Category Archives: Security

How to force HTTPS on Apache

HTTPS image

I recently added an SSL certificate to this website. I used Let’s Encrypt which is an awesome initiative to increase the use of HTTPS in websites by making SSL certificates free and easy to install.

My web hosting provider offers Let’s Encrypt certificates via cPanel so installing one for my website was as easy as clicking few buttons. If you are not that lucky, Let’s Encrypt provides instructions to install certificates via the shell as well as a list of hosting providers supporting Let’s Encrypt.

Once you have your SSL certificate installed on your server, you may want to force HTTPS so that any request for HTTP pages will automatically be redirected to HTTPS.

The Apache web server provides the .htaccess file to store Apache configuration on a per-directory basis. For example, if your website is stored under /var/www/html/mysite  and you’re using Apache, you can create the following .htaccess  file in that directory:

The third line is the rewrite rule that forces HTTPS for any request made to the web server. Note that you need to have the mod_rewrite module installed on Apache to add rewrite rules for URL redirection.

Gotchas

Make sure that the URL in the rewrite rule is the one used in the SSL certificate. I initially put www.sandrocirulli.net  in the rewrite rule even though I register the SSL certificate for sandrocirulli.net  and all its sub-domains (including www.sandrocirulli.net ) and got nasty security warnings displaying on the browser. You can easily check the SSL certificate with any browser by clicking on the green padlock near the URL and select View Certificate or the like:

View CertificateIf the padlock near the URL displays a warning, click on it and see what’s the problem. I initially encountered issues with mixed content. This occurred because I had links to images on the websites with HTTP instead of HTTPS. All the major browsers allow you to see where the error occurs, just click on the warning and then Details or the like. Changing these links to HTTPS solved the issue with mixed content.

CD Summit and Jenkins Days 2016

CD Summit and Jenkins Days Berlin 2016
Image by DevOps Connect ©

This week I’m giving a talk about Continuous Security with Jenkins, Docker Bench, and Amazon Inspector at CD Summit & Jenkins Days in Amsterdam and in Berlin. CD Summit & Jenkins Days are a series of conferences in the US and in Europe focusing on Continuous Integration (CI) and Continuous Delivery (CD).

This is the abstract of my talk:

Security testing is often left out from CI/CD pipelines and perceived as an ad hoc and one-off audit performed by external security experts. However, the integration of security testing into a DevOps workflow (aka DevSecOps) allows to achieve security by design and to continuously assess software vulnerabilities within a CI/CD pipeline. But how does security fit in the world of cloud and microservices?

In this talk I show how to leverage tools like Jenkins, Docker Bench , and Amazon Inspector to perform security testing at the operating system and container levels in a cloud environment and how to integrate them into a typical CI/CD workflow. I discuss how these tools can help assessing the risk of security vulnerabilities during development, improving security and compliance, and lower support costs in the long term.

I also present two demos showing how to integrate Docker Bench with Jenkins and how to run Amazon Inspector from Jenkins.

The slides of my talk are available here.

Continuous Security with Jenkins and Amazon Inspector

Amazon Inspector
Image by Amazon Web Services, Inc. ©

Amazon Inspector is an automated security assessment service on Amazon Web Services (AWS). It allows to identify security vulnerabilities at operating system and network levels by scanning the host against a knowledge base of security best practices and rules.

I recently integrated Amazon Inspector to run in a Jenkins job so that security testing can be automated and performed prior to deployment to production.

AWS Configuration

The first thing to do is to set up the assessment target and assessment template in Amazon Inspector. An assessment target allows to select the EC2 instances via their tags in order to include them in the security scan. Here is an example of my assessment target for the EC2 instances tagged as gadictionaries-leap-ogl-stage-v360 :

Assessment TargetThe assessment template allows to specify the type of scan and its duration and is linked to the assessment target set up above. Here is an example of my assessment template (ARN is masked for security reasons). I selected the Common Vulnerabilities and Exposures (CVE) rule package scanning for 15 minutes (one hour is the recommended duration time to reliable results).

Assessment Template

Jenkins Configuration

We now move to the Jenkins configuration in order to run the security scan via a Jenkins job instead of using the AWS console.

The first thing to do is to make sure that openssh is installed on the instance where Jenkins is running and on the host you want to check. For example, on Ubuntu you can install openssh with:

Then install the SSH Agent plugin in Jenkins. This will provide Jenkins with SSH credentials to automatically login into a machine on the cloud. Add the credentials in Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add credentials -> SSH Username with private key. This is an example of my credentials for user jenkins (private key details are obfuscated):

set up mock SSH credentialsThen create a Jenkins job and select the SSH agent credentials for user jenkins in Build Environment:

SSH agent credentialsThis will allow Jenkins to ssh into the machine with the private key stored securely (make sure you only grant permission to configure Jenkins to administrators otherwise your private keys are not safe).

I like to parameterize my builds so that I can run Amazon Inspector on a specific EC2 instance within a given Elastic Beanstalk stack:

Parameters

Then we set up build and post-build actions. The build executes a shell script invoke_aws_inspector.sh pulled from the version control system. The post-build action provides the location of the JUnit file.

The shell script invoke_aws_inspector.sh looks like this:

The shell script works as follows:

  • line 4 allows Jenkins to ssh into a host (I’m using AWS EC2 as you can guess by the username ec2-user, replace it with your default username but do not user root). Note that the environment variable $HOSTNAME is passed from the parameter we set up earlier. The EOF allows to run a sequence of commands directly on the host so that you don’t have to disconnect every time. The single quotes are important, don’t skip them!
  • lines 5-8 install and start the Amazon Inspector agent on the host
  • lines 12-13 configure and set up a Python script  execute_aws_inspector.py  for running Amazon Inspector (we’ll see it in a minute)
  • lines 16-18 remove the Amazon Inspector agent so that no trace is left on the host
  • the final EOF disconnect Jenkins from host

The Python script execute_aws_inspector.py uses the Boto3 library for interacting with AWS services. The script looks like this:

The Python script works as follows:

  • lines 10-17 read the environment variable set in the parameterized build and select the correct template (I set up two different template for two different stacks, the ARNs are obfuscated for security reasons)
  • lines 20-26 run the assessment template and waits a bit longer than 15 minutes so that the scan can finish
  • lines 29-39 filters findings with severities High and Medium
  • lines 42-58 serialize the findings into a JUnit report so that they can be automatically read by Jenkins

Finally, here is an example of Test Result Trend and JUnit test results showing security vulnerabilities on an EC2 instance running unpatched packages:

JUnit Report

Happy security testing with Jenkins and Amazon Inspector!

Continuous Security with Jenkins and Docker Bench

Docker Bench
Image by Docker Inc. ©

Docker Bench is an open source tool for automatically validating the configuration of a host running Docker containers. The tool has been written among others by Diogo Mónica, security lead at Docker, and performs security checks at the container level following Docker’s CIS Benchmark recommendations.

As you would expect, the easiest way to run Docker Bench is via a Docker container. Just make sure you have Docker 1.10 or better, download the Docker image:

and run the Docker container as follows:

This will automatically generate some output as in the animated gif above with an assessment of possible Docker security issues.

I recently combined Docker Bench with Jenkins in order to integrate security testing into a typical DevOps workflow on the cloud – call it DevSecOps if you like buzzwords… This requires a little bit of Jenkins configuration but it’s not too difficult to follow.

The first thing to do is to make sure that openssh is installed on the instance where Jenkins is running and on the host you want to check. For example on Ubuntu you can install openssh with:

Then install the SSH Agent plugin in Jenkins. This will provide Jenkins with SSH credentials to automatically login into a machine on the cloud. Add the credentials in Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add credentials -> SSH Username with private key.  This is an example of my credentials for user jenkins (private key details are obfuscated):

set up mock SSH credentialsThen create a Jenkins job and select the SSH agent credentials for user jenkins in Build Environment:

SSH agent credentialsThis will allow Jenkins to SSH into the machine with the private key stored securely (make sure you only grant permission to configure Jenkins to administrators otherwise your private keys are not safe).

I like to parameterize my builds so that I can run Docker Bench on any host reachable with the private key:

parameterize build with hostnameFinally, select Execute shell in the build and paste this shell script (you may want to put it under version control and retrieve it from there via Jenkins):

It works likes this:

  • the first command allows Jenkins to ssh into a host (I’m using AWS EC2 as you can guess by the username ec2-user, replace it with your default username but do not user root). Note that the environment variable $HOSTNAME is passed from the parameter we set up earlier. The EOF allows to run a sequence of commands directly on the host so that you don’t have to disconnect every time. The single quotes are important, don’t skip them!
  • the second command pulls the Docker image for Docker Bench directly on the host
  • the third command runs Docker Bench on the host
  • the forth command removes all exited containers from the host, including Docker Bench once it has finished its job
  • the fifth command remove the Docker image for Docker Bench so that you don’t leave any trace on the host
  • the final EOF disconnect Jenkins from host

The Jenkins console output shows the result of running Docker Bench on a specific host. Now you have to assess the results as you may see several warnings and they may just be false positives. For example, this warning may be acceptable for you:

This means you are not running the latest version of Docker. This may not be an issue (unless Docker released a security release) especially if your Linux distribution hasn’t got the latest version of Docker available in its repositories.

In my case this warning was a false positive:

In fact, I need several containers to communicate between them so that restriction does not apply to my use case.

This warning should be taken much more seriously:

This means you are running a container as root. This is unsecure as if a nasty intruder manages to get inside the containers s/he can run any command in it. Basically, it’s like running a Linux system as root which is a bad security practice.

Once you have assessed your warnings, you may want to filter out the false positives. For example, you can use the Post build task plugin to make the build fail if the build log output contains a warning that you assessed as a security risk. You can use a regular expression to match the pattern identified above.

It would be good to get the Docker Bench output in JUnit format so that Jenkins can understand it natively but this option is currently not implemented in Docker Bench.

Happy security testing with Jenkins and Docker Bench!

My blacklist of IP addresses

blacklist
Image by LaNotizia licensed under Creative Commons Attribution 2.0 Generic Licence

I monitor few websites for friends and had to configure security modules in order to prevent brute force attacks and breaches in the admin interface of the website. For CMS like WordPress and Drupal there are some good security modules like iThemesSecurity, Security Review and Login Security. These modules improve the security of a website by limiting the number of failed login attempts and blocking the suspicious IP address.

Over time I collected a list of  backlisted IP addresses which  I share here. One thing I learnt is that attacks can come from anywhere. I believe that some of these IP addresses belong to a botnet of compromised computers as I could trace their coordinates to some very well-known locations in the world.

Here below is the table of blacklisted IP addresses. The same list is in this CSV file. The data is courtesy of MaxMind and the list was last updated on 16th April 2016.

IP Address Country Code Location Postal Code Coordinates ISP Domain
46.20.12.30 TR Bursa,
Bursa,
Turkey,
Asia
16245 40.2719,
29.0983
Dgn Teknoloji Bilisim Yayincilik Sanayi Ve Limited ttnetdc.com
203.130.196.150 ID Jakarta,
Daerah Khusus Ibukota Jakarta,
Indonesia,
Asia
-6.1744,
106.8294
Pt Telekomunikasi Indonesia
109.195.228.208 RU Rostov-on-Don,
Rostov,
Russia,
Europe
344000 47.2364,
39.7139
JSC ER-Telecom Holding ertelecom.ru
66.91.141.42 US Honolulu,
Hawaii,
United States,
North America
96805 21.3069,
-157.8583
Time Warner Cable rr.com
185.53.78.144 UA Ukraine,
Europe
50.45,
30.5233
LLC Gigatel rv.ua
91.200.12.11 UA Ukraine,
Europe
50.45,
30.5233
PP SKS-Lugan
37.59.56.6 FR France,
Europe
48.86,
2.35
OVH SAS ovh.net
37.252.102.136 ES Basque Country,
Spain,
Europe
43.2609,
-2.9388
Xtudio Networks S.l.u
207.244.68.152 US Manassas,
Virginia,
United States,
North America
20109 38.7932,
-77.5366
Leaseweb USA
67.43.10.129 US Lansing,
Michigan,
United States,
North America
48917 42.7257,
-84.636
Liquid Web
193.201.224.40 UA Serhiyi,
Chernivtsi,
Ukraine,
Europe
47.9752,
25.1286
PE Tetyana Mysyk
86.123.247.64 RO Lugoj,
Judetul Timis,
Romania,
Europe
305500 45.6886,
21.9031
RCS & RDS
174.136.57.228 US St Louis,
Missouri,
United States,
North America
63131 38.6143,
-90.4444
Colo4, LLC
95.140.36.2 HU Budapest,
Budapest fovaros,
Hungary,
Europe
1012 47.5,
19.0833
Szervernet szervernet.hu
217.9.126.231 DE Germany,
Europe
51,
9
Versatel Deutschland
162.144.66.10 US Provo,
Utah,
United States,
North America
84606 40.2181,
-111.6133
Unified Layer unifiedlayer.com
52.90.51.76 US Ashburn,
Virginia,
United States,
North America
20147 39.0335,
-77.4838
Amazon Technologies
88.120.254.31 RU Russia,
Europe
55.75,
37.6166
JSC ISPsystem
166.63.124.122 US Columbus,
Ohio,
United States,
North America
43228 39.9649,
-83.1383
Ecommerce Corporation cloudix.com
71.43.100.242 US Orlando,
Florida,
United States,
North America
32810 28.6185,
-81.4336
Time Warner Cable rr.com
213.163.66.101 NL Netherlands,
Europe
52.3667,
4.9
i3d B.V. i3d.net
82.76.87.154 RO Lugoj,
Judetul Timis,
Romania,
Europe
305500 45.6886,
21.9031
RCS & RDS rdsnet.ro
80.13.94.242 FR France,
Europe
48.86,
2.35
Orange wanadoo.fr
149.255.37.187 NL Netherlands,
Europe
52.3667,
4.9
Swiftway Sp. z o.o. swiftway.net
173.254.61.236 US Provo,
Utah,
United States,
North America
84606 40.2181,
-111.6133
Unified Layer unifiedlayer.com
72.55.186.26 CA Montreal,
Quebec,
Canada,
North America
H3G 45.4987,
-73.5793
iWeb Technologies panelboxmanager.com
192.185.82.205 US Houston,
Texas,
United States,
North America
77092 29.8301,
-95.4739
Websitewelcome.com websitewelcome.com
194.28.172.219 UA Ukraine,
Europe
50.45,
30.5233
ON-LINE besthosting.ua
62.219.197.147 IL Nazareth,
Northern District,
Israel,
Asia
32.7036,
35.2956
Bezeq International bezeqint.net
6.20.160.53 FR Gueret,
Creuse,
Limousin,
France,
Europe
23000 46.2667,
1.8667
Adista SAS
198.57.247.139 US Provo,
Utah,
United States,
North America
84606 40.2181,
-111.6133
Unified Layer unifiedlayer.com
74.220.207.109 US Provo,
Utah,
United States,
North America
84606 40.2181,
-111.6133
Unified Layer hostmonster.com
46.216.4.146 BY Minsk,
Minsk,
Belarus,
Europe
53.9,
27.5667
Mobile TeleSystems JLLC
184.68.101.154 CA Calgary,
Alberta,
Canada,
North America
T3R 51.2021,
-114.2453
Shaw Communications
103.30.12.10 IN India,
Asia
20,
77
Surendra Informatics
79.116.28.250 RO Lugoj,
Judetul Timis,
Romania,
Europe
305500 45.6886,
21.9031
RCS & RDS rdsnet.ro
188.65.115.90 GB United Kingdom,
Europe
51.5,
-0.13
UK Webhosting
92.85.171.200 RO Timişoara,
Judetul Timis,
Romania,
Europe
45.7494,
21.2272
Telekom Romania Communication S.A
148.251.0.166 DE Germany,
Europe
51,
9
Hetzner Online GmbH r-99.com
23.101.213.136 AU Sydney,
New South Wales,
Australia,
Oceania
1001 -33.8678,
151.2073
Microsoft Corporation, Microsoft Azure
5.101.138.91 GB Rugby,
Warwickshire,
England,
United Kingdom,
Europe
CV21 52.3913,
-1.2866
UK Dedicated Servers Limited ukservers.com
61.25.200.204 JP Japan,
Asia
35.69,
139.69
@Home Network Japan home.ne.jp
71.165.35.215 US Baldwin Park,
California,
United States,
North America
91706 34.0964,
-117.9668
Verizon Internet Services verizon.net
87.106.129.221 DE Germany,
Europe
51,
9
1&1 Internet AG
193.111.140.181 DE Dusseldorf,
North Rhine-Westphalia,
Germany,
Europe
40472 51.2686,
6.81
myLoc managed IT AG fastwebserver.de
193.111.140.181 DE Dusseldorf,
North Rhine-Westphalia,
Germany,
Europe
40472 51.2686,
6.81
myLoc managed IT AG fastwebserver.de
24.38.19.220 US Denville,
New Jersey,
United States,
North America
7834 40.8841,
-74.4863
Optimum Online, Denville Township School lightpath.net
64.235.39.67 US Las Vegas,
Nevada,
United States,
North America
89141 35.9781,
-115.2117
Las Vegas NV Datacenter lasvegas-nv-datacenter.com
175.137.252.141 MY Kuala Lumpur,
Kuala Lumpur,
Malaysia,
Asia
52200 3.1553,
101.6668
Telekom Malaysia TM Net

How to install and update KeePass

KeePass
Image Loki 66 – GPL

KeePass is one of my favourite software. It is a password manager which allows to store secure passwords and forget about them. All you need to do is to remember one single (strong) password to open the software and that’s it. Considering the amount of passwords one has to remember these days, there is a bad tendency to use weak memorable passwords – or even worse always the same password! KeePass is good choice since it is cross-platform, uses strong encryption algorithms, and can store data offline.

I’m currently using KeePass2 (update: I now use KeePassX) However, I noticed that if you install KeePass via the Ubuntu Software Center you won’t necessarily install the latest version and you won’t get the latest updates automatically. So here is the procedure to overcome this problem.

First, add the KeePass repository. For example, in Ubuntu:

where precise is the codename of the Ubuntu version (here 12.04 Precise Pangolin). If you don’t know the codename of the Linux version find it out with:

Then update the repository directory and install KeePass2:

Finally, open KeePass, click on on Help -> Check for updates and KeePass2 will update to the latest stable version. From now on, Ubuntu will update it automatically.

Update: I’m now using KeePassX which is a native port of KeePass for Linux and Mac OS.