Cannot reach web service #296
Comments
Hello @westlifezs Can you ssh onto your instance and run If that works, then check if you have firewall rules on your instance blocking inbound access externally to that port (use Lastly, please verify that your security group is ingressing the proper TCP port that you have enabled in your NGINX configuration. Please let us know if you are still having issues. Thank You
Mike, thanks for your response. I figured out the issue eventually. I should use https rather than http. However, I came across another issue. Now I can see the web interface. I could not see anything by clicking "search". However, I have already set up the account by following the wiki instructions. Is there any other approach by which I can verify where the root cause of this issue is? Thanks, Su
Hello @westlifezs When you say that you set up an account, are you referring to the creation of a username/password for you to log in as, or are you referring to an AWS account to watch and audit? Whenever you add or remove AWS accounts to audit, the scheduler must be restarted. Thank You
I am talking about the AWS account. I did restart the scheduler but I still can see nothing under the search button. Is there anything I can do to diagnose this issue? Thanks.
Hello @westlifezs Can you check out the logs? Assuming you are using the sample configuration in the quickstart, the file is If it is working properly, you should see something along the lines of:
Hi Mike, Thanks for pointing me to the log.
I did not find AccessKeyId mentioned anywhere in http://securitymonkey.readthedocs.org/en/latest/index.html
Security Monkey utilizes AWS on-instance credentials that are provided automatically to your instance. The Boto API knows how to obtain them. Did you create the IAM roles and launch your instance with the Instance Profile specified in the Quickstart document? You can find out which IAM role your instance is running with by executing the command: (Please do not paste in the output from that command in here!)
curl http://PUBLIC_IP/latest/meta-data/iam/info/ I am showing the error above. I think this is because I am using https. Thx
I checked through the web UI and it shows: IAM role SecurityMonkeyInstanceProfile Am I right? I strictly followed the instructions while setting this up.
The Can you verify the launch configuration of your instance and check that it is launched into the
I got the same error while running inside the box, either through sudo or not. What do you mean by launch configuration? Is it "SecurityMonkeyLaunchPerms" mentioned in the documentation? If so, then it will be the same as the documentation. Thx
By the way, shall I have a boto config file in my box? I did not find the file. Also, Security Monkey does not mention anything about boto. I checked the boto docs and it seems like such a config is needed. Could you let me know what the boto config looks like in a healthy box? Under which directory and in what format? I am running Ubuntu 14.04 LTS. Thx
Hi @westlifezs Open your AWS account console, then go to the EC2 Console. In there, select "instances" and search for the instance that is running Security Monkey. When you select the instance, there should be some information about the instance on the bottom of the page. What is listed under "IAM Role"? Boto is the AWS Python API that is used by Security Monkey to fetch information from AWS. It uses the on-instance metadata service to obtain the credentials -- you do not need to place any files on the instance with credentials. If the instance is not launched with the IAM role, then it will not be able to communicate with the on-instance metadata service and will thus fail to obtain AWS credentials to make API calls.
Sorry I misunderstood your explanation in my previous post.
Does this look right? Thx
As I mentioned earlier already, the IAM role is shown as "SecurityMonkeyInstanceProfile" through the web console. Anywhere else I should look into? Thx
That looks correct. The next question is: are your roles configured properly? Did you add the
I think so.
Anything else I can check? Thx!
That looks correct. Can you check the
Here it is. Shall I put securitymonkey instead of "security_monkey_docker_user" in the file?
Can you explain your setup a bit? For example, are you running this in a Docker container?
No. It is running on an instance. I think this is probably the root cause. Thanks for helping me to identify the issue. Thanks,
Do you have an IAM role named
I think so. I only have one account. While clicking "roles", I can see both "SecurityMonkey" and "SecurityMonkeyInstanceProfile" in the list. Does it imply the SecurityMonkey role belongs to my account? Or is there another way to check it? Sorry, I have not been using AWS for a long while.
Quick question: in the output above, you have
Another thing: the ARN for this role should be:
I purposely hid our account_id. It should be a numeric value.
It seems like the error is triggered by the following function within /usr/local/src/security_monkey/security_monkey/common/utils.py:
def send_email(subject=None, recipients=[], html=""):
My question is, is there a way to turn off SES or do I have to configure it?
Also, may I know the easiest way to restart Security Monkey? Thanks,
I'm interested in knowing why you are unable to fetch credentials from the instance.
Is there a way that I can test at a lower level regarding fetching such credentials? curl http://169.254.169.254/latest/meta-data/iam/info/ cannot provide the access key id, right?
Hi @westlifezs : Can you open the
Do not paste the output in here, but it should get back a dict-like structure. If that raises an exception, please let me know.
The exception is the same as we have seen in the log:
I only replaced "INSERT_YOUR_ACCOUNT_ID_HERE" with our account id. Is there anything else I should replace within the script?
It seems that you have an issue with your setup, as the AWS SDKs are unable to fetch the on-instance credentials. Are you using an AWS-provided instance image, or are you using your own?
Also, is this region independent? We only have the us-east-1 region enabled but nothing else.
I think I used an AWS-provided image. Does it look right?
Do you have the
I just installed. However, it still does not work after I installed.
I booted another fresh Ubuntu image. The error info is the same after I run your test Python script.
Which boto version is supported by Security Monkey?
What happens when you: Does that print out credentials? Security Monkey uses both Boto 2 and 3.
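The low-level check asked for in the last few comments (curl against the metadata service, then the same fetch from a Python shell), written out as an added example; it is not code from the thread or from Security Monkey. It walks the path Boto walks: list the roles under `iam/security-credentials/`, fetch the credential document for the attached role, and classify it. The metadata service answers only on the link-local address 169.254.169.254 from inside the instance, never on the instance's public IP. The IMDSv2 token step, the function names and the constructed responses in the usage below are my assumptions; `AssumeRoleUnauthorizedAccess` is the code the service returns when an instance profile is attached but its role's trust policy does not let the EC2 service assume it.

```python
"""Walk the EC2 instance-metadata path that Boto uses for on-instance credentials.

Added diagnostic, not Security Monkey code. Run it on the instance itself: the
metadata service answers only on 169.254.169.254 from inside the instance.
"""
import json
import urllib.request
from typing import Callable, Optional

IMDS = "http://169.254.169.254"
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def _imds_token(timeout: float) -> Optional[str]:
    """Try for an IMDSv2 session token (my addition; the thread's curl used
    IMDSv1). None means fall back to IMDSv1; instances that enforce IMDSv2
    refuse token-less requests."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except Exception:
        return None


def fetch_metadata(path: str, timeout: float = 2.0) -> str:
    """GET /latest/meta-data/<path>, raising on any HTTP error or timeout."""
    headers = {}
    token = _imds_token(timeout)
    if token:
        headers["X-aws-ec2-metadata-token"] = token
    req = urllib.request.Request(f"{IMDS}/latest/meta-data/{path}", headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def classify_credentials(doc: dict) -> str:
    """Classify a security-credentials document from the metadata service.

    "ok"            Code == Success and every credential field is present
    "incomplete"    Success reported but a credential field is missing
    "assume-denied" profile attached but STS would not let EC2 assume the role:
                    the role's trust policy lacks ec2.amazonaws.com / sts:AssumeRole
    "error:<Code>"  anything else
    """
    code = doc.get("Code")
    if code == "Success":
        return "ok" if all(doc.get(f) for f in REQUIRED_FIELDS) else "incomplete"
    if code == "AssumeRoleUnauthorizedAccess":
        return "assume-denied"
    return f"error:{code}"


def diagnose(fetcher: Callable[[str], str] = fetch_metadata) -> str:
    """Report where the credential chain breaks. `fetcher` is injectable so the
    logic can be exercised off-instance with constructed responses."""
    try:
        roles = fetcher("iam/security-credentials/").split()
    except Exception as exc:
        # A 404 here means no instance profile is attached; a timeout usually
        # means this is not an EC2 instance or IMDS is disabled.
        return f"no-metadata:{type(exc).__name__}"
    if not roles:
        return "no-instance-profile"
    role = roles[0]
    try:
        doc = json.loads(fetcher(f"iam/security-credentials/{role}"))
    except ValueError:
        return f"{role}:unparseable"
    return f"{role}:{classify_credentials(doc)}"


if __name__ == "__main__":
    # Only the classification is printed, never the document: "ok" means the
    # metadata service handed back live keys, which must not end up in a ticket.
    print(diagnose())
```

`assume-denied` points straight at the role's trust policy, which is where this thread ends up; `no-metadata` means the instance was launched without the instance profile or the metadata service is unreachable from the process.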
In the IAM console, open the Trust Policy for
This is the trust policy, is it right?
That is a trust policy, but it is incorrect. -- That is what the trust policy should be for
That will allow the instance to get the credentials for the role.
So my SecurityMonkey trust policy is:
and my securityMonkeyProfile trust policy is
Is this right?
Yes, that is correct.
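Since the two trust policies are elided above, here is an added example (mine, not Security Monkey's) that checks a trust policy document for the property the fix depends on: an Allow statement granting sts:AssumeRole to the expected principal, with no Deny undoing it. The layout it assumes is the two-role one the thread works with, SecurityMonkeyInstanceProfile trusted by the EC2 service (ec2.amazonaws.com) and the SecurityMonkey role trusted by that role's ARN. The account id 123456789012, the sample policies and the function names are constructed placeholders; `ROOT_TRUST` is a typical wrong policy, not a copy of the one posted.

```python
"""Validate IAM role trust policies for the two-role layout the thread uses.

Added example, not Security Monkey code. Assumed layout: SecurityMonkeyInstanceProfile
must be assumable by the EC2 service; the SecurityMonkey role must be assumable by
that role's ARN.
"""
from typing import Any, Dict, List, Tuple

ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[Tuple[str, str]]:
    """Flatten a statement's Principal ("*" or {"Service": ..., "AWS": [...]})
    into (kind, value) pairs."""
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def trust_policy_allows(policy: Dict[str, Any], kind: str, principal: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to (kind, principal) and
    no Deny statement revokes it. Conditions are ignored: a policy that matches
    here but also carries a Condition still needs a manual look."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue
        matched = any(
            k == "*" or (k == kind and v in (principal, "*"))
            for k, v in _principals(stmt.get("Principal", {})))
        if not matched:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def check_security_monkey_roles(instance_profile_trust: Dict[str, Any],
                                monkey_trust: Dict[str, Any],
                                account_id: str) -> List[str]:
    """Return the problems found; an empty list means both trust policies are right."""
    problems = []
    if not trust_policy_allows(instance_profile_trust, "Service", "ec2.amazonaws.com"):
        problems.append("SecurityMonkeyInstanceProfile: ec2.amazonaws.com cannot assume it, "
                        "so the instance gets no credentials from the metadata service")
    profile_arn = f"arn:aws:iam::{account_id}:role/SecurityMonkeyInstanceProfile"
    if not trust_policy_allows(monkey_trust, "AWS", profile_arn):
        problems.append(f"SecurityMonkey: {profile_arn} cannot assume it, "
                        "so the scheduler cannot audit the account")
    return problems


# Constructed sample documents; account id 123456789012 is a placeholder.
EC2_TRUST = {  # correct for SecurityMonkeyInstanceProfile
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
ROOT_TRUST = {  # a common mistake: trusts the account, not the EC2 service
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}
CROSS_TRUST = {  # correct for the SecurityMonkey role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityMonkeyInstanceProfile"},
                   "Action": "sts:AssumeRole"}],
}


def fetch_trust_policy(role_name: str) -> Dict[str, Any]:
    """Pull a live trust policy with boto3; get_role returns it already decoded."""
    import boto3  # imported here so the rest of the file runs without it
    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


if __name__ == "__main__":
    print(check_security_monkey_roles(ROOT_TRUST, CROSS_TRUST, "123456789012"))
    print(check_security_monkey_roles(EC2_TRUST, CROSS_TRUST, "123456789012"))
```

On a live account, feed `fetch_trust_policy("SecurityMonkeyInstanceProfile")` and `fetch_trust_policy("SecurityMonkey")` to `check_security_monkey_roles` with the real account id; a mismatch in the account id shows up as the second problem, which is why the ARN in the comment above matters.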
Cool, thanks a lot. I got the credentials. But the server is still hitting the error. I think I should restart the server to make this effective. Shall I restart just the scheduler or supervisor or something else? Thanks
Restart the scheduler.
I did and it still shows the same error.
Reboot the instance.
It seems like the previous error has gone, as there is nothing shown in the deploy log file in the last 30 minutes. However, I see another error in security_monkey.error.log and it shows: 2016/02/13 00:17:20 [error] 1170#0: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 198.6.50.15, server: , request: "GET /api/1/items?accounts=&count=25&names=&page=1&regions=&technologies= HTTP/1.1", upstream: "http://127.0.0.1:5000/api/1/items?accounts=&count=25&names=&page=1&regions=&technologies=", host: "XXXXXXXX", referrer: "XXXXXXXX" Do I need to change some settings or configurations to resolve this? My security group is open.
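The nginx line above is a different failure from the security-group one: nginx accepted the client's request and then could not connect to its own upstream at 127.0.0.1:5000, so the security group is irrelevant and the API backend behind nginx is what is not listening. As an added example (not from the thread or from Security Monkey), this parses such lines, repeats the TCP connect that nginx attempted, and maps the errno to a hint; the sample line, the client address 203.0.113.5, the hostname and the hint texts are constructed.

```python
"""Triage nginx "connect() failed ... while connecting to upstream" log lines.

Added example, not Security Monkey code. The sample line is modelled on the
error quoted in the thread; the hints are mine.
"""
import re
import socket
from typing import Dict, Optional

UPSTREAM_RE = re.compile(
    r'connect\(\) failed \((?P<errno>\d+): (?P<reason>[^)]+)\) while connecting to upstream'
    r'.*?upstream: "(?P<scheme>https?)://(?P<host>[^:/"]+):(?P<port>\d+)')

# errno -> what it means for the nginx -> backend hop. 111 is the thread's case:
# the security group and nginx are fine; the API process behind 127.0.0.1:5000 is
# simply not listening, so the fix is the backend, not the firewall.
HINTS = {
    111: "nothing is listening on the upstream address: the API backend is down, "
         "bound to another port/interface, or still starting",
    110: "connect timed out: wrong host/port, or a host firewall is dropping packets",
    113: "no route to the upstream host: wrong address or a network/routing issue",
}


def parse_upstream_error(line: str) -> Optional[Dict[str, object]]:
    """Extract errno, reason and upstream host:port from an nginx error-log line,
    or None if the line is not an upstream connect failure."""
    m = UPSTREAM_RE.search(line)
    if not m:
        return None
    err = int(m["errno"])
    return {"errno": err, "reason": m["reason"], "host": m["host"],
            "port": int(m["port"]), "hint": HINTS.get(err, "look up the errno")}


def port_accepts(host: str, port: int, timeout: float = 1.0) -> bool:
    """Repeat the TCP connect nginx attempted; True if something accepts it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_listener() -> socket.socket:
    """Bind a throwaway listener on 127.0.0.1 so port_accepts can be tried locally."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def triage(line: str) -> str:
    info = parse_upstream_error(line)
    if info is None:
        return "not an upstream connect failure"
    state = "now accepting" if port_accepts(info["host"], info["port"]) else "still refusing"
    return (f"upstream {info['host']}:{info['port']} {state}; "
            f"errno {info['errno']} ({info['reason']}): {info['hint']}")


SAMPLE_LINE = (  # constructed, modelled on the error quoted in the thread
    '2016/02/13 00:17:20 [error] 1170#0: *6 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 203.0.113.5, server: , '
    'request: "GET /api/1/items?accounts=&count=25&page=1 HTTP/1.1", '
    'upstream: "http://127.0.0.1:5000/api/1/items?accounts=&count=25&page=1", '
    'host: "securitymonkey.example"')

if __name__ == "__main__":
    print(triage(SAMPLE_LINE))
```

Run `triage` on the instance against the lines in security_monkey.error.log: "still refusing" with errno 111 means the process that should own 127.0.0.1:5000 is not up (or is bound elsewhere), and nothing in the security group will change that.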
By the way, I think it would be nice if the trust policy for securityMonkeyProfile could be added to the documentation. Newcomers need it.
Forget about the previous error. I fixed it by reconfiguring the web server.
Glad it works!
Hello,
I followed the instructions but I cannot reach the web service.
I checked the security group and set it to public.
But it still says "this page is not available".
Could anyone let me know what could be the reason?
Here is the part of the process list that is relevant to Security Monkey within the box:
Thanks and look forward to hearing from you,