
SSH Tunneling

We have often been in situations where a server or a service such as RDS (a database), Elasticsearch, etc. sits in a private network such as a VPC (AWS) or a VNet (Azure).

Making them public so that you can reach them from your local machine is not secure and is considered bad practice.

How to do it?

SSH tunneling is a way to connect to services behind a bastion server without ever exposing those services to the public. With SSH tunneling you get local access to the service while all of the traffic stays inside your encrypted SSH connection to the bastion.

To do it, enter the following command (here we assume you are accessing Elasticsearch in AWS). -N tells ssh not to open a remote shell, and -L forwards local port 10443 through the bastion to port 443 of the Elasticsearch endpoint:

ssh -N -L 10443:vpc-vignesh-test-es-he7d3f9f7grf7dgqi9qjkqed83.ap-south-1.es.amazonaws.com:443 -i key.pem username@bastion_server_ip

If your key has a passphrase you will be asked for it now. Once that is done, the terminal holds the tunnel open: because of -N you will not get a new prompt, and closing that terminal will stop the tunnel.

Accessing your ES

To access Kibana for your Elasticsearch domain, open your browser and enter the following URL:

https://localhost:10443/_plugin/kibana/

You will see an SSL certificate warning, because the certificate is issued for the Elasticsearch hostname rather than for localhost. Click the advanced option, then "I understand the risk", and continue.

That’s it.


Add basic auth in Tomcat 8.5

Open tomcat-users.xml with the following command:

sudo vim /usr/share/tomcat/conf/tomcat-users.xml

Enter the following content inside the <tomcat-users> ... </tomcat-users> element:

<role rolename="tomcat"/>
<user username="the-user-name" password="th3-p@$$w0rd" roles="tomcat"/>

Now open the web.xml file inside your application with the following command:

sudo vim /usr/share/tomcat/webapps/ROOT/WEB-INF/web.xml

and enter the following content inside the <web-app> ... </web-app> element:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Listing http-method elements narrows the constraint to those
         methods only; every other method stays uncovered unless
         deny-uncovered-http-methods (below) is present -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE.
         NONE is only acceptable when TLS is terminated in front of Tomcat
         (for example by the Azure application gateway mentioned below):
         Basic auth sends the credentials merely base64-encoded, so over
         plain HTTP they are readable on the wire -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Servlet 3.1 (supported by Tomcat 8.5): reject with 403 any method the
     constraint above does not list (HEAD, PUT, DELETE, OPTIONS, ...), which
     would otherwise be reachable without authentication -->
<deny-uncovered-http-methods/>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

Restart Tomcat with the following command:

sudo systemctl restart tomcat

The basic auth should now be set.
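To check a web.xml for the two gaps discussed above (methods left uncovered by a method-specific constraint, and a NONE transport guarantee), here is a small static audit script. It is an added example, not code from the original post; the embedded sample is the post's own fragment wrapped in a minimal <web-app> element, and the function names are my own.

```python
# Added example (not from the original post): audit the security-constraints
# in a Tomcat web.xml. Listing <http-method> elements narrows a constraint to
# those methods, so the rest stay unauthenticated unless
# <deny-uncovered-http-methods/> is present; transport-guarantee NONE lets
# the base64-encoded Basic-auth credentials travel in clear text.
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.xml fragment wrapped in a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _local(tag):
    # Drop a namespace prefix so real (namespaced) web.xml files parse too.
    return tag.split('}', 1)[-1]

def audit_web_xml(xml_text):
    """Return a list of finding strings; an empty list means no gap found."""
    root = ET.fromstring(xml_text)
    deny_uncovered = any(_local(e.tag) == 'deny-uncovered-http-methods' for e in root)
    findings = []
    for sc in (e for e in root if _local(e.tag) == 'security-constraint'):
        patterns, methods, guarantee = [], [], 'NONE'
        for e in sc.iter():
            name, text = _local(e.tag), (e.text or '').strip()
            if name == 'url-pattern':
                patterns.append(text)
            elif name == 'http-method':
                methods.append(text.upper())
            elif name == 'transport-guarantee':
                guarantee = text.upper()
        where = ', '.join(patterns) or '(no url-pattern)'
        if methods and not deny_uncovered:
            findings.append(f'{where}: only {" ".join(methods)} protected, '
                            'other HTTP methods are uncovered')
        if guarantee == 'NONE':
            findings.append(f'{where}: transport-guarantee NONE, credentials '
                            'travel in clear text unless TLS terminates in front')
    return findings
```

Pass the contents of your own web.xml to audit_web_xml; with the post's fragment it reports both findings, and adding <deny-uncovered-http-methods/> removes the first one.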

Additional info:

If you are using an Azure application gateway and you start getting a 502 error, set up a health probe for those HTTP settings as shown in the following screenshot. The reason is that the gateway's default probe only treats 200-399 responses as healthy, and with Basic auth on /* the backend now answers the probe with 401, so it is marked unhealthy.