
SSH Tunneling

We have often had a server or a service such as RDS (database), Elasticsearch, etc. sitting in a private network such as a VPC (AWS) or a VN (Azure).

Making them public so they can be reached from your local machine is not secure and is considered bad practice.

How to do it?

SSH tunneling is a way to connect to services behind a bastion server without ever exposing those servers to the public. With SSH tunneling, you enjoy the local access without leaving the comfort and security of your SSH connection.

To do it, run the following command. Here we assume you are accessing Elasticsearch in AWS:

ssh -N -L 10443:vpc-vignesh-test-es-he7d3f9f7grf7dgqi9qjkqed83.ap-south-1.es.amazonaws.com:443 -i key.pem username@bastion_server_ip

If your key has a passphrase, you will be asked for it now. Once it is entered, the terminal keeps running the tunnel: you will not get a new prompt, and closing that terminal stops the tunnel.

Accessing your ES

Now, to access the Kibana of your Elasticsearch domain, open your browser and enter the following URL:

https://localhost:10443/_plugin/kibana/

You will see an SSL error, because the certificate is issued for the Elasticsearch endpoint's hostname and not for localhost. Click on the advanced option, then on "I understand the risk", and continue.
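The same tunnel driven from a script, as an added example that is not part of the original post: it builds the ssh command with ExitOnForwardFailure and a loopback-only bind, waits for the local port, then fetches Kibana through the tunnel while validating the certificate against the Elasticsearch hostname (the browser warning only arises because it checks that certificate against localhost). The endpoint, key file and bastion login are placeholders.

```python
import socket, ssl, subprocess, time

ES_HOST = "vpc-example-es.ap-south-1.es.amazonaws.com"  # placeholder ES endpoint
BASTION = "username@bastion_server_ip"                  # placeholder bastion login
KEY_FILE = "key.pem"
LOCAL_PORT = 10443


def ssh_tunnel_command(local_port=LOCAL_PORT, es_host=ES_HOST, key=KEY_FILE, bastion=BASTION):
    """argv for the tunnel from the post, slightly hardened: -f backgrounds ssh after
    auth, -N runs no remote shell, ExitOnForwardFailure makes ssh exit non-zero if the
    local port is already taken, and binding 127.0.0.1 keeps the LAN off the tunnel."""
    return ["ssh", "-f", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:{es_host}:443", "-i", key, bastion]


def wait_for_port(port, host="127.0.0.1", timeout=10.0):
    """Return True once host:port accepts a TCP connection, False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def kibana_status_line(port=LOCAL_PORT, es_host=ES_HOST):
    """GET /_plugin/kibana/ through the tunnel and return the HTTP status line.
    server_hostname=es_host makes SNI and certificate validation use the real
    Elasticsearch name, so the AWS certificate verifies without any warning click."""
    ctx = ssl.create_default_context()
    request = (f"GET /_plugin/kibana/ HTTP/1.1\r\nHost: {es_host}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=es_host) as tls:
            tls.sendall(request)
            return tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    subprocess.run(ssh_tunnel_command(), check=True)  # asks for the key passphrase if set
    if not wait_for_port(LOCAL_PORT):
        raise SystemExit("tunnel did not come up on 127.0.0.1:%d" % LOCAL_PORT)
    print(kibana_status_line())
```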

That’s it.


Add basic auth in Tomcat 8.5

Open tomcat-users.xml with the following command

sudo vim /usr/share/tomcat/conf/tomcat-users.xml

Enter the following content inside the <tomcat-users> </tomcat-users> tag

<role rolename="tomcat"/>
<user username="the-user-name" password="th3-p@$$w0rd" roles="tomcat"/>

Now open the web.xml file inside your application with the following command

sudo vim /usr/share/tomcat/webapps/ROOT/WEB-INF/web.xml

and enter the following content inside the <web-app> </web-app> tag

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

Restart tomcat with the following command

sudo systemctl restart tomcat

The basic auth should now be set.
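An added check, not from the original post: a small linter for the security-constraint block above. It flags two things in that fragment: listing <http-method> entries means only GET and POST require a login while every other HTTP method stays uncovered (drop the http-method lines, or add <deny-uncovered-http-methods/> in a Servlet 3.1 web-app), and BASIC with transport-guarantee NONE sends the base64 credentials in clear text unless TLS terminates in front of Tomcat, as it does behind an Azure Application Gateway. The embedded web.xml sample is constructed from the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragment from the post, wrapped in a <web-app>
# root so it parses on its own (a real web.xml also carries an xmlns, handled below).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _name(el):
    # Drop the namespace prefix, e.g. "{http://xmlns.jcp.org/xml/ns/javaee}url-pattern".
    return el.tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [(e.text or "").strip() for e in parent.iter() if _name(e) == name]


def lint_web_xml(xml_text):
    """Return (code, message) findings for each <security-constraint>."""
    root = ET.fromstring(xml_text)
    auth_methods = [m.upper() for m in _texts(root, "auth-method")]
    deny_uncovered = any(_name(e) == "deny-uncovered-http-methods" for e in root.iter())
    findings = []
    for sc in (e for e in root.iter() if _name(e) == "security-constraint"):
        where = ",".join(_texts(sc, "url-pattern"))
        methods = [m.upper() for m in _texts(sc, "http-method")]
        guarantees = [g.upper() for g in _texts(sc, "transport-guarantee")] or ["NONE"]
        if not any(_name(e) == "auth-constraint" for e in sc.iter()):
            findings.append(("NO_AUTH_CONSTRAINT", f"{where}: no <auth-constraint>, so no login is required here"))
        if methods and not deny_uncovered:
            findings.append(("UNCOVERED_METHODS", f"{where}: only {methods} need a login; every other HTTP method is uncovered. Drop the <http-method> lines or add <deny-uncovered-http-methods/>"))
        if "BASIC" in auth_methods and "CONFIDENTIAL" not in guarantees:
            findings.append(("BASIC_IN_CLEAR", f"{where}: BASIC sends base64 credentials and transport-guarantee {guarantees} lets them travel in clear text unless TLS terminates in front of Tomcat"))
    return findings
```

Run it against the real file with `lint_web_xml(open("/usr/share/tomcat/webapps/ROOT/WEB-INF/web.xml").read())`; an empty list means none of the three findings applies.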

Additional info:

If you are using an Azure Application Gateway and get a 502 error, set up a health probe for those HTTP settings as shown in the screenshot below.


NethServer on AWS

If you ever wanted to set up a VPN server, mail server, mailbox, web server, or Nextcloud (an open-source Google Drive alternative), you can follow this blog and set it up in minutes using NethServer.

NethServer's new management web UI on port 9090

Since AWS does not provide a NethServer AMI by default via the Marketplace or Community AMIs, I had to build a VM image on my local server, modify it, import it into AWS and then modify it again to make it work on AWS.

I have made that image public and it is available in the Mumbai region. If you need it in another region, contact me, or launch the server in the Mumbai region, create an AMI from it and copy it to whichever region you like.

To set up NethServer in AWS, follow the steps below.

Setting up EC2

The instance

Go to the AWS EC2 console and click on Launch Instance

There, go to Community AMIs and search for NethServer, or search for the AMI ID below. Note that this AMI ID may change if I update the AMI.

ami-0c0dc2c9b42edfa60

Security group rules

The security group should allow the following inbound traffic, as needed for accessing the server:

For the latest management web UI, open the port 9090 inbound

For old management web UI, open port 980 inbound

For SSH Access, open port 22 inbound

Outbound access can be left fully open for all traffic.
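An added example, not from the original post, that expresses the three inbound rules above as boto3 IpPermissions restricted to an admin CIDR (the boto3 call, the client object and the sample rules are assumptions, not taken from this page) and audits an existing group's rules for any of these management ports being open to the world:

```python
# Inbound ports the post opens, with what each one serves.
MGMT_PORTS = {9090: "new management web UI", 980: "old management web UI", 22: "SSH"}
WORLD = {"0.0.0.0/0", "::/0"}


def nethserver_ingress(admin_cidr):
    """IpPermissions for ec2.authorize_security_group_ingress(): each management
    port only from admin_cidr (your office or VPN egress /32), never 0.0.0.0/0."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": admin_cidr, "Description": desc}]}
            for port, desc in sorted(MGMT_PORTS.items())]


def apply_ingress(ec2, group_id, admin_cidr):
    # ec2 is a boto3 EC2 client; group_id is the security group of the NethServer instance.
    return ec2.authorize_security_group_ingress(GroupId=group_id,
                                                IpPermissions=nethserver_ingress(admin_cidr))


def _cidrs(perm):
    # describe_security_groups() keeps IPv4 and IPv6 ranges in separate lists.
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def world_open_mgmt_ports(ip_permissions):
    """Management ports that any rule exposes to the whole internet. Handles
    port ranges (FromPort..ToPort) and IpProtocol "-1" (all traffic)."""
    exposed = set()
    for perm in ip_permissions:
        if not WORLD & set(_cidrs(perm)):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":
            exposed.update(MGMT_PORTS)
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed.update(p for p in MGMT_PORTS if lo <= p <= hi)
    return sorted(exposed)


# Constructed sample shaped like describe_security_groups()[..]["IpPermissions"]:
# SSH open to the world, 9090 from one /32, and a TCP range 900-1000 from ::/0.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 9090, "ToPort": 9090, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 900, "ToPort": 1000, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
```

The sample audit reports 22 and 980: SSH is world-open directly, and the IPv6 range rule covers 980 even though no rule names that port.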

User Access

The NethServer AMI comes with a default user. The details are as follows:

Username: admin
Password: Nethserver@123

Domain/Other details

By default, this AMI comes with the FQDN ami.vigneshn.in

This can be changed; my contact details are also in the Company name field, so change them according to your requirements.

Also note that you have to change the FQDN before you install LDAP as the account provider (Users and Groups).

You can also use Active directory (external) for user and group management.

You also need to set up LDAP to change the password of the default admin user.

Known caveats

Currently there is an issue with NethServer where it requires a green interface at any cost; without one it throws an error at the ipconf step.

To fix this, create a network interface in AWS and attach it to the instance.

Make this the green network. If the network interface's IP is 172.20.20.20, enter that as the static address for green, with subnet mask 255.255.255.0 and gateway 172.20.20.1.

Documentation

For more details on how to set up the individual services in NethServer, you can visit the NethServer documentation here.