Tuesday, April 12, 2016

Export a Linux virtual machine from a VMware ESXi server and import it into AWS



We can export our ESXi virtual machine images to AWS and create the exact same machine there as the one running on the ESXi host.

For this process we need to do the following steps.

1. Download and install the AWS CLI
2. Configure the CLI with an access key from your AWS console (IAM access)
3. Export the virtual machine from the ESXi host to your local machine in OVA format
4. Upload the OVA image file to your AWS S3 bucket and import it


Set up the AWS CLI

Download the AWS CLI installer here:
https://s3.amazonaws.com/aws-cli/AWSCLI64.msi
After that, complete the installation and configure it with your access key.

[root@ip-172-31-56-125 ec2-user]# aws configure
AWS Access Key ID [None]: AKIAXXXXXXXWHTA
AWS Secret Access Key [None]: svcngBGXXXnijOWPLDXXXXXXXHaqs
Default region name [None]: us-east-1
Default output format [None]:
[root@ip-172-31-56-125 ec2-user]#


After the configuration we can run a simple command to test and confirm that everything is working.

[root@ip-172-31-56-125 ec2-user]# aws ec2 create-security-group --group-name AJVMGRP --description "testing vmtestimptest"
{
    "GroupId": "sg-2a250452"
}
[root@ip-172-31-56-125 ec2-user]#

So we have successfully configured the AWS CLI on this machine.



On our ESXi box
We need to create a VM. The VM should be able to accept a DHCP-assigned IP address, and VMware Tools should be removed if we installed them.

Export the VM in OVA format

File > Export > Export OVF Template [Single file (OVA)]

Create an S3 bucket

Create an S3 bucket and make a note of its ARN.

Upload the OVA file to the S3 bucket
Upload the exported OVA file to your S3 bucket.

Create a new IAM role [eg: vmimport] and assign it administrative privilege.

In the role's Trust Relationship, change the service name to vmie.amazonaws.com and add the following condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vmie.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "vmimport"
                }
            }
        }
    ]
}


Import the OVA to AWS


[root@ip-172-31-56-125 ec2-user]# aws ec2 import-image --cli-input-json "{ \"Description\": \"Kalilinux-2016\", \"DiskContainers\": [ {\"Description\": \"Kalilinux-2016\", \"UserBucket\": { \"S3Bucket\": \"vmimportajeesh\", \"S3Key\" : \"CentOS-6.4-i386-minimal.ova\" } } ]}"
{
    "Status": "active",
    "Description": "Kalilinux-2016",
    "Progress": "2",
    "SnapshotDetails": [
        {
            "UserBucket": {
                "S3Bucket": "vmimportajeesh",
                "S3Key": "CentOS-6.4-i386-minimal.ova"
            },
            "DiskImageSize": 0.0
        }
    ],
    "StatusMessage": "pending",
    "ImportTaskId": "import-ami-fggrwl9r"
}

We get an import task ID [ import-ami-fggrwl9r ].

To check the status::
aws ec2 describe-import-image-tasks --import-task-ids "import-ami-fggrwl9r"


[root@ip-172-31-56-125 ec2-user]# aws ec2 describe-import-image-tasks --import-task-ids "import-ami-fggrwl9r"
{
    "ImportImageTasks": [
        {
            "Status": "active",
            "Description": "Kalilinux-2016",
            "Progress": "28",
            "SnapshotDetails": [
                {
                    "UserBucket": {
                        "S3Bucket": "vmimportajeesh",
                        "S3Key": "CentOS-6.4-i386-minimal.ova"
                    },
                    "DiskImageSize": 346110976.0,
                    "Format": "VMDK"
                }
            ],
            "StatusMessage": "converting",
            "ImportTaskId": "import-ami-fggrwl9r"
        }
    ]
}
[root@ip-172-31-56-125 ec2-user]#


The StatusMessage then changes through the following stages:

    "StatusMessage": "updating",
    "ImportTaskId": "import-ami-fggrwl9r"

    "StatusMessage": "booting",
    "ImportTaskId": "import-ami-fggrwl9r"

    "StatusMessage": "preparing ami",
    "ImportTaskId": "import-ami-fggrwl9r"

[root@ip-172-31-56-125 ec2-user]# aws ec2 describe-import-image-tasks --import-task-ids "import-ami-fggrwl9r"
{
    "ImportImageTasks": [
        {
            "Status": "completed",
            "LicenseType": "BYOL",
            "Description": "Kalilinux-2016",
            "ImageId": "ami-4e6e7924",
            "Platform": "Linux",
            "Architecture": "x86_64",
            "SnapshotDetails": [
                {
                    "UserBucket": {
                        "S3Bucket": "vmimportajeesh",
                        "S3Key": "CentOS-6.4-i386-minimal.ova"
                    },
                    "SnapshotId": "snap-649ee37d",
                    "DiskImageSize": 346110976.0,
                    "DeviceName": "/dev/sda1",
                    "Format": "VMDK"
                }
            ],
            "ImportTaskId": "import-ami-fggrwl9r"
        }
    ]
}
Finally, the image (ImageId ami-4e6e7924) is available in your AWS console as an AMI. Using it you can launch a new instance.
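As an added example (this is not code from the post), the Python 3 script below ties the two pieces of the procedure together: it checks that a vmimport trust policy has the shape shown above (the vmie.amazonaws.com principal plus the sts:ExternalId condition, which is what stops a job from another account from assuming this role) and it polls describe-import-image-tasks output until the task reaches "completed" and an ImageId appears. The fetch callable, the _response helper and the progress values other than the 2 and 28 shown in the post are assumptions; in real use fetch would run the AWS CLI command from the post and return its JSON.

```python
import json
from typing import Callable, List, Optional

# Trust policy from the post. Only the VM Import service may assume the role, and
# only when it presents ExternalId "vmimport" (the fixed value the service uses).
VMIMPORT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "vmie.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "vmimport"}},
        }
    ],
}


def trust_policy_problems(policy: dict) -> List[str]:
    """Return findings for a vmimport trust policy; an empty list means it matches the post."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("sts:AssumeRole is allowed for any principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "vmie.amazonaws.com" not in services:
            problems.append("principal is not the VM Import service vmie.amazonaws.com")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != "vmimport":
            problems.append("sts:ExternalId condition is missing or is not 'vmimport'")
    return problems


def import_task_state(response_json: str) -> dict:
    """Reduce one 'aws ec2 describe-import-image-tasks' response to the fields worth polling on."""
    task = json.loads(response_json)["ImportImageTasks"][0]
    return {
        "status": task.get("Status"),
        "message": task.get("StatusMessage"),
        "progress": int(task.get("Progress", 0)),
        "image_id": task.get("ImageId"),
    }


def wait_for_image(fetch: Callable[[], str], max_polls: int = 120) -> Optional[str]:
    """Call fetch() (one describe call per poll) until the task leaves 'active'.

    Returns the AMI id on completion, None if the task ended any other way or
    max_polls ran out. fetch is an assumption: in real use it would wrap
    subprocess.run(["aws", "ec2", "describe-import-image-tasks", ...]).
    """
    for _ in range(max_polls):
        state = import_task_state(fetch())
        if state["status"] == "completed":
            return state["image_id"]
        if state["status"] != "active":
            return None
    return None


def _response(status: str, message: Optional[str], progress: str, image_id: Optional[str] = None) -> str:
    """Build one constructed describe-import-image-tasks response (helper for the replay below)."""
    task = {"Status": status, "ImportTaskId": "import-ami-fggrwl9r", "Description": "Kalilinux-2016"}
    if message:
        task["StatusMessage"] = message
    if progress:
        task["Progress"] = progress
    if image_id:
        task["ImageId"] = image_id
    return json.dumps({"ImportImageTasks": [task]})


# Constructed responses replaying the progression shown in the post (converting ->
# updating -> booting -> preparing ami -> completed) with the post's task and AMI ids;
# the intermediate progress percentages are made up for the replay.
SAMPLE_RESPONSES = [
    _response("active", "converting", "28"),
    _response("active", "updating", "50"),
    _response("active", "booting", "70"),
    _response("active", "preparing ami", "90"),
    _response("completed", None, "", image_id="ami-4e6e7924"),
]


def demo() -> Optional[str]:
    """Replay SAMPLE_RESPONSES through wait_for_image and return the resulting AMI id."""
    replay = iter(SAMPLE_RESPONSES)
    return wait_for_image(lambda: next(replay))


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_problems(VMIMPORT_TRUST_POLICY) or "none")
    print("imported AMI:", demo())
```

The role itself does not need administrative privilege: the service-role policy in AWS's VM Import documentation is limited to reading the import bucket (s3:GetBucketLocation, s3:GetObject, s3:ListBucket on that bucket) plus the few EC2 snapshot and image-registration actions, and that is what the vmimport role should get.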

Wednesday, March 23, 2016

Setting up Monit on Ubuntu

Monit watches your server around the clock and provides the following capabilities:

* Monitor running services, with the ability to stop, start and restart them
* Send email alerts
* Monitor a service against CPU, RAM and disk cut-off values


Install::
/home/ubuntu# apt-get install monit
:/etc/monit/conf.d# /etc/init.d/monit restart
 * Restarting daemon monitor monit     

/etc/monit/conf.d# service monit status
 * monit is running


Monit configuration file :: /etc/monit/monitrc

Running monit status at this point gives the following error:

/etc/monit/conf.d# monit status
monit: error connecting to the monit daemon

Monit has an embedded web server which can be used to view the status of monitored
services and manage them from a web interface. The monit command-line client talks to the daemon through that same interface, so we need to enable the embedded web server (httpd) in the Monit configuration file in order to fix this error.

Open /etc/monit/monitrc and add the following lines under "enable web server".

set httpd port 2812 and
use address localhost
allow localhost
allow admin:monit

/etc/monit/conf.d# /etc/init.d/monit restart
 * Restarting daemon monitor monit

/etc/monit/conf.d# netstat -lpn | grep 2812
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      418/monit


root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 0m

Process 'mysqld'                    Running
System 'ip-172-31-56-245.ec2.internal' Running

Check what happens if the MySQL service goes down on the server.

 /etc/monit/conf.d# service mysql status
mysql stop/waiting

root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 1m

Process 'mysqld'                    Does not exist
System 'ip-172-31-56-245.ec2.internal' Running

After 5 minutes Monit automatically restarts the MySQL service.

root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 5m

Process 'mysqld'                    Running
System 'ip-172-31-56-245.ec2.internal' Running
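The summaries above show a 'mysqld' process check, but the post does not show the stanza that defines it. The following is an added example of such a check for a file under /etc/monit/conf.d/ (it is not the post's own configuration); the pidfile path, the service commands and the thresholds are assumptions for an Ubuntu 14.04 host running the upstart mysql job.

```text
# Added example: /etc/monit/conf.d/mysql (paths and thresholds are assumptions)
check process mysqld with pidfile /var/run/mysqld/mysqld.pid
    start program = "/usr/sbin/service mysql start"
    stop program  = "/usr/sbin/service mysql stop"
    # restart when the daemon stops answering the MySQL handshake on localhost
    if failed host 127.0.0.1 port 3306 protocol mysql for 2 cycles then restart
    # stop fighting a service that keeps dying: unmonitor it and send the alert
    if 5 restarts within 5 cycles then timeout
    # resource thresholds only raise an alert, they do not restart
    if cpu > 80% for 5 cycles then alert
    if totalmem > 512 MB for 5 cycles then alert
```

How quickly Monit notices a dead process is set by the "set daemon <seconds>" line at the top of /etc/monit/monitrc (the check interval), not by the service stanza, and email alerts need "set mailserver" and "set alert" entries in the same file. Run "monit -t" to syntax-check the configuration before restarting the daemon. The "allow admin:monit" line in the post is the username and password for the web interface, so change it from that default and keep the "use address localhost" binding unless port 2812 is firewalled.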

Wednesday, March 2, 2016

DROWN - Decrypting RSA using Obsolete and Weakened eNcryption


Here I am describing the DROWN vulnerability along with the affected operating systems and the steps for identification and remediation:

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.


Most web sites are currently vulnerable to DROWN, including yahoo, icicibank, snapdeal etc.

CVE-2016-0800, known as DROWN


Vulnerable in:
- SSLv2 (Secure Sockets Layer protocol version 2.0)
- TLS (Transport Layer Security) versions 1.0 - 1.2
- Services which do not use SSLv2 but share their RSA keys with services that do support SSLv2 are also vulnerable.


CVE-2016-0703 : affected OpenSSL versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8z
CVE-2016-0704 : affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions.


The following OS versions are affected by DROWN [ RHEL and CentOS ]:
Red Hat Enterprise Linux 4*
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7


Ubuntu 14 and the AWS OS are not affected by the DROWN vulnerability.


How to check whether our server is vulnerable:
Red Hat provides a script for this. Download the bash script from here :   https://access.redhat.com/labs/drown/DROWN-test.sh

Or test via the web site  https://test.drownattack.com

# wget https://access.redhat.com/labs/drown/DROWN-test.sh
# chmod 755 DROWN-test.sh
# ./DROWN-test.sh

WARNING: The installed version of openssl (openssl-1.0.1e-30.el6_6.5) is vulnerable to both general and special DROWN attack and should be upgraded!
See https://access.redhat.com/security/vulnerabilities/drown for more information.

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.


===========================
]# yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.5
Size        : 4.0 M
Repo        : installed


Available Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 42.el6_7.4
================================================


Red Hat patched OpenSSL versions:

Product                                          Fixed package                                              Advisory
Red Hat Enterprise Linux 4                       openssl-0.9.7a-43.23.el4                                   RHSA-2016:0306
Red Hat Enterprise Linux 5                       openssl-0.9.8e-39.el5_11                                   RHSA-2016:0302
Red Hat Enterprise Linux 5.6                     openssl-0.9.8e-12.el5_6.13                                 RHSA-2016:0304
Red Hat Enterprise Linux 5.9                     openssl-0.9.8e-26.el5_9.5                                  RHSA-2016:0304
Red Hat Enterprise Linux 6                       openssl-1.0.1e-42.el6_7.4                                  RHSA-2016:0301
Red Hat Enterprise Linux 6.2                     openssl-1.0.0-20.el6_2.8                                   RHSA-2016:0303
Red Hat Enterprise Linux 6.4                     openssl-1.0.0-27.el6_4.5                                   RHSA-2016:0303
Red Hat Enterprise Linux 6.5                     openssl-1.0.1e-16.el6_5.16                                 RHSA-2016:0303
Red Hat Enterprise Linux 6.6                     openssl-1.0.1e-30.el6_6.12                                 RHSA-2016:0305
Red Hat Enterprise Linux 7                       openssl-1.0.1e-51.el7_2.4                                  RHSA-2016:0301
Red Hat Enterprise Linux 7.1                     openssl-1.0.1e-42.el7_1.10, openssl-1.0.1e-42.ael7b_1.10   RHSA-2016:0305
Red Hat JBoss Web Server 2                       openssl                                                    Patch Pending
Red Hat JBoss Web Server 3                       openssl                                                    Patch Pending
Red Hat JBoss Enterprise Application Platform 6  openssl                                                    Patch Pending



==================================================


Follow the steps below to disable SSLv2 on an AWS load balancer:

- Select your load balancer (EC2 > Load Balancers).
- In the Listeners tab, click "Change" in the Cipher column.
- Ensure that the radio button for "Predefined Security Policy" is selected
- In the dropdown, select the "ELBSecurityPolicy-2015-05" policy.
- Click "Save" to apply the settings to the listener.
- Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.


Fixing DROWN on your CentOS (RPM-based) server.


1. Upgrade openssl
yum update openssl
2. Check that the upgraded package's changelog mentions the CVE
rpm -q --changelog openssl | grep CVE-2016-0800

OR

Run the DROWN script from Red Hat once again.

A patched system will show:

 [/usr/local/src]# ./DROWN-test.sh
The installed version of openssl (openssl-1.0.1e-42.el6_7.4.x86_64) is not known to be vulnerable to DROWN.
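Both the check and the fix above come down to one comparison: is the installed openssl build at or past the fixed build in the Red Hat table? As an added example that is not part of the post or of Red Hat's script, the Python 3 script below implements rpm's version-ordering rules (a port of rpmvercmp written for this example) and applies them to the two package versions that appear in this post. It assumes both packages carry the same epoch; the ARCHES tuple, the report-line regex and the trimmed FIXED_OPENSSL table are also assumptions.

```python
import re
from typing import Tuple

# Fixed openssl builds per product, copied from the Red Hat table in the post
# (only the rows needed for the versions that appear in the post).
FIXED_OPENSSL = {
    "Red Hat Enterprise Linux 5": "openssl-0.9.8e-39.el5_11",
    "Red Hat Enterprise Linux 6": "openssl-1.0.1e-42.el6_7.4",
    "Red Hat Enterprise Linux 6.6": "openssl-1.0.1e-30.el6_6.12",
    "Red Hat Enterprise Linux 7": "openssl-1.0.1e-51.el7_2.4",
}

# Architecture suffixes stripped from NVRA strings (assumed list for this example).
ARCHES = ("x86_64", "i686", "i386", "noarch", "ppc64", "ppc64le", "s390x", "aarch64")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings like rpm's rpmvercmp(): -1, 0 or 1.

    Digit runs compare numerically, letter runs lexically, a digit run beats a letter
    run, separators are skipped, '~' sorts before anything (even the end of the
    string), and when the common prefix is equal the side with segments left is newer.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take a run of digits, or a run of letters, from both sides
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and pred(a[i]):
            i += 1
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # segment types differ: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(pkg: str) -> Tuple[str, str, str]:
    """Split 'openssl-1.0.1e-42.el6_7.4[.x86_64]' into (name, version, release)."""
    for arch in ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """Order two builds of the same package by version, then release (epochs assumed equal)."""
    name_i, ver_i, rel_i = parse_nvr(installed)
    name_f, ver_f, rel_f = parse_nvr(fixed)
    if name_i != name_f:
        raise ValueError("different packages: %s vs %s" % (name_i, name_f))
    return rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)


def drown_status(installed: str, product: str) -> str:
    """'patched' if the installed openssl is at or past the fixed build for the product."""
    return "patched" if compare_nvr(installed, FIXED_OPENSSL[product]) >= 0 else "vulnerable"


def package_from_report(line: str) -> str:
    """Pull the openssl NVR(A) out of a DROWN-test.sh report line like the ones in the post."""
    match = re.search(r"\((openssl-[^()\s]+)\)", line)
    if not match:
        raise ValueError("no openssl package in line")
    return match.group(1)


if __name__ == "__main__":
    # the two report lines are copied from the post's before/after script output
    for line in (
        "WARNING: The installed version of openssl (openssl-1.0.1e-30.el6_6.5) is vulnerable to both general and special DROWN attack and should be upgraded!",
        "The installed version of openssl (openssl-1.0.1e-42.el6_7.4.x86_64) is not known to be vulnerable to DROWN.",
    ):
        pkg = package_from_report(line)
        print(pkg, "->", drown_status(pkg, "Red Hat Enterprise Linux 6"))
```

On a real host, "rpm -q openssl" gives the installed NVRA string to feed in, and the table should be extended from the full Red Hat list for other products. Note that a package check only covers this host's own OpenSSL: a server that shares its RSA key with an SSLv2-capable host elsewhere is still exposed, which is the third item in the "Vulnerable in" list above.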