• Setting default file permissions for all folders/files in a directory

    Say you want to set up a folder such that anything created within it (directories and files) inherits a default set of permissions and the folder's group.

    Let’s call the group “users”. Files and folders created within the directory should also get g+rw automatically.

    To do this, follow the steps below:
    [bash]
    chmod g+s /path/to/directory             # setgid bit: new content inherits the directory's group
    setfacl -d -m g::rwx /path/to/directory  # default ACL: group gets rwx on new files and dirs
    setfacl -d -m o::rx /path/to/directory   # default ACL: others get rx
    [/bash]
    Now verify:
    [bash]
    getfacl /path/to/directory
    [/bash]
    Output:
    [bash]
    # file: ../path/to/directory/
    # owner: <user>
    # group: media
    # flags: -s-
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:other::r-x
    [/bash]
    Why chmod g+s?

    This will ensure that new content in the directory inherits the group ownership.

    Note: ACL support must be enabled on the file system (the acl mount option) for the default permissions to be inherited.
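
    The setup above is easy to get half right (setgid without the default ACL, or the other way round), so here is a small audit script I would keep next to it. It is an added example, not part of the original post: it reads getfacl output on stdin and passes only when the setgid bit is set, the default group entry grants rw, and no default mask strips group write. The sample outputs and the /srv paths are constructed for the example.

```sh
#!/bin/sh
# Added example: audit that a shared directory will hand new files the
# group and g+rw described above. Reads getfacl output on stdin so it can
# be run on captured output as well as on a live directory.

check_shared_dir_acl() {
    facl=$(cat)
    # getfacl prints "# flags: <suid><sgid><sticky>" only when a special
    # bit is set; the setgid bit is the middle character.
    if ! printf '%s\n' "$facl" | grep -Eq '^# flags: .s.'; then
        echo "setgid bit not set: new files will not inherit the group" >&2
        return 1
    fi
    # the default group entry must grant at least rw
    if ! printf '%s\n' "$facl" | grep -Eq '^default:group::rw'; then
        echo "no default group rw ACL: new files will not get g+rw" >&2
        return 1
    fi
    # a default mask (present once named entries exist) must keep group write
    if printf '%s\n' "$facl" | grep -Eq '^default:mask::' &&
       ! printf '%s\n' "$facl" | grep -Eq '^default:mask::rw'; then
        echo "default mask removes group write" >&2
        return 1
    fi
    return 0
}

# Audit a real directory (needs the acl package for getfacl).
audit_dir() {
    getfacl -p "$1" 2>/dev/null | check_shared_dir_acl
}

# Constructed sample, modelled on the getfacl output shown above: correct setup.
SAMPLE_GOOD='# file: /srv/share
# owner: alice
# group: users
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x'

# Constructed sample: no setgid bit and no default ACL at all.
SAMPLE_BAD='# file: /srv/plain
# owner: alice
# group: users
user::rwx
group::r-x
other::r-x'

# Constructed sample: default ACL present but the default mask drops group write.
SAMPLE_MASKED='# file: /srv/masked
# owner: alice
# group: users
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:mask::r-x
default:other::r-x'

# Usage: sh acl-audit.sh /path/to/directory
if [ "$#" -gt 0 ]; then
    audit_dir "$1" && echo "$1: OK"
fi
```

    Run it against each shared directory after the setfacl step, or from cron, and it tells you which of the two pieces is missing instead of leaving you to eyeball the getfacl output.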

  • FreeIPA User Account Locked

    When using FreeIPA with Windows there are times when users lock themselves out, and when we check the FreeIPA UI we don’t see any problem. The actual problem is that the user is locked out in the Kerberos database, so to make it work we have to unlock the user there. Below are the steps.

    [bash]
    # kadmin.local
    kadmin: getprinc mohan
    [/bash]

    Below is the output from the above command.

    [bash]
    Principal: mohan@LOCALDOMAIN.INTERNAL

    Last successful authentication: [never]
    Last failed authentication: Thu Sep 03 11:30:33 IST 2014
    Failed password attempts: 4
    [/bash]

    To unlock the user, run the command below.

    [bash]
    kadmin: modprinc -unlock mohan
    [/bash]

  • Apache DocumentRoot must be directory

    You have created a separate partition for your htdocs folder and mounted it on /path/to/documentroot. However, when you try to start Apache you get the following error: ‘DocumentRoot must be directory’.

    This is due to SELinux. To get Apache working you have two options:

    1. Crude way:- disable SELinux altogether
    2. Proper way:- set the SELinux context on that directory

    Crude way:- disable SELinux altogether

    Follow the steps below:

    [bash]
    vi /etc/selinux/config
    # change 'SELINUX=enforcing' to 'SELINUX=disabled'
    # then restart your system for the change to take effect
    [/bash]

    Proper way:- set the SELinux context on that directory

    First check the SELinux context of the directory with the following command.

    [bash]
    ls -laZ /path/to/documentroot
    [/bash]

    Then apply the Apache content type to the directory:

    [bash]
    chcon -R -h -t httpd_sys_content_t /path/to/documentroot
    [/bash]

    Verify the SELinux context:

    [bash]
    ls -laZ /path/to/documentroot
    [/bash]

    Restart Apache and it works :).
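
    One thing worth knowing about chcon: it changes only the label on the inodes, so a restorecon or a file-system relabel puts the directory back to its old type and the error returns. The script below is an added example (not from the original post) that records the rule with semanage fcontext first and then applies it with restorecon, and it includes a small parser for the ls -Z output so the check can be scripted. The path is the post’s placeholder and the two sample ls lines are constructed.

```sh
#!/bin/sh
# Added example: make the DocumentRoot label persistent. semanage fcontext
# stores the rule in the policy, restorecon applies it to the tree, and the
# same rule is what a future relabel will use (unlike chcon alone).

DOCROOT="${DOCROOT:-/path/to/documentroot}"

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -dZ` output. Works for both the old layout that includes the
# mode/owner columns and the newer one that prints only context and name.
selinux_type_of() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# Exit 0 when the directory already carries httpd_sys_content_t.
docroot_is_labelled() {
    [ "$(ls -dZ "$1" 2>/dev/null | selinux_type_of)" = "httpd_sys_content_t" ]
}

# Persistent relabel: add the fcontext rule for the tree, then apply it.
label_docroot() {
    sudo semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?"
    sudo restorecon -Rv "$1"
}

# Constructed sample `ls -dZ` lines: old coreutils layout on an unlabelled
# partition, and new layout after relabelling.
SAMPLE_OLD='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /path/to/documentroot'
SAMPLE_NEW='system_u:object_r:httpd_sys_content_t:s0 /path/to/documentroot'

# Usage: DOCROOT=/srv/www sh docroot-label.sh --apply
if [ "${1:-}" = "--apply" ]; then
    docroot_is_labelled "$DOCROOT" || label_docroot "$DOCROOT"
    ls -dZ "$DOCROOT"
fi
```

    semanage comes from the policycoreutils-python package on RHEL/CentOS; once the rule is in place, restorecon -Rv on the directory is all a rebuild or a new mount needs.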

    Hope this saves your time.

     

  • Amazon VPC with OpenSwan and Cisco ASA Site-to-Site VPN

    Overview

    Recently my company wanted to achieve PCI compliance on Amazon. As per the PCI compliance standard, the database instance should listen on a private IP and should not be accessible from the outside world via a public IP. This is not achievable using plain EC2, as instances are assigned a public IP whether you want one or not. Also, with the database listening on a private IP we needed VPN connectivity between Amazon and our network, so I started looking into Amazon VPC. However, the VPC VPN needs BGP to create a site-to-site VPN, and since we use a Cisco ASA, which does not support BGP, we couldn’t use the VPC VPN option. Hence I started looking for an alternative solution on the web and found the TechSmog article “OpenSwan, Amazon VPC, and Cisco ASA. Putting it all together.”, which helped me a lot.

    Requirements

    My requirements were as follows:

    1. Allow communication between my company’s local network and EC2 instances within the VPC, and vice versa.
    2. Allow communication between EC2 instances within the VPC on different subnets.
    3. Communication between the two must be reasonably secure.
    4. All instances must be able to route to the outside world, and a few must have publicly accessible IPs.

    Network

    My office network:

    – 10.0.2.0/24 and 10.0.3.0/24 – office local networks, 254 usable IP addresses each.
    – 10.0.0.1/32 – office ASA internal IP.
    – 1.2.3.4 – office ASA public IP.

    Amazon VPC:

    – 10.43.0.0/16 – the /16 that is required for the outer VPC layer.
    – 10.43.1.0/24 and 10.43.2.0/24 – the VPC subnets I will be working with.
    – 10.43.1.254/32 – the internal private IP of the OpenSwan server.
    – 9.7.8.6/32 – the Elastic IP I allocated from Amazon VPC. This will be bound to the OpenSwan instance and used as the external endpoint of our IPsec tunnel; more on that later. Just remember that I am using it as my external IP for the IPsec tunnel.

    Amazon VPC getting started:
    First off we want to create our VPC via the Amazon AWS Management Console.

    I pretty much followed the guide here:
    http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

    1. Go to the VPC tab
    2. Find the Your Virtual Private Cloud area, and click Get started creating a VPC.
    3. I chose VPC with Public and Private Subnets, along with the information I provided above in the layout.
    4. Follow the steps to create the VPC.

    Adding the OpenSwan Server into our VPC:

    1. First we will need to allocate a new Elastic IP within the VPC tab under Virtual Private Cloud -> Elastic IPs. This will be used for the OpenSwan server.
    2. Once that is done, I went back to the EC2 tab and launched an instance. I used the basic 32-bit Amazon Linux AMI:
       1. I chose m1.small as my instance type.
       2. Make sure to choose ‘Launch Instances Into Your Virtual Private Cloud’.
       3. For instance details, I chose to assign it a private IP address of 10.43.1.254.
       4. I chose my keypair and assigned it a name tag of ‘openswankey’.
       5. For configure firewall, I chose to allow all traffic from my public IP (1.2.3.4/32).
       6. I then associated the Elastic IP with the running instance after it started up.

    I ssh’d into the instance using my key (ssh -i my-key.pem ec2-user@9.7.8.6) and was brought to a shell. :yay:

    Configure the instance w/ OpenSwan:

    I followed the TechSmog article, which helped a lot; I made a few changes/amendments to make it work for my scenario.

    Here are the exact commands I ran after ssh’ing into the server. Note that HOMEPUBLIC and HOMEPRIVATE should be changed according to your internal network:

    [bash]
    sudo yum update -y
    sudo yum -y install openswan openswan-doc ipsec-tools
    EC2PRIVATE=10.43.1.0
    EC2PUBLIC=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
    HOMEPUBLIC=1.2.3.4
    HOMEPRIVATE=10.0.2.0/24
    # 30-character random pre-shared key; LC_ALL=C keeps tr happy with raw bytes
    PSK=$(LC_ALL=C tr -dc 'a-zA-Z0-9_' < /dev/urandom | head -c 30)
    # conn parameters must be indented, so keep the leading space on each line
    cat > /tmp/home.conf <<EOF
    conn home
     left=%defaultroute
     leftsubnet=$EC2PRIVATE/24
     leftid=$EC2PUBLIC
     right=$HOMEPUBLIC
     rightid=$HOMEPUBLIC
     rightsubnet=$HOMEPRIVATE
     authby=secret
     esp=3DES-MD5
     keyingtries=3
     rekey=no
     keyexchange=ike
     ikelifetime=86400s
     pfs=yes
     forceencaps=no
     auto=start

    conn officesub2
     rightsubnet=10.0.3.0/24
     also=home

    conn vpcsub2
     leftsubnet=10.43.2.0/24
     also=home

    conn officevpcsub2
     leftsubnet=10.43.2.0/24
     also=officesub2
    EOF
    # ipsec.secrets format: <left-id> <right-id> : PSK "<secret>"
    echo "$EC2PUBLIC $HOMEPUBLIC : PSK \"$PSK\"" > /tmp/home.secrets
    # uncomment the include line so /etc/ipsec.d/*.conf is read
    sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
    sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
    sudo chown root:root /tmp/home.* /tmp/ipsec.conf
    sudo mv /tmp/home.* /etc/ipsec.d
    sudo mv /tmp/ipsec.conf /etc
    sudo chkconfig ipsec on
    sudo /etc/init.d/ipsec start
    [/bash]

    Now run the following command on the command line:
    [bash]
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    [/bash]

    At the end of this, I had OpenSwan up and running! I had /etc/ipsec.d/home.conf as my openswan configuration and /etc/ipsec.d/home.secrets as my preshared key! Awesome!

    Configuring the ASA:

    ASA Configs: Make sure to BACKUP before making these changes!

    Tunnel Group:
    [bash]
    tunnel-group 9.7.8.6 type ipsec-l2l
    tunnel-group 9.7.8.6 ipsec-attributes
     pre-shared-key <the key in /etc/ipsec.d/home.secrets on your openswan server>
    [/bash]

    Crypto Map:
    [bash]
    ! transform set matching esp=3DES-MD5 on the OpenSwan side
    ! (on ASA 8.4 and later the keyword ikev1 is required: crypto ipsec ikev1 transform-set ...)
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.1.0 255.255.255.0
    access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.1.0 255.255.255.0
    access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.2.0 255.255.255.0
    access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.2.0 255.255.255.0
    crypto map outside_map 6 match address outside_cryptomap_6
    crypto map outside_map 6 set pfs
    crypto map outside_map 6 set peer 9.7.8.6
    crypto map outside_map 6 set transform-set ESP-3DES-MD5
    [/bash]

    Internal Network Group:
    [bash]
    object-group network myinternalnetwork1
     description My Internal Network that will connect to EC2 VPC
     network-object 10.0.2.0 255.255.255.0
    [/bash]

    [bash]
    object-group network myinternalnetwork2
     description My Internal Network that will connect to EC2 VPC
     network-object 10.0.3.0 255.255.255.0
    [/bash]

    NAT Entries allowing Access from internal network to VPC:
    [bash]access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.2.0 255.255.255.0[/bash]

    Restarting IPSec on OpenSwan Instance:
    1. Log back into your OpenSwan instance via ssh and issue the commands sudo /etc/init.d/ipsec stop; sudo /etc/init.d/ipsec start
    2. You can check whether the tunnel is up by issuing sudo /etc/init.d/ipsec status, which should state if the tunnel is up or not; you can also check on your ASA.

    That’s it, you should now be able to connect to your instances without any problems.

    Note:- If you are using Windows instances you will need to reduce the MTU of the instance’s interface from 1500 to 1200, otherwise you won’t be able to access your Windows instance.

  • Change / Update SSL certificate for Amazon Elastic Load Balancer

    This is a continuation of Amazon ELB SSL Termination HowTo. Earlier we saw how to set up an Elastic Load Balancer with SSL termination on Amazon. Now we will see how to change the SSL certificate once we renew it or revoke it for some reason.

    To change the certificate used by an Elastic Load Balancer (ELB) we need to install the ELB and IAM command line tools. To install these tools, do as follows.

    1. Download and install the Java JDK or JRE (minimum 1.6) from here.
    2. Set JAVA_HOME environment variable.
    3. Download and install IAM Client tool from here.
    4. Download and install ELB Client tool from here.

    Installing IAM tool

    Once you have downloaded IAMCli.zip, extract it and do the following:

    1. Create an environment variable AWS_IAM_HOME pointing to the IAM client folder: ‘AWS_IAM_HOME=/path/to/iam/folder’.
    2. Add $AWS_IAM_HOME/bin to your PATH (in Windows: %AWS_IAM_HOME%\bin).
    3. Edit $AWS_IAM_HOME/aws-credential.template and set AWSAccessKeyId and AWSSecretKey to your own values.
    4. Create an environment variable AWS_CREDENTIAL_FILE pointing to the aws-credential.template file: ‘AWS_CREDENTIAL_FILE=$AWS_IAM_HOME/aws-credential.template’ (in Windows ‘AWS_CREDENTIAL_FILE=%AWS_IAM_HOME%/aws-credential.template’).
    5. If you are behind a proxy, edit $AWS_IAM_HOME/client-config.template (it is self-explanatory).
    6. Create an environment variable CLIENT_CONFIG_FILE pointing to the client-config.template file: ‘CLIENT_CONFIG_FILE=$AWS_IAM_HOME/client-config.template’ (in Windows ‘CLIENT_CONFIG_FILE=%AWS_IAM_HOME%/client-config.template’).

    Installing ELB tool

    Once you have downloaded ElasticLoadBalancing.zip, extract it and do the following:

    1. Create an environment variable AWS_ELB_HOME pointing to the ELB client folder: ‘AWS_ELB_HOME=/path/to/elb/folder’.
    2. Add $AWS_ELB_HOME/bin to your PATH (in Windows: %AWS_ELB_HOME%\bin).
    3. Now log in to your AWS web console and create the private key. You will be prompted to download the private key file; save it as my-pk.pem.
    4. Now go to the X.509 Certificate tab, create your X.509 certificate and download it; save it as my-cert.pem.
    5. Now create an environment variable named EC2_CERT pointing to my-cert.pem: ‘EC2_CERT=/path/to/my-cert.pem’.
    6. Now create an environment variable named EC2_PRIVATE_KEY pointing to my-pk.pem: ‘EC2_PRIVATE_KEY=/path/to/my-pk.pem’.
    7. If you are behind a proxy, create an environment variable named SERVICE_JVM_ARGS to set the JVM proxy parameters: ‘SERVICE_JVM_ARGS="-Dhttp.proxyHost=my.pro.xy.ip -Dhttp.proxyPort=8080 -Dhttps.proxyHost=my.pro.xy.ip -Dhttps.proxyPort=8080"’.

    Now we are set to upload the new certificate to Amazon and apply it to the ELB. To upload the new certificate we need the following:

    1. New certificate (PEM encoded).
    2. Private key (the one used to generate the CSR, PEM encoded).
    3. Chain certificate (optional).

    Uploading the Certificate

    To upload the certificate to Amazon, issue the command below on the command line.

    [bash]
    iam-servercertupload -b domain_com.crt -c chain_cert.pem -k private.key -s NewCertificateName
    [/bash]

    Now, to verify that your certificate has been uploaded successfully, issue the following command on the command line.

    [bash]
    iam-servercertlistbypath
    [/bash]

    This will give output as follows:

    [bash]
    arn:aws:iam::accountnumber:server-certificate/CertLB
    arn:aws:iam::accountnumber:server-certificate/CertLBNEW
    arn:aws:iam::accountnumber:server-certificate/UATCert
    IsTruncated: false
    [/bash]

    Now it’s time to apply the new certificate to the ELB. To do this, issue the following command on the command line.

    [bash]
    elb-set-lb-listener-ssl-cert --region eu-west-1 --lb mylb --lb-port 443 --cert-id arn:aws:iam::accountnumber:server-certificate/CertLBNEW
    [/bash]

    Now open your browser, go to https://domain.com and verify that the latest certificate is the one presented.
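
    Checking in the browser works, but it is easy to be fooled by a cached connection. The script below is an added example (not from the original post) that does the last two steps without guesswork: it looks up the ARN for a certificate name in the iam-servercertlistbypath output, and it compares the SHA-256 fingerprint of the PEM you uploaded with the certificate the load balancer actually presents on port 443. The listing is the one shown above; the hostname and file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: verify that the ELB is serving the certificate you uploaded
# by comparing fingerprints, and resolve a certificate name to its ARN so the
# elb-set-lb-listener-ssl-cert step does not need the ARN pasted by hand.

# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate served by host:port (SNI set to host).
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 when the certificate served by host:port is the one in the PEM file.
elb_serves_cert() {
    local_fp=$(pem_fingerprint "$1")
    live_fp=$(served_fingerprint "$2" "${3:-443}")
    [ -n "$local_fp" ] && [ "$local_fp" = "$live_fp" ]
}

# Print the ARN for a certificate name found in iam-servercertlistbypath output (stdin).
cert_arn_for_name() {
    grep -E "^arn:aws:iam::[0-9a-z]+:server-certificate/$1\$" | head -n 1
}

# Listing modelled on the iam-servercertlistbypath output shown above.
SAMPLE_LISTING='arn:aws:iam::accountnumber:server-certificate/CertLB
arn:aws:iam::accountnumber:server-certificate/CertLBNEW
arn:aws:iam::accountnumber:server-certificate/UATCert
IsTruncated: false'

# Typical use after the upload step (placeholder names):
#   arn=$(iam-servercertlistbypath | cert_arn_for_name CertLBNEW)
#   elb-set-lb-listener-ssl-cert --region eu-west-1 --lb mylb --lb-port 443 --cert-id "$arn"
#   elb_serves_cert domain_com.crt domain.com && echo "new certificate is live"
```

    Run elb_serves_cert a minute or two after the listener change; the ELB picks the new certificate up for new connections only, so an existing keep-alive session in your browser can still show the old one while the check above already passes.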