So, you're in fancy pants AWS GovCloud and you need to sync between a directory on your EC2 instance and an S3 bucket, right? ARE YOU IN LUCK MY FRIEND:
What you'll need:
1. An AWS access key and the corresponding secret key. You can find these in IAM and create one just for this; however, you are limited to 2 AWS access keys for any API fancy connections. Always save your keys somewhere super safe.
2. Some EC2 instance that you need to either backup or sync contents.
How to:
1. On your EC2 instance you first need to setup "aws configure" to let the instance know HOW to connect to your s3 bucket with your credentials, so we're going to type:
[ec2-user@ip]$ aws configure
2. This will bring up the following prompts and these instructions are for GovCloud users, but you can use whatever region you are in:
a. Paste in your access key ID: AWS Access Key ID [ ]:
b. Paste in your secret key: AWS Secret Access Key [ ]:
c. Enter your default region name: Default region name [ ]: us-gov-west-1
i. NOTE: This has to be exact otherwise the aws command line will not know how to get to your bucket. If you don't know it, login to S3, click on any file you have in there and take a look at the properties, then check out the "Link:". Everything after the "s3-" up to the first "." is your region. E.g., mine is always s3-us-gov-west-1.amazonaws.com. So my region is: us-gov-west-1
d. Leave default output format at none: Default output format [None]:
e. Hit enter at the last step and it will spit you back out to the command prompt.
3. Yay! That part is done. Now we can test by listing the contents of a bucket:
aws s3 ls s3://nameofbucket
Note: You literally just need the name of the bucket in S3. So you don't need to put s3-us-gov-west-1.amazonaws.com/bucketofstuff ... from here on out, just but s3://bucketofstuff
4. If that worked you should see a nice ls listing of your bucket on s3! We're getting closer!
5. Now to test syncing all the data FROM an S3 bucket to a directory on your EC2 instance:
a. cd into the directory you'd like the data in first
b. Then type: aws s3 sync s3://nameofbucket .
c. It should now spit out the downloaded files into the directory your in. Sweet!
d. I'm old school so I want to SEE the data I'm putting in a dir, but yes, you can skip the "." and put in the literal path, e.g., /home/ec2-user/stuff or whatever dir you're syncing data with.
6. Now to go the other way:
aws s3 sync /name/of/dir/ s3://nameofbucket
a. Note: this will push EVERYTHING in the dir to the s3 bucket and overwrite
b. In the case of the step 5 example where we're IN the directory we're putting data in, you'd just type: aws s3 sync . s3://nameofbucket
7. AWESOME. Now you can setup a crontab for backups or get super-mega-fancy and put the AWS command line stuff on your Windows or Mac and push to S3 from ANYWHERE! Just remember to always have your AWS access key's handy and you're set.
P.S. If you get lost, here's the S3 command line page and it will show you how to do wget's, cp's, and of course sync.
P.P.S. Don't forget to check permissions on your S3 bucket if you can't upload/download. You'll need to have at least "Upload/Delete" for an authenticated AWS user.
Tuesday, April 5, 2016
Amazon AMI Linux Apache PHP Baseline Setup
Most of my web apps are just basic Apache with PHP. Here's a quick install for the bare minimums with support for ssl, mbstring, and gd libraries. Important if you'd like to do some file management stuff on the front end:
sudo yum install -y httpd php mod_ssl php-mbstring php-gd
That will get you rolling with some fancy pants PHP mods!!
Don't forget to mod your /etc/php.ini for file size and all that jazz.
sudo yum install -y httpd php mod_ssl php-mbstring php-gd
That will get you rolling with some fancy pants PHP mods!!
Don't forget to mod your /etc/php.ini for file size and all that jazz.
Friday, March 25, 2016
SuSE SLES 12 Single User Mode w/ Networking
For some crazy reason, SAMBA on my brand new SLES12 box was corrupt/wonky/broken. So, no logins, and a weird "module is unknown" error when you would attempt to login with correct credentials; only to be told get outta here.
I scoured the Google's looking for help and was able to patch together something to get it working ... or at least get networking in single user mode to work! Here's the steps:
1. Reboot/Startup your box and hold shift at the Grub bootup screen
2. Once at the SuSE splash screen, press "e" key for edit into Grub.
3. You should now be at the Grub 2.0 screen, find the line that starts with "linux" and press END key.
4. At the end of that line, type in "single", then hit F10 to save/boot up.
5. Now, you should be taken to single user mode, enter root's password and BANG! you're in!
6. Now, this is the weird part to get the network to start: You need to wait a good minute for all of the bootup scripts and services to start, then (and only then) can you get the NIC to load/activate on the network with your previous network settings so we can get to zypper or apt-get and reload/update everything. Once you've waited enter:
/sbin/service network start
You should now have super fun times network access so you can zypper update/install things to your hearts content! You're welcome!!
I scoured the Google's looking for help and was able to patch together something to get it working ... or at least get networking in single user mode to work! Here's the steps:
1. Reboot/Startup your box and hold shift at the Grub bootup screen
2. Once at the SuSE splash screen, press "e" key for edit into Grub.
4. At the end of that line, type in "single", then hit F10 to save/boot up.
/sbin/service network start
You should now have super fun times network access so you can zypper update/install things to your hearts content! You're welcome!!
Wednesday, March 4, 2015
Mod_Security - Get 401 Errors Out of Relevant Status Logs!
Congrats, you're on your way to hard core security with mod_security! But now you're audit log is filling up faster than a North Dakota Bear at a Golden Coral (Sorry, Brian) with general errors that DO NOT trigger any mod_sec rules.
Normally, out of the box, you'll have mod_security's SecAuditEngine rules set like so:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04)"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "|bin/rotatelogs.exe -l -f f:/logs/%Y-%m-%d-modsec-audit.log 86400"
Or ... something close to that. Let's break down the REGEX on the line for SecAuditLogRelevantStatus:
?:5 -- Log anything that is a 500 level error, e.g., 500 Internal Server Error or the lovely 503 Service Unavailable.
4(?!04) -- Log any 400 level error EXCEPT for any 404 errors.
I'm all for the 500 level errors being logged as those should never happen, but for my modsec_audit log I'm FILLING up with about a million 401's that I could care less about. Apache is going to grab these anyway in a much more compressed format, so I don't need to also see these in my modsec log. So, to fix that (and if you're a REGEX noob like me) just modify that 4(?!04) line to read:
"^(?:5|4(?!04|01)"
By adding that "|01" to the end, we're just saying any 404 OR 401's, which, Apache is going to grab for you anyway.
Hope that clears up your mod_sec logs!!
Normally, out of the box, you'll have mod_security's SecAuditEngine rules set like so:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04)"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "|bin/rotatelogs.exe -l -f f:/logs/%Y-%m-%d-modsec-audit.log 86400"
Or ... something close to that. Let's break down the REGEX on the line for SecAuditLogRelevantStatus:
?:5 -- Log anything that is a 500 level error, e.g., 500 Internal Server Error or the lovely 503 Service Unavailable.
4(?!04) -- Log any 400 level error EXCEPT for any 404 errors.
I'm all for the 500 level errors being logged as those should never happen, but for my modsec_audit log I'm FILLING up with about a million 401's that I could care less about. Apache is going to grab these anyway in a much more compressed format, so I don't need to also see these in my modsec log. So, to fix that (and if you're a REGEX noob like me) just modify that 4(?!04) line to read:
"^(?:5|4(?!04|01)"
By adding that "|01" to the end, we're just saying any 404 OR 401's, which, Apache is going to grab for you anyway.
Hope that clears up your mod_sec logs!!
Friday, February 20, 2015
Windows Firewall IP Scope Limit is 1000 Entries
1,000 ENTRIES IS THE MAX WINDOWS FIREWALL RULES WILL ACCEPT.
For the longest time, we've been building in-house security tools to keep bad actors out of our Apache, or at the least, keep them from banging on our ports. One of the C# tools we built will do a REGEX search in Apache's logs and if it sees something fishy will automatically add it to the Windows Firewall via an inbound rule for port 80 and 443 we created called "Block Apache Punks". (It used to have a very rated R name before. They made me change it. Use your imagination). Here's what it normally looks like when you're making an individual IP entry:
And then when you hit OK, it'll appear that it's taking it, but when you hit apply on your rule, you will see the error: "The array bounds are invalid." and it will NOT accept your entry. Because you've hit the limit. Which is dumb. It's 2015. Why is this happening.
We never looked it up, but heard there was a limit to the amount of IP's and CIDR addresses you could add to this list ... well, we found out last week what that number is: It's 1,000, like the big fat text above.
Hopefully, you'll come across this from a Google search and realize you NEED to move to something with much much more flexibility in your OpsSec plan for keeping out the bad guys. As I type this, we're moving to Apache mod_security with about 20 rules already and the ability to add infinite IP's if we need to. Something we should have done a long long time ago.
Wednesday, February 18, 2015
Windows 8.1 Offline Activation
Windows 8.1 is pretty slick, but if you're on NIPRnet, there is 0% chance it will activate itself over the network. Gone are the days of using the 1-800 number to call Microsoft and activate over the phone with 40 some odd digits, so if you're lucky enough to move to Windows 8.1 (Bye bye Pass-the-Hash Hacks!) here's how to activate IF you have a product key handy (Thanks, MSDN Subscription!)
1. Copy your product key to the clipboard
2. Right click on the Windows 8.1 Start Thingy and choose Run
3. Now type "slui 3" and hit Enter. This kicks off the Windows Activation Client and the option "3" tells slui to run the GUI.
1. Copy your product key to the clipboard
2. Right click on the Windows 8.1 Start Thingy and choose Run
3. Now type "slui 3" and hit Enter. This kicks off the Windows Activation Client and the option "3" tells slui to run the GUI.
4. You should see the below, where you'll paste your Win 8.1 key and hit close .. no need to wait for the spinning "I'm working on something" circle gif that will load.
5. That's it! Enjoy not being harassed every week about your activation key. YOU'RE WELCOME.
Thursday, February 12, 2015
Adobe CS6 Registration for Offline Activation and You Can Too!
So, they finally broke down and bought you Adobe CS6 eh? But you know you can't login with you're AdobeID, right? Because Adobe isn't allowed through the firewall, right? (THANKS DISA)
Well, have I got awesome news for you! Here's how to get your Adobe Photoshop/Illustrator registered and not explode in 7 days and you can too:
1. You should get the "Sign in now" page right away after starting your install and putting in your serial number for CS6. Choose sign in later if you haven't installed your CS6 yet.
2. Once you're installed, start up Illustrator and choose the "help" menu up top, then "product registration".
3. It'll bring up the "Sign in Required" page, but that's what we want. You'll see the "Having trouble connecting to the internet?" link now, click it. It should have also opened up the offline activation website at Adobe. Don't close that.
4. You'll now get the "No Internet Connection" page and the option (finally) to do an "Offline Activation". Click that button:
5. Now, you'll see the steps for an offline activation and the button to generate a request code. Click that bad boy!
6. You'll see a new screen with your request code shown (I've blurred mine out). Copy this to your clipboard and have it handy for the Adobe website to follow:
7. Now, at the website for your request code, you'll click the "Generate a Response Code" link right in the middle of that page:
8. It'll prompt you to sign in with your AdobeID next. So, do that:
9. Now, you'll paste the request code you generated and enter your serial number that you probably lost and just spent the last 4 hours looking for, or you're realizing you need that number now and are going to leave this page for tomorrow. At any rate, paste your code and enter your SN, then click "Generate Response Code".
10. If you were successful you'll see this next page showing you the response code for your offline activation. Copy the response code to your clipboard and we're almost done!
12. Now, take the response code you've just copied and paste it into the offline activation window you left open (You did leave that open, right?) and click (finally!) "Activate".
13. Finally! You're activated and CS6 won't asplode your computer! Now go have fun making all those Photoshops of your boss's head onto a donkey.
14. You're done. Get outta here. Close the window already. GAWD.
Well, have I got awesome news for you! Here's how to get your Adobe Photoshop/Illustrator registered and not explode in 7 days and you can too:
1. You should get the "Sign in now" page right away after starting your install and putting in your serial number for CS6. Choose sign in later if you haven't installed your CS6 yet.
6. You'll see a new screen with your request code shown (I've blurred mine out). Copy this to your clipboard and have it handy for the Adobe website to follow:
9. Now, you'll paste the request code you generated and enter your serial number that you probably lost and just spent the last 4 hours looking for, or you're realizing you need that number now and are going to leave this page for tomorrow. At any rate, paste your code and enter your SN, then click "Generate Response Code".
Subscribe to:
Posts (Atom)