AWS Services Inconsistency

AWS still puzzles me at times. While the range of products and services is so huge that there is hardly anything you can't accomplish with AWS at hand, you still find little gaps which can annoy, see my earlier discussion around VPC and VPN.

SimpleDB

I thought every service would be accessible through the admin console. While looking for an alternative place to store log data I came across AWS SimpleDB, just to learn there is no function in the web admin console to control it. I even created a support issue believing the service was not enabled for my account. You have to go through local HTML files (aka scratchpad) to access the console.

AWS Admin Console

SimpleDB Console

AWS MFA

While I can handle the above case, I can't appreciate the approach AWS chooses with the MFA they actively promote. It is a very good feature and you can opt for a hardware-based MFA or, a bit simpler, the virtual device. But here comes the contradiction: due to geo restrictions you can't download the AWS MFA app to your Android device if you don't have a US AWS account. Seriously, how much sense does this make? I confirmed this with AWS support.

You could go for an alternative solution with the Google Authenticator, but this creates a dependency on another third party which I am not willing to add; my "contract" is between AWS and me.

Is it related to this: http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States ?

Hide Glassfish Server Information

Despite progressively moving on to JBoss, I still share my findings; they often apply to other products too.

For a public-facing server you want to reveal as little background information as possible. In Glassfish you can create custom 404 and 500 error pages (previous post), but you should also hide the server info that comes with the Server header, easily revealed by a tool like the Firefox plugin HttpFox.

Response Header

There are 2 crucial settings you must change:

  • JVM setting for product name: -Dproduct.name="My App Server"

    JVM Settings

  • Remove the "XPowered By" flag

    XPowered By

As a result you will have a pretty generic response header.

Response Header

Enforce password for Ubuntu user on EC2 instances

Using Linux (Ubuntu) instances on Amazon EC2 is quite a safe thing to do, at least measured by the security provided by the platform (security groups, ACLs, physical security, ...). I recommend reading their security site here. At the end of the day the server is only as secure as you configure it; if you choose to open all ports and run services with their default configurations and password settings, Amazon can't help you.

When connecting to an Ubuntu server with ssh you need to provide the key file (somekeyfile.pem) that you can download when creating the key pair.

Key file

This 2048-bit key is required to log in as the regular ubuntu user. What I dislike is the fact that this user can sudo everything, so once someone manages to get into your user account, he has root access too. I recommend setting a password for the ubuntu user and changing the sudoers configuration.

Change the password for user ubuntu

Open the sudoers include file

sudo vi /etc/sudoers.d/90-cloudimg-ubuntu or sudo vi /etc/sudoers

change last line from

ubuntu  ALL=(ALL) NOPASSWD:ALL

to

ubuntu ALL=(ALL) ALL
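The two steps above as a script, added here as an example and not code from the original post: it rewrites the NOPASSWD line of the cloud-image drop-in and leaves every other line untouched. The file path is taken as an argument (on the instance that is the post's /etc/sudoers.d/90-cloudimg-ubuntu), and the sample content in demo() is constructed to mirror the stock file; both are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the cloud-image sudoers
# drop-in so the "ubuntu" user has to enter a password for sudo.
# Assumptions: the drop-in path is passed as $1 (on the instance that is the
# post's /etc/sudoers.d/90-cloudimg-ubuntu); the sample content in demo() is
# constructed to mirror the stock file.

# harden_sudoers FILE
# Replaces "ubuntu ALL=(ALL) NOPASSWD:ALL" with "ubuntu ALL=(ALL) ALL" in FILE,
# sets the 0440 mode sudo insists on, and prints the resulting ubuntu line.
harden_sudoers() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    pattern='^[[:space:]]*ubuntu[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:ALL'
    if ! grep -Eq "$pattern" "$file"; then
        echo "already hardened: $file"
        return 0
    fi
    # Edit a copy and swap it in, so a failed run leaves the original intact.
    tmp="$file.tmp.$$"
    sed -E 's/^([[:space:]]*ubuntu[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+)NOPASSWD:ALL/\1ALL/' "$file" > "$tmp"
    chmod 0440 "$tmp"   # sudo ignores drop-ins that are group/world writable
    mv "$tmp" "$file"
    grep -E '^[[:space:]]*ubuntu[[:space:]]+ALL' "$file"
}

# Constructed sample mirroring the stock drop-in (one line, passwordless sudo).
demo() {
    sample=$(mktemp)
    printf '# added by cloud-init (constructed sample)\nubuntu ALL=(ALL) NOPASSWD:ALL\n' > "$sample"
    harden_sudoers "$sample"      # prints: ubuntu ALL=(ALL) ALL
    harden_sudoers "$sample"      # prints: already hardened: <path>
    rm -f "$sample"
}
demo

# On the instance itself (as root): set the password first, then harden the
# drop-in and let visudo confirm the file still parses before you log out.
#   passwd ubuntu
#   harden_sudoers /etc/sudoers.d/90-cloudimg-ubuntu
#   visudo -c -f /etc/sudoers.d/90-cloudimg-ubuntu
```

Run the visudo check from the shell you are already in, before opening a new session: a sudoers file with a syntax error locks everyone out of sudo, and on an EC2 instance there is no console to fall back on.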

Glassfish and https running secure applications

By default Glassfish listens to http on port 8080 and https on port 8181.
It is better to listen on the default ports, 80 for http and 443 for https; usually you don't want the user to enter port numbers as part of the URL.

Even though the Glassfish Admin Console allows you to change the ports (Configurations/Server Config/Network Config/Network Listener), certain server OSes such as Ubuntu do not allow non-root users (you should run Glassfish as a separate user!) to bind ports below 1024. We can achieve this by port redirection with the iptables command (under Ubuntu):

# accept the public ports and redirect them to the Glassfish listeners
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
# persist the rules and reload them once to verify the saved file
iptables-save -c > /etc/iptables.rules
iptables-restore < /etc/iptables.rules

Note that the nat REDIRECT rewrites the destination port before the filter INPUT chain sees the packet, so with an INPUT policy of DROP you would also have to accept ports 8080 and 8181; with the default ACCEPT policy the two INPUT rules above are harmless.

To reload the rules at boot, create the following script (it must be executable):

vi /etc/network/if-pre-up.d/iptablesload
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

chmod +x /etc/network/if-pre-up.d/iptablesload

Additionally you can get a proper SSL certificate to stop annoying the user with a certificate warning. See the previous tutorial here.

SSL Error (Chrome)

If you operate an enterprise application with a URL known to its users, unlike a regular website whose portal should be reachable with plain http, I would completely disable plain http.

Disable http

Glassfish V3.1.2 and SSL

After almost 3 years (see previous post) I revisit the topic, this time using the latest version of Glassfish, 3.1.2, and GoDaddy as certificate provider. I created a certificate for a sub-domain (sub.whateverdomain.com) this time and made use of the extremely cheap 5.99 US$/year offer (no wildcard included).

Let me summarize the key steps here:

Customized error pages for Glassfish V3

There are 2 main reasons you want to create custom-made error pages to catch 404 (and other) errors.

Default 404 Error Page

  1. It is more professional to catch an error and guide the user either back to a start page or to some kind of error handling (appearing as part of your application and not some default Glassfish page which leaves him pretty much nowhere).
  2. You don't reveal any information about the application server and remove the most basic information for any hacker: what server software is running on this host?

In Glassfish we can make use of 2 levels of error handling: at the global level, for the complete domain, and at the application level. Application-level error handling overrides the global handling. You can create a 404 error page that leads the user back to the application index, and at the global level you create a message that does NOT contain a link to an application (entering a wrong context will show that there is no such application, but doesn't give a hint where else to go!).

How to do it ?

Application Level

  • Create a webpage in your web folder (eg. 404.html) with your application design template and add a link to the index page if necessary.
  • Open the web.xml and add the error-page mapping before the closing </web-app> tag
    ...
    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>
    </web-app>
    
  • or use the assistant in Netbeans

    web.xml in Netbeans

Glassfish Global Level

  • Open your admin console and add a new property
    send-error_1
    code=404 path=/tmp/404.html reason=Resource_not_found
    better: code=404 path=${com.sun.aas.instanceRoot}/docroot/404.html reason=Resource_not_found

    Glassfish Console

  • or execute asadmin
    asadmin set server.http-service.virtual-server.server.property.send-error_1="code=404 path=/tmp/404.html reason=Resource_not_found"
  • or do it manually in the domain.xml
    ...
    <config name="server-config">
      <http-service>
        <access-log />
        <virtual-server id="server" network-listeners="http-listener-2,http-listener-1">
          <property name="send-error_1" value="code=404 path=/tmp/404.html reason=Resource_not_found" />
        </virtual-server>
        <virtual-server id="__asadmin" network-listeners="admin-listener" />
      </http-service>
    ...
    
  • Remark: You should place the code=xxx in front of the property string (as in the sample above). There are some forum threads and tutorials putting it at the end (which does not work for me).
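A check for the result of this post and of the earlier "Hide Glassfish Server Information" post, added here as an example that is not code from the original posts: it scans a saved HTTP response for the three things those posts remove, a product or version in the Server header, the X-Powered-By header, and a default error page that names the container in its body. The two responses are constructed samples, and the marker strings the check looks for are assumptions chosen to fit them, not copied from a real installation.

```shell
#!/bin/sh
# Added example (not code from the original posts): scan a saved HTTP response
# for the fingerprinting details the two posts remove - a product/version in the
# Server header, an X-Powered-By header, and the stock application-server error
# page in the body. The marker strings below are assumptions chosen for the
# constructed samples, not copied from a real installation.

# leak_check FILE
# FILE holds one raw HTTP response (status line, headers, blank line, body),
# e.g. captured with: curl -si http://host/no-such-page > resp.txt
# Prints one LEAK line per finding; returns 1 if anything leaked, else 0.
leak_check() {
    file=$1
    rc=0
    # Headers end at the first blank line; everything after it is the body.
    headers=$(sed -n '1,/^[[:space:]]*$/p' "$file" | tr -d '\r')
    body=$(sed '1,/^[[:space:]]*$/d' "$file")

    # A generic Server value is fine; a product name or a version number is not.
    server=$(printf '%s\n' "$headers" | grep -i '^Server:' | sed 's/^[^:]*:[[:space:]]*//')
    case "$server" in
        *GlassFish*|*Oracle*|*[0-9].[0-9]*)
            echo "LEAK Server header reveals product or version: $server"; rc=1 ;;
    esac
    # After unchecking the XPowered By flag this header must be gone entirely.
    if printf '%s\n' "$headers" | grep -iq '^X-Powered-By:'; then
        echo "LEAK X-Powered-By header present"; rc=1
    fi
    # The default error page names the container; a custom 404.html does not.
    if printf '%s\n' "$body" | grep -iqE 'GlassFish|Oracle Corporation'; then
        echo "LEAK body names the application server (default error page?)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK no server fingerprint in $file"
    fi
    return "$rc"
}

# write_sample default|hardened
# Constructed responses: one from an untouched server, one after the changes.
write_sample() {
    case "$1" in
        default)
            printf '%s\n' 'HTTP/1.1 404 Not Found' \
                'Server: GlassFish Server Open Source Edition 3.1.2' \
                'X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2 Java/Oracle Corporation/1.6)' \
                'Content-Type: text/html' '' \
                '<html><body><h1>HTTP Status 404 - Not Found</h1><hr/>GlassFish Server Open Source Edition 3.1.2</body></html>' ;;
        hardened)
            printf '%s\n' 'HTTP/1.1 404 Not Found' \
                'Server: My App Server' \
                'Content-Type: text/html' '' \
                '<html><body><h1>Page not found</h1><a href="/myapp/">Back to the start page</a></body></html>' ;;
    esac
}

# Stand-alone demo: the default response fails, the hardened one passes.
for kind in default hardened; do
    f=$(mktemp)
    write_sample "$kind" > "$f"
    leak_check "$f" || true
    rm -f "$f"
done
```

Run it against a request for a context that does not exist as well as against a wrong path inside a deployed application, since the global and the application-level error pages are served by different configuration and either one can be forgotten.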

Android Market Spam

I totally DO NOT favor Apple's strategy with their censorship-style 110% control of applications and content that run on their proprietary devices like iPad and iPhone! But it seems with the Android Market we are approaching the other end: total freedom and no control, which eventually opens the floodgates for spam, trash applications or trojan horses. Here is one sample: I observe some trashy girls-pics applications showing up regularly in the Software Library section; obviously the guy keeps re-submitting into application areas with little traffic. It's not one but dozens of them, and soon there will be much more of this stuff. And can you explain to me why an application that does nothing but show pictures needs access to your location, phone calls and Internet connection?

Android Market Trash

Picture Display with lots of access rights

New Book on Glassfish Security available

Getting more involved in the security requirements of real-life production setups running Glassfish, I searched the web for this topic. So far there was no book available focusing on security concerns; this just changed a few days ago.
I just got my hands on the new book by Masoud Kalali, Glassfish Security by Packt Publishing. Find more info here. Just started reviewing it, will update you soon.

Getting started with Glassfish V3 and SSL

UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.

At some stage developing web applications (operating outside your fixed, LAN-wired, "secure" in-house network), your customer will hit you asking "How secure is my data? Can I access the system via https and get the golden lock?". You will quickly answer "No problem! We use Glassfish" (just because you vaguely remember seeing some https settings in the GF admin tool). It is indeed not that hard to get started, but if you are not a security expert and not juggling certificates around, it might take you a while to get your web application running with the golden lock. In this tutorial I will summarize the steps to set up a Glassfish V3 domain running with https. Please feel free to comment and give feedback, I am not a security expert either (...yet).

Used for this tutorial:

  • Glassfish V3
  • Java keytool
  • Free 90 days SSL certificate from Comodo (link)

Pre-Requirements:

  • A server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
  • Basic knowledge of navigating around the Glassfish admin tool

Remarks:


Getting Started with Netbeans and Shiro – Part 1

Apache Shiro (formerly known as JSecurity and KI) is a security framework that handles authentication, authorization, enterprise session management and cryptography. With the move from SourceForge to Apache the GPL license turned into the Apache license. The current version is still 0.9 (still JSecurity), but you can build yourself a current version until the next version is released. Shiro is NOT based on JAAS.

Pre-Requirements for this tutorial:

  • Netbeans (any newer version 6.5.1 + already installed)
  • Maven (assuming most people dont use it yet)
  • Shiro code base (via svn)
  • Ubuntu (applies only to the installation of Maven)