Enforce password for Ubuntu user on EC2 instances

Using linux (Ubuntu) instances on Amazon EC2 is a quite safe thing to do, at least measured by the security provided by the platform (security groups, ACL, physical security,..). I recommend reading their security site here. At the end of the day the server is only as secure as you configure it, if you choose to open all ports running services with their default configurations and password settings, Amazon can’t help you.

When connecting to a Ubuntu server with ssh you need to provide the keyfile (somekeyfile.pem) that you can download when creating the key pair.

Key file

This 2048 bit key is required to login as regular ubuntu user. What I dislike is the fact that this user can sudo all, so once someone manage to get into you user account, he has root access too. I recommend to set a password for the ubuntu user and change the sudoers configuration.

Change the password for user ubuntu

Open the sudoers include file

sudo vi /etc/suderos.d/90-cloudimg-ubuntu or sudo vi /etc/sudoers

change last line from

ubuntu  ALL=(ALL) NOPASSWD:ALL

to

ubuntu ALL=(ALL) ALL

Glassfish and https running secure applications

By default Glassfish listens to http on port 8080 and https on port 8181.
It is better to listen to the default ports 80 for http and 443 for https, usually you dont want the user to enter port numbers as part of the URL.

Even the Glassfish Admin Console allows to change the ports (Configurations/Server Config/Network Config/Network Listener), certain server OS such as Ubuntu do not allow non-root users (you should run Glassfish as separate user !) to ports below 1024. We can achieve this by port rerouting with the iptables command (under Ubuntu)

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
iptables-save -c > /etc/iptables.rules
iptables-restore < /etc/iptables.rules

vi /etc/network/if-pre-up.d/iptablesload
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Additionally you can get a proper SSL certificate to stop annoying the user with a no proper certificate warning. See previous tutorial here.

SSL Error (Chrome)

If you operate an enterprise application with a known URL to the users, unlike a regular website where the portal should be reached with regular http, I would completely disable regular http.

Disable http

Glassfish V3.1.2 and SSL

After almost 3 years (see previous post) I revisit the topic this time using the latest version og Glassfish 3.1.2 and GoDaddy as certificate provider. I created a certificate for a sub-domain (sub.whateverdomain.com) this time and make use of the extremly cheap 5.99 U$/year offer (no wildcard included)

Let me summarize the key steps here: Continue reading →

Customized error pages for Glassfish V3

There are 2 main reason you want to create custom-made error pages to catch 404 (and others).

Default 404 Error Page

1. It is more professional to catch an error and guide the user either back to a start page or some kind of error handling (appearing as part of you application and not some default Glassfish page which leaves him pretty much nowhere).
2. You dont reveal any information about the application server and remove the most basic information for any hacker: What server software is running on this host ?

In Glassfish we can make use of 2 levels of error handling. At a global level, for the complete domain, and the application level. The application level error handling overrides the global handling. You can create a 404 error page that leads the user back to the application index and at the global level you create a message that does NOT contain a link to an application (entering a wrong context will show you there is no such application, but dont give you a hint where else to go!)

How to do it ?

Application Level

• Create a webpage in your web folder (eg. 404.html) with your application design template and add a link to the index page if necessary.
• Open the web.xml and add

  ...
   <error-page>
   <error-code>404</error-code>
   <location>/404.html</location>
   </error-page>
  </web-app>
  

• or use the assistant in Netbeans
  
  

  web.xml in Netbeans

Glassfish Global Level

• Open you admin console and add a new property
  send-error_1
  code=404 path=/tmp/404.html reason=Resource_not_found
  better: code=404 path=${com.sun.aas.instanceRoot}/docroot/404.html reason=Resource_not_found
  
  

  Glassfish Console

   

• or execute asadmin
  asadmin set server.http-service.virtual-server.server.property.send-error_1=”code=404 path=/tmp/404.html reason=Resource_not_found”
  
• or do it manually in the domain.xml

  ...
   <config name="server-config">
   <http-service>
   <access-log />
   <virtual-server id="server" network-listeners="http-listener-2,http-listener-1">
   <property name="send-error_1" value="code=404 path=/tmp/404.html reason=Resource_not_found" />
   </virtual-server>
   <virtual-server id="__asadmin" network-listeners="admin-listener" />
   </http-service>
  ...
  

• Remark: You should place the code=xxx in front the property string (like above sample). There are some forum threads and tutorials putting it at the end (which does not work for me).

Android Market Spam

I totally DO NOT favor Apple’s strategy with their censorship style 110% control of application and content that runs on their proprietary devices like iPad and iPhone ! But it seems with the Android market we are approaching the other end, total freedom and no control which opens eventually the floodgates for spam, trash applications or trojan horses. Here one sample, I observe some trashy girls pics applications showing up regularly in the Software Library section, obviously the guy keep on re-submitting into application areas with little traffic. Its not one but dozens of them, soon there will be so much of this stuff. And can you explain to me why an application that does nothing but showing pictures need to have access to your location, phone calls and Internet connection ?

Android Market Trash

PIcture Display with lots of access rights

New Book on Glassfish Security available

Getting involved more into security requirements of real life production setups running Glassfish, I searched  the web for this topic. So far there was no book available focusing on security concerns, this just changed a few days ago..
I just get my hands on the new book by Masoud Kalali, Glassfish Security by Packt Publishing. Find more info here. Just started reviewing it, will update you soon.

Getting started with Glassfish V3 and SSL

UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.

At some stage developing web applications (operating outside you fix lan-wired, “secure” in-house network), your customer will hit you asking “How secure is my data ? Can I access the system via https and get the golden lock ?”. You will quickly answer “No problem ! We use Glassfish” (just because you remember vaguely seeing some https settings in the GF admin tool). It is indeed not that hard to get started but if you are not an security expert and not joggling certificates around, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to setup a Glassfish V3 domain running with https.  Please feel free to comment and feedback, I am not an security expert either (…yet).

Used for this tutorial:

• Glassfish V3
• Java keytool
• Free 90 days SSL certificate from Comodo (link)

Pre-Requirements:

• A  server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
• Basic knowledge of navigating around the Glassfish admin tool

Remarks:

• There are dozens of providers that sell you SSL certificates from 30 to 2000 U$ a year. Companies like Verisign, Thawte and Comodo being the more known ones. I cant give a recommendation nor judge the individual companies.
  Find a list of providers here http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities
• We (as in ‘user’) use security in the web on a daily base (you do online banking, right ?), but trying to understand and appreciate the underlying protocols and technologies throws a steep learning curve at us ! If you want to get started a few helpful links (in case you want to have some clue while talking to a customer):
  • http://en.wikipedia.org/wiki/HTTP_Secure
  • http://en.wikipedia.org/wiki/Transport_Layer_Security
  • http://en.wikipedia.org/wiki/Certificate_authority
  • http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
• I recommend doing this tutorial with a test setup, not a productive environment.
• The tutorial shall help you get running, I do not attempt to explain all the details, you can refer to the links above and dive into any level of details you wish to. There are dozens of options, parameters and settings, this tutorial only attempts to make it running. From there you can experiment with settings, different certificates, etc.

Continue reading →

Getting Started with Netbeans and Shiro – Part 1

Apache Shiro (formerly known as JSecurity and KI) is a security framework that handles authentication, authorization, enterprise session management and cryptography. With the move from sourceforge to Apache the GPL license turned into the Apache license. The current version is still 0.9 (still JSecurity), but you can build yourself a current version until the version is released. Shiro is NOT basd on JAAS.

Pre-Requirements for this tutorial:

• Netbeans (any newer version 6.5.1 + already installed)
• Maven (assuming most people dont use it yet)
• Shiro code base (via svn)
• Ubuntu (applies only to the installation of maven) Continue reading →

JEE5 Security

Any new project or product that is used by more than 1 user and over any kind of network needs the “TripleA” AAA features: Authorization, Authentication, Auditing. That’s a must !

I am reading about the JEE5 Security features to outline a new design, or at least I try to find some comprehensive information about it. It seems one of the most important framework services is still being largely developed handmade according to the needs of specific project requirements and no generic solution is available (I think I need to rephrase this after some more investigation). I could  not find many books or online sources with samples or easy-digestible tutorials, just to share what I found so far. JAAS is part of JRE since version 1.4 and most of the information about is a bit old (2002).

SUN
SUN JAVA SE security (link) (link)
SUN JAAS Tutorial (link)

3rd Party Security Framework (based on JAAS)
JGuard on SourceForge.net (link)
ESAPI  on OWASP (link)

Books
Free JAAS Book (link)
Software Security Technologies (covering security in Java, C, Perl)

Software Security Technologies