Deploying web applications to a publicly accessible server and secure the application
Take a baseline installation of a Linux distribution on a virtual machine and prepare it to host your web applications, to include installing updates, securing it from a number of attack vectors and installing/configuring web and database servers.
IP address: http://52.34.247.81/
Port: 2200
URL:http://ec2-52-34-247-81.us-west-2.compute.amazonaws.com/
Username: grader
-
Download Private Key
-
Move the private key file into the folder ~/.ssh
$ mv ~/Downloads/udacity_key.rsa ~/.ssh/ -
Change the permissions of the key, only for the owner read and write
$ chmod 600 ~/.ssh/udacity_key.rsa -
Log in the Development Environment
$ ssh -i ~/.ssh/udacity_key.rsa root@52.34.247.81
-
Create a new user name grader
$ adduser grader -
Grant grader the permission to sudo
In the /etc/sudoers.d create a new file called grader
$ nano /etc/sudoers.d/graderIn the file put in:
grader ALL=(ALL) NOPASSWD:ALLSave and qiut. -
Create a ssh key for grader to log in In your own computer terminal, generate key pairs locally
$ ssh-keygenInput the key name and passphrase.
See the content in the public key$ cat ~/.ssh/keyname.pubCopy all the content.
In the Develop Environment, change to the user grader Make a directory called .ssh
$ mkdir ~/.sshCreate a new file called authorized_keys and edit it
$ nano ~/.ssh/authorized_keysPaste the public key content to it, save and quit.
Change the permision of the file/directory
$ chmod 700 ~/.ssh $ chmod 644 ~/.ssh/authorized_keys -
Change the SSH port from 22 to 2200, and disabled remote login of the root user
Edit configue file
$ sudo nano /etc/ssh/sshd-configIn hte file, change the
Port 22toPort 2200, andPermitRootLogin without-passwordtoPermitRootLogin no(Because in the configue filePasswordAuthentication nois already set to disable password login, doesn't need to change it.), save and qiut.Restart ssh service
$ sudo service sshd restart
-
Update package source list:
$ sudo apt-get update -
Upgrade all the application:
$ sudo apt-get upgrade
-
Install unattended-upgrades package
$ sudo apt-get install unattended-upgrades -
Eable the package to automatically manage package updates
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
-
Check the ufw status
$ sudo ufw status -
Allow incoming connections for SSH (port 2200)
$ sudo ufw allow 2200/tcp -
Allow incoming connections for HTTP (port 80)
$ sudo ufw allow www -
Allow incoming connections for NTP (port 123)
$ sudo ufw allow 123/udp -
Eable the ufw
$ sudo ufw enable
6 - Configure The firewall to monitor for repeat unsuccessful login attempts and appropriately bans attackers
-
Install the necessary package:
$ sudo apt-get install fail2ban $ sudo apt-get install sendmail iptables-persistent -
Establish a Base Firewall
$ sudo iptables -A INPUT -i lo -j ACCEPT $ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 2200 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT $ sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT $ sudo iptables -A INPUT -j DROP -
See our current firewall rules
$ sudo iptables -S -
Adjusting the Fail2ban Configuration
$ sudo nano /etc/fail2ban/jail.localIn the file change the bantime:
bantime = 1800
Find the destemail, and change it to the email address that used to collect these messages:destemail = admin@example.com
Find theaction_mwl, change it to:action = %(action_mwl)s
Save and quit. -
Restarting the Fail2ban Service
$ sudo service fail2ban stop $ sudo service fail2ban start
-
Run the command below:
$ sudo dpkg-reconfigure tzdata -
Follow the screens to change the time zone.
-
Install Apache
$ sudo apt-get install apache2right now I can see the result on the result on http://52.34.247.81/
-
Install mod_wsgi
$ sudo apt-get install libapache2-mod-wsgi -
Install git
$ sudo apt-get install git
-
Clone the CatalogApp on Github:
$ cd /var/www $ git clone https://github.com/Nero5023/ConferenceCentral.git -
To make .git directory is not publicly accessible via a browser. Create a .htaccess file in the .git folder and put the following in this file:
RedirectMatch 404 /\.gitReference:serverfault
-
Make the
project.pyfile name to__init__.py -
Install pip , virtualenv (in /var/www/Catalog)
$ sudo apt-get install python-pipuseing pip install virtualenv, and enable virtualenv
$ sudo pip install virtualenv $ sudo virtualenv venv $ source venv/bin/activate -
Using pip install following nessary packages
$ sudo pip install Flask $ sudo pip install bleach $ sudo pip install oauth2client $ sudo pip install requests $ sudo pip install httplib2 $ sudo pip install redis $ sudo pip install passlib $ sudo pip install itsdangerous $ sudo pip install flask-httpauth -
Configure and Enable a New Virtual Host
$ sudo nano /etc/apache2/sites-available/CatalogApp.confAdd these content:
<VirtualHost *:80> ServerName 52.34.247.81 ServerAdmin admin@mywebsite.com WSGIScriptAlias / /var/www/CatalogApp/vagrant/flaskapp.wsgi <Directory /var/www/CatalogApp/vagrant/ItemCatalog/> Order allow,deny Allow from all </Directory> Alias /static /var/www/CatalogApp/vagrant/ItemCatalog/static <Directory /var/www/CatalogApp/vagrant/ItemCatalog/static/> Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>Eable virtual host:
$ sudo a2ensite CatalogApp -
Create the .wsgi File Create a file named flaskapp.wsgi with following commands:
cd /var/www/CatalogApp/vagrant/ sudo nano flaskapp.wsgiAdd these content:
#!/usr/bin/python import sys import logging logging.basicConfig(stream=sys.stderr) sys.path.insert(0,"/var/www/CatalogApp/vagrant/") from ItemCatalog import app as application application.secret_key = 'Add your secret key'Right now my directory tree(In the /var/www/):
CatalogApp --vagrant ----flaskapp.wsgi ----ItemCatalog ------static ------__init__.py -
Some error fix:
In the__init__.pychange the upload file path, backgound file path, client_secrets.json, fb_client_secrets.json to absolute path, -
In Facebook developer page, Google developer console, change the applicaiton oauth path to
http://ec2-52-34-247-81.us-west-2.compute.amazonaws.com/
Digital Ocean
Serversforhackers
Google Code
Udacity discussion
-
Install PostgreSQL
$ sudo apt-get install postgresql postgresql-contrib -
Do not allow remote connections in the
/etc/postgresql/9.1/main/pg_hba.confconfigure file, the default setting has already disabled remote connections -
Add a new user named catalog
$ sudo adduser catalog -
Log into PostgreSQL
$ sudo su - postgres $ psql -
Create a new role
CREATE ROLE catalog WITH CREATEDB; ALTER USER catalog WITH PASSWORD password;using
\ducan see the roles list -
Create database
CREATE DATABASE catalog WITH OWNER catalog; -
Connect to the database and lock down the permissions to only let "access_role" create tables
\c catalog REVOKE ALL ON SCHEMA public FROM public; GRANT ALL ON SCHEMA public TO access_role;Finally press
Control+Dto quit
Digital Ocean
Udacity discussion
-
Go to the Catalog app directory
$ cd /var/www/CatalogApp/vagrant/ -
Edit the
__init__.pyanddatabase_setup.pyfile:Change
engine = create_engine('sqlite:///categoryitems.db')toengine = create_engine('postgresql://catalog:passward@localhost/catalog') -
Restart Apache
$ sudo service apache2 restart
Now can visit the page thourgh http://ec2-52-34-247-81.us-west-2.compute.amazonaws.com/.
I learn a lot from error log (/var/log/apache2/)
Install Glances
$ sudo apt-get install python-pip build-essential python-dev
$ sudo pip install Glances
$ sudo pip install PySensors
Type glances in terminal to see the result.
unattended-upgrades
fail2ban
sendmail
iptables-persistent
apache2
libapache2-mod-wsgi
python-pip
virtualenv
Flask
bleach
oauth2client
requests
httplib2
redis
asslib
itsdangerous
flask-httpauth
postgresql
postgresql-contrib
Glances
PySensors
I disable the root login, so use this key to login with user grader