies, and then choose Create Policy. If a Get Started button appears, choose it, and then choose Create Policy.
  3. In Create policy, select the JSON tab and paste the code below. (Don’t forget to change <Bucketname> and <YourpublicIP> in the JSON to your actual bucket name and the public IP you are connecting from.)
  4. Click Review policy, give the policy a name and click Create policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToAccessFolder2Only",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>/Home/Devops/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Home/Devops/**"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "<YourpublicIP>"
                    ]
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        }
    ]
}
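To see what this policy actually decides before attaching it to a user, here is an added example (not from the post) that evaluates requests against the policy above with the IAM rule that an explicit Deny beats any Allow, and otherwise nothing is allowed unless a statement allows it. The bucket name and the office IP are constructed placeholders standing in for <Bucketname> and <YourpublicIP>; only the three condition operators the policy uses are implemented.

```python
import fnmatch
import ipaddress

BUCKET = "example-bucket"    # constructed, stands in for <Bucketname>
OFFICE_IP = "198.51.100.7"   # constructed, stands in for <YourpublicIP>

# The post's policy with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:PutObject*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/Home/Devops/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"],
         "Condition": {"StringLike": {"s3:prefix": ["Home/Devops/**"]}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [OFFICE_IP]},
                       "Bool": {"aws:ViaAWSService": "false"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    """Every operator and every key must hold; a key holds if any value matches."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            actual = context.get(key)
            if operator == "StringLike":
                ok = actual is not None and any(
                    fnmatch.fnmatchcase(actual, v) for v in _as_list(values))
            elif operator == "NotIpAddress":
                # Negated operator: a missing key counts as true (assumption from IAM docs).
                ok = actual is None or not any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                    for v in _as_list(values))
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(values).lower()
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    actions = [a.lower() for a in _as_list(stmt["Action"])]   # IAM actions are case-insensitive
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context):
    """IAM decision order: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def request_context(source_ip, prefix=None, via_service=False):
    """Constructed request context: caller IP, optional ListBucket prefix, service flag."""
    ctx = {"aws:SourceIp": source_ip, "aws:ViaAWSService": "true" if via_service else "false"}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    return ctx
```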

After we have created the policy, let’s create an IAM user and attach the new policy to it.

Creating IAM users (console)

You can use the AWS Management Console to create IAM users.

To create one or more IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user.
  4. Select the type of access this set of users will have. We will select programmatic access.

Type the name of the policy that you previously created.

Click Next and create the user.

Save the access key ID and secret access key in a secure location; we will use them to connect to our bucket.

That’s it! Let’s now connect to our S3 bucket

  1. Download WinSCP
  2. File protocol – Amazon S3
  3. Click on Advanced and set the remote directory
  4. Enter the access key ID and secret access key and click Login

Change Docker Root Directory location.

In this post I am going to show you how to find the Docker root directory and how to change its location so that Docker saves its files somewhere else (for backup or high availability).

These are the commands to find and verify the Docker root folder.

root@master:~# docker info | grep -i root
 Docker Root Dir: /var/lib/docker

root@master:~# sudo du -sh /var/lib/docker/
2.7G    /var/lib/docker/

root@master:~# cd /var/lib/docker/
root@master:/var/lib/docker# ll
total 56
drwx--x--x 14 root root 4096 Nov 16 11:31 ./
drwxr-xr-x 40 root root 4096 Nov 16 07:53 ../
drwx------  2 root root 4096 Nov 16 07:53 builder/
drwx--x--x  4 root root 4096 Nov 16 07:53 buildkit/
drwx------  2 root root 4096 Nov 17 12:58 containers/
drwx------  3 root root 4096 Nov 16 07:53 image/
drwxr-x---  3 root root 4096 Nov 16 07:53 network/
drwx------ 46 root root 4096 Nov 17 12:58 overlay2/
drwx------  4 root root 4096 Nov 16 07:53 plugins/
drwx------  2 root root 4096 Nov 16 11:31 runtimes/
drwx------  2 root root 4096 Nov 16 07:53 swarm/
drwx------  2 root root 4096 Nov 17 12:42 tmp/
drwx------  2 root root 4096 Nov 16 07:53 trust/
drwx------ 13 root root 4096 Nov 16 13:41 volumes/

To change the location of the root directory:

  • Stop all containers
  • Stop the Docker service

sudo systemctl stop docker

After all the above is done, we need to edit the Docker service file.

sudo vi /lib/systemd/system/docker.service

Now we need to move the docker folder from its old location to the new one.

root@master:/var/lib/docker# sudo rm -rf /mnt/docker

root@master:/var/lib/docker# ls /mnt/

root@master:/var/lib/docker# mv docker /mnt/

After we moved the folder we need to start the service again.

sudo systemctl restart docker

That’s it, you are ready to keep using Docker 🙂

Setup Snipe-IT on Ubuntu.

Snipe-IT Open Source Asset Management

Installation Details

  • Infrastructure: AWS
  • AMI ID: RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2 (ami-07dfba995513840b5)
  • Instance type : t2.medium
  • Instance Hardware: 2vcpu , 4G Memory.

What is Snipe-IT?

Snipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories are available, and so on.


Let’s start:

Update Ubuntu:

sudo apt update
sudo apt upgrade

Install Apache2 HTTP:

sudo apt install apache2 -y

To find out if Apache2 HTTP server is installed, simply open your web browser and type in the server’s IP or hostname.

When you see the page similar to the one below, then Apache2 is installed and working.

apache2 ubuntu install

Install PHP:

sudo apt install php -y
sudo apt install php7.2-mbstring php7.2-curl php7.2-mysql php7.2-ldap php7.2-zip php7.2-bcmath php7.2-xml php7.2-gd -y

Install MySQL:

sudo apt install mysql-server -y

Create the database:

sudo mysql -u root

You should now be at the MySQL prompt (mysql>).

Create the database and the user and grant permissions to the user.

mysql> create database snipeit;
mysql> create user snipe_user;
mysql> grant all on snipeit.* to 'snipe_user'@'localhost' identified by 'YOUR_DB_PASSWORD';
mysql> exit

Leave the MySQL shell and install git and vim:

sudo apt install git vim -y

Download Snipe-IT into the web server directory:

sudo mkdir /var/www/html/snipe-it
sudo chown yourusername:yourusername /var/www/html/snipe-it

cd to the new directory and download

cd /var/www/html/snipe-it
git clone https://github.com/snipe/snipe-it .

Set up Snipe-IT config file:

Copy the .env.example file to a new .env file and open it in your text editor.

cp .env.example .env
vim .env

Make sure APP_ENV is set to production and APP_DEBUG is set to false

APP_ENV=production
APP_DEBUG=false

Setup APP_URL:

This is the URL of your application, beginning with http:// or https:// (if you’re running Snipe-IT over SSL). This should not have a trailing slash, and you should not have public in the URL. Images and JavaScript will not load correctly if this is not set to EXACTLY the URL you access your Snipe-IT app from.

You can set APP_URL to an IP address for setup or testing and change it to another domain name later.

APP_URL=your.domain.name

Set the timezone. Use one of the PHP supported time zone strings from https://www.php.net/manual/en/timezones.php

APP_TIMEZONE='YOURTIMEZONE'

Set your language. Default is English (en). See https://snipe-it.readme.io/docs/configuration#section-setting-a-language:

APP_LOCALE=en

Fill in the database settings with the database name, database user name and password you created in the mysql setup step:

DB_DATABASE=snipeit
DB_USERNAME=snipe_user
DB_PASSWORD=YOUR_DB_PASSWORD

Install snipe-IT dependencies

Make sure you are still in the snipe-it directory. If you are following this guide it will be /var/www/html/snipe-it

cd /var/www/html/snipe-it

Snipe-IT uses a PHP dependency manager called Composer to manage its dependencies so install it and then install the dependencies: (This might take a few minutes)

curl -sS https://getcomposer.org/installer | php
php composer.phar install --no-dev --prefer-source

Generate your app key

php artisan key:generate

This will generate an encryption key and set APP_KEY in your .env file. Copy the key and save it in a secure location.

Grant appropriate filesystem permissions so apache can access the files:

sudo chown -R yourusername:www-data /var/www/html/snipe-it

Now remove group write permission from the files. There’s no reason for apache to be able to write to all these files:

sudo chmod -R g-w /var/www/html/snipe-it

Now add back write permission for the areas we want Snipe-IT to be able to write to:

sudo chmod -R g+w /var/www/html/snipe-it/storage
sudo chmod -R g+w /var/www/html/snipe-it/public/uploads

Configure the server

Copy the default vhost file and open the copy in your text editor.

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/snipe-it.conf
sudo vim /etc/apache2/sites-available/snipe-it.conf

Edit the file to look like this:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port 
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/snipe-it/public

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ServerName 10.64.118.91

        <Directory /var/www/html/snipe-it/public>
                Allow From All
                AllowOverride All
                Options -Indexes
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Save the file and close your text editor

Disable the old default vhost and enable your new vhost

sudo a2dissite 000-default.conf
sudo a2ensite snipe-it.conf

Also enable mod_rewrite

sudo a2enmod rewrite
sudo systemctl reload apache2

And we’re finished! You can now point your web browser at the address of your web server. You should get the Snipe-IT Pre-Flight page, and your Pre-Flight check should be all green check marks.
