
Secure Shell


Moving from physical servers to the "cloud" involves a paradigm shift in thinking. Generally in a physical environment you care about each individual host; they each have their own static IP, you probably monitor them individually, and if one goes down you have to get it back up ASAP. You might think you can just move this infrastructure to AWS and start getting the benefits of the "cloud" straight away. Unfortunately, it's not quite that easy (believe me, I tried). You need to think differently when it comes to AWS, and it's not always obvious what needs to be done.

So, inspired by Sehrope Sarkuni's recent post, here's a collection of AWS tips I wish someone had told me when I was starting out. These are based on things I've learned deploying various applications on AWS both personally and for my day job. Some are just "gotchas" to watch out for (and that I fell victim to), some are things I've heard from other people that I ended up implementing and finding useful, but mostly they're just things I've learned the hard way.


Sparrowvsrevolution writes "At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router." RC4 may be long in the tooth, but it remains very widely used.


Read more of this story at Slashdot.


An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon is found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password; the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all usernames and passwords to exfiltrate them to a server hosted in Iceland."


Much has already been said about Continuous Deployment. Etsy made it famous once and we integrated our own solution about two weeks ago.

The reason why I integrated it into our system was quite simple: the only person who could perform a deploy was me. This was hindering the rest of the team of course.

Our architecture allowed “hot” deployments already. That means users who were already using the Audiotool application did not notice a deploy happened at all. This is of course only possible as long as there are no new dependencies on the API.

The Audiotool startup process is a very important ingredient. We have a boot sequence which loads a configuration file upfront. In this configuration file is a version number. The version number is used to load all dependencies the application needs to start. We have put a repository server in place which serves SWF files based on this version, and they get cached till the end of time.

If a user started Audiotool when version 1.1 was online and we update to 1.2 in the meantime the user would still load all audio plugins for version 1.1. There are some cases when a hot deployment is not possible (yet) and we call this a scheduled update.
This pushes a message into Audiotool, notifying users that they should save their song and restart the application. But this is not part of the blog post and a scheduled update is very rare. We did it twice last year, once this year.

When we did a deploy it was basically done like this:

  1. Make sure all changes are checked in.
  2. Update a default version key in some source files in case the boot sequence cannot load the configuration for whatever reason.
  3. Update the Nginx configuration so that some version-less files like our embed player are routed correctly.
  4. Create a tag for the repository.
  5. Create a clone of the tag.
  6. Execute mvn -Pdeploy-to-live deploy in the clone. This command already updates all plug-ins and puts new metadata in place.
  7. Copy all SWF files from a local directory to S3.
  8. SSH into a server and update the configuration file Audiotool parses at startup.
  9. Reload the Nginx configuration.

A lot of steps. This means a lot can go wrong, of course. And even though we had all those steps written down in an internal Wiki, it is still hard to do all this. You need the appropriate SSH keys to log into some servers, uploading files to S3 requires a tool which also has to be configured, and not everyone is comfortable with editing an Nginx configuration file on an Amazon server through the terminal.

There was only one deployment that happened without me. I was at FITC Amsterdam in 2010 at that time and it was a long phone call. Obviously something had to change.

The first step was to get rid of all the manual configuration hassle. The configuration file that one needed to change via SSH had to go, so I made it a file dynamically created by the web server. The actual version is pulled from the database, and this made my life much easier already. But still this was not what I wanted. Of course nothing really changed. You still had to perform the S3 upload, SSH into a server and so on.

But since the configuration was already served via the web server I could start automating more things. Even better: with our last major update we dropped the version number from Audiotool. Users would stop expecting to see big changes and a version number that increases. Instead we focus on being much more active and pushing changes online as quickly as possible.

Since I already wrote some shell scripts for myself to deploy various server applications with a single command I started doing the same for the whole Audiotool application.

The first step was to get rid of the default version in some of the ActionScript source files. I simply [Embed] a text file now which contains the version information. A single text file is so much easier to change.

Then I added an API call which allows me to change the version information online. That way a new version can be released easily without any human interaction. With the API call in place and a text file containing all important configuration parameters the last issue was the Nginx configuration. But a small script on the server should do the job.

So I started writing a little script which performs all the necessary tasks:

  1. Create a clone of the repository.
  2. Get the id of the current revision.
  3. Create a tag for the revision like YYYY-MM-DD_REVISION.
  4. Replace the default version with the revision.
  5. Execute the Maven command to deploy some metadata and build all SWF files.
  6. Upload all SWF files to S3.
  7. curl our API with the revision information.
  8. SSH into a server at Amazon to update Nginx.
  9. Cleanup.

That’s all there was to it. Since I do not have that much experience with shell scripting, the most annoying part was to figure out a way to replace the text in a file. After looking through all examples of possible/impossible sed and awk options I got lucky with sed -i "/@build.version@/ s//${HG_VERSION}/g" ${HG_CLONE}/default.version.txt. This basically replaces @build.version@ with the content of ${HG_VERSION} (the empty pattern in s// reuses the address regex). I know, magic. I just want to write it down here so Future-Joa can Google this and come back in five years getting a quick answer.
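The nine-step script above and the sed replacement it relies on, as an added example that is not Audiotool's own deploy script. It splits the procedure into functions: the tag naming (step 3), the version stamp (step 4) and the cleanup (step 9) run locally and can be checked offline, while the remote steps (hg clone, mvn, the S3 upload, the curl call and the ssh step) only execute when DRY_RUN=0. HG_REPO, API_URL, S3_BUCKET, DEPLOY_HOST, API_TOKEN and the server-side update-nginx command are assumed placeholder names, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's script. Placeholder names (HG_REPO, API_URL,
# S3_BUCKET, DEPLOY_HOST, API_TOKEN, update-nginx) are assumptions.
set -eu

HG_REPO="${HG_REPO:-https://example.invalid/hg/audiotool}"
API_URL="${API_URL:-https://example.invalid/api/version}"
S3_BUCKET="${S3_BUCKET:-s3://example-bucket/swf}"
DEPLOY_HOST="${DEPLOY_HOST:-deploy@example.invalid}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the remote/expensive commands

# Step 3: build a tag name of the form YYYY-MM-DD_REVISION.
make_tag() {
    printf '%s_%s\n' "$1" "$2"
}

# Step 4: replace the @build.version@ placeholder in a file with the revision.
# Same sed idiom as in the text: the empty regex in s// reuses the address.
# The revision is an hg hash (hex), so it never contains '/' or '&', which
# would otherwise need escaping in the replacement.
stamp_version() {
    version="$1"; file="$2"
    case "$version" in
        *[!0-9a-fA-F+]*) echo "refusing non-hex revision: $version" >&2; return 1 ;;
    esac
    sed -i "/@build.version@/ s//${version}/g" "$file"
}

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'dry-run: %s\n' "$*"
    else
        "$@"
    fi
}

deploy() {
    clone=$(mktemp -d)
    trap 'rm -rf "$clone"' EXIT                      # step 9: cleanup on exit
    run hg clone "$HG_REPO" "$clone"                 # step 1
    if [ "$DRY_RUN" = "1" ]; then
        rev=0123abc                                  # constructed sample revision
    else
        rev=$(hg -R "$clone" id -i)                  # step 2
    fi
    tag=$(make_tag "$(date +%Y-%m-%d)" "$rev")
    run hg -R "$clone" tag "$tag"                    # step 3
    if [ -f "$clone/default.version.txt" ]; then
        stamp_version "$rev" "$clone/default.version.txt"   # step 4
    fi
    run mvn -f "$clone/pom.xml" -Pdeploy-to-live deploy     # step 5
    run aws s3 sync "$clone/target/swf" "$S3_BUCKET"        # step 6
    # Step 7: the API call should be authenticated; the token comes from the
    # CI server's secret store (here the API_TOKEN environment variable),
    # never from the script itself or the repository.
    run curl -fsS -X POST -H "Authorization: Bearer ${API_TOKEN:-unset}" \
        -d "revision=$rev" "$API_URL"
    run ssh "$DEPLOY_HOST" update-nginx "$rev"              # step 8
    printf '%s\n' "$tag"
}

if [ "${1:-}" = "--deploy" ]; then
    deploy
fi
```

Run it as `DRY_RUN=1 ./deploy.sh --deploy` to see every remote command it would execute; with DRY_RUN=0 the same functions perform the real deploy, and the trap removes the clone whether the script succeeds or a step fails.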

With the shell script at our disposal we simply had to hook it into TeamCity, a fantastic continuous integration solution by the way. After configuring some command line tools on the CI server we were ready to go.

The results speak for themselves. We have already made twenty deployments during the last two weeks. That is about as many deployments as we did since we started Audiotool. Because deployments have become less scary and everyone can trigger them, we are able to iterate quicker and get rid of a lot of bugs. In fact it also makes it much easier to reason about your program. If you push hundreds of new features and get a null pointer exception: good luck. However, if you just changed one little thing and get loads of bug reports, it is quite easy to identify what could be the possible culprit. Of course this is only a Flash problem, since there are no stack traces in the release player. But I guess if you build a JavaScript application you would have similar problems.

I can only recommend doing the same. Especially for your own sanity. 100% automated deployments are really cool and stress free! It is also much easier to set up than you might expect.

An anonymous reader writes "In response to plans to introduce real time monitoring of all UK Internet communications, a petition has been set up in opposition."

Previously covered here, El Reg chimes in with a bit of conspiracy theorizing and further analysis: "It would appear that the story is being managed: the government is looking to make sure that CCDP is an old news story well ahead of the Queen's Speech to Parliament on 9 May. Sundays — especially Sunday April the 1st — are good days to have potentially unpopular news reach the population at large."


jfruh writes "If you have to administer a *nix computer remotely, you hopefully ditched Telnet for SSH years ago. But you might not know that this tool does a lot more than offer you a secured command line. Here are some tips and tricks that'll help you do everything from detect man-in-the-middle attacks (how are you supposed to know if you should accept a new hosts public key, anyway?) to evading restrictions on Web surfing."
What are your own favorite tricks for using SSH?


If you’ve ever needed to connect to a remote server without installing any desktop software or doing anything other than opening a new browser window, then you need to check out Gate One. Gate One is a web-based terminal emulator and SSH client that will work in any modern web browser.

The brainchild of developer Dan McDougall, Gate One is the result of nine months of coding. While Gate One may not be the first project to put a terminal emulator in your browser — existing options include Shell in a Box and Ajaxterm among others — it has quite a few features that go well beyond the basics found in other emulators. For example, Gate One uses WebSockets rather than traditional polling so it’s able to keep SSH connections open without spiking your CPU and grinding the browser to a standstill. Gate One also has the ability to resume sessions after being disconnected.

Throw in multiple simultaneous terminal sessions, a way to save SSH bookmarks, a plugin architecture and the ability to play back, save and share terminal sessions and you’ve got a pretty respectable replacement for Putty and its ilk. Not that Gate One is intended to replace a desktop SSH client, but for situations where you can’t run a desktop app Gate One just might be the emulator you’ve been looking for.

The front end of Gate One is written entirely in HTML5 and JavaScript, which means it will work in any modern browser. Behind the scenes Gate One uses HTML5 WebSockets to connect to a Python-based SSH server.

Gate One is available from GitHub and is dual-licensed under either the AGPLv3 or a proprietary license.
