AWS Elastic Load Balancing

Elastic Load Balancing distributes incoming web requests round robin across a set of identical web instances. Beyond easing administration, it monitors the health of each instance in the pool and automatically routes traffic around any instance that fails its health check.

Here is the summary from Amazon.

Elastic Load Balancing – Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve even greater fault tolerance in your applications, seamlessly providing the amount of load balancing capacity needed in response to incoming application traffic. Elastic Load Balancing detects unhealthy instances within a pool and automatically reroutes traffic to healthy instances until the unhealthy instances have been restored. You can enable Elastic Load Balancing within a single Availability Zone or across multiple zones for even more consistent application performance. Amazon CloudWatch can be used to capture a specific Elastic Load Balancer’s operational metrics, such as request count and request latency, at no additional cost beyond Elastic Load Balancing fees.

Fees: $0.025 per hour for each Elastic Load Balancer, plus $0.008 per GB of data transferred through an Elastic Load Balancer.
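To make the health-check and rerouting behaviour concrete, here is a small simulation, added to this page and not code from the post or from AWS, of a pool that tracks consecutive probe results per instance and hands out requests round robin over the instances currently in service. The parameter names healthy_threshold and unhealthy_threshold, the state names, and the fail-open rule (send traffic to every instance when none is healthy) are assumptions of this example modelled on the classic ELB rather than anything stated on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HealthTracker:
    """Per-instance health view feeding a round-robin distributor.

    healthy_threshold / unhealthy_threshold (assumed names) are the number of
    consecutive contrary probe results needed before an instance's state flips,
    so one dropped probe does not bounce an instance out of the pool.
    """
    instances: List[str]
    healthy_threshold: int = 2
    unhealthy_threshold: int = 2
    state: Dict[str, str] = field(default_factory=dict)
    streak: Dict[str, int] = field(default_factory=dict)  # consecutive contrary probes
    _rr: int = 0                                          # round-robin cursor

    def __post_init__(self):
        for inst in self.instances:
            self.state[inst] = "InService"
            self.streak[inst] = 0

    def record_probe(self, inst: str, ok: bool) -> str:
        """Feed one health-check result; return the (possibly new) state."""
        current = self.state[inst]
        contrary = (current == "InService" and not ok) or (current == "OutOfService" and ok)
        if not contrary:
            self.streak[inst] = 0          # a confirming probe resets the counter
            return current
        self.streak[inst] += 1
        needed = self.unhealthy_threshold if current == "InService" else self.healthy_threshold
        if self.streak[inst] >= needed:
            self.state[inst] = "OutOfService" if current == "InService" else "InService"
            self.streak[inst] = 0
        return self.state[inst]

    def in_service(self) -> List[str]:
        return [i for i in self.instances if self.state[i] == "InService"]

    def next_target(self) -> str:
        """Round robin over healthy instances.

        If nothing is healthy, fail open to all of them (assumption modelled on
        the classic ELB) so a broken health check does not black-hole requests.
        """
        candidates = self.in_service() or list(self.instances)
        target = candidates[self._rr % len(candidates)]
        self._rr += 1
        return target


def simulate() -> dict:
    """Constructed scenario: i-aaa fails twice, is routed around, then recovers."""
    lb = HealthTracker(["i-aaa", "i-bbb", "i-ccc"])
    before = [lb.next_target() for _ in range(3)]
    lb.record_probe("i-aaa", False)          # one failure: still in service
    after_one = lb.state["i-aaa"]
    lb.record_probe("i-aaa", False)          # second consecutive failure: out
    after_two = lb.state["i-aaa"]
    during = [lb.next_target() for _ in range(4)]
    lb.record_probe("i-aaa", True)
    lb.record_probe("i-aaa", True)           # two good probes bring it back
    return {"before": before, "after_one": after_one, "after_two": after_two,
            "during": during, "recovered": lb.state["i-aaa"]}


if __name__ == "__main__":
    print(simulate())
```

The thresholds are the knob that trades detection speed against flapping: a threshold of 1 reacts to the very first failed probe but also ejects an instance on every transient timeout.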

Elastic Load Balancing Commands

Command Name --> Description

  • elb-configure-healthcheck --> Configures the parameters for checking the health of instances registered with a LoadBalancer
  • elb-create-lb --> Creates a new LoadBalancer
  • elb-delete-lb --> Deletes an existing LoadBalancer
  • elb-deregister-instances-from-lb --> Deregisters instances from a LoadBalancer
  • elb-describe-instance-health --> Describes the health state of instances registered with a LoadBalancer
  • elb-describe-lbs --> Describes the state and properties of LoadBalancers
  • elb-disable-zones-for-lb --> Removes Availability Zones from a LoadBalancer
  • elb-enable-zones-for-lb --> Adds Availability Zones to an existing LoadBalancer
  • elb-register-instances-with-lb --> Registers instances with a LoadBalancer

Use --help with any of the preceding commands for more information and usage examples.

AWS EC2 Windows Passwords, Users, and Authentication

The default password of the Windows Administrator account is set to a random value on every instance by the EC2Config service. You can retrieve the password originally set with the ec2-get-password command, as shown here:

C:\>ec2-get-password i- -k gsg-keypair.txt

Alternatively, you can use the “Get Administrator Password” command in ElasticFox by right-clicking on the instance. The first time you use this feature in ElasticFox you will be asked for your gsg-keypair, the key pair you generated when you first configured your AWS account. The path to the gsg-keypair file is stored in the ec2ui.last.ec2privatekey.file Firefox preference.

Error in ElasticFox: “Invalid EC2 Private Key”

Reference: Windows on Amazon EC2 Security Guide

A quick overview of PuTTY and SSH for AWS Newbies

Linux Access with SSH & PuTTY

This post will (attempt to) explain what SSH and PuTTY are, so that as a user you understand the terminology of AWS and can be productive in the environment. This post will not attempt to make you an expert in SSH. For best practices in implementing SSH, I strongly recommend a book dedicated to hardening *nix (Linux, Unix, Solaris, etc.).

SSH

In the early days of networking (not that long ago, really), very simple tools were used to work with remote computers: telnet as a console, ftp for file copying, rsh for remote command execution, and others. These tools were easy to configure and use. They were client/server tools, in that a software component needed to run on both the local machine (the client) and the remote machine (the server).

While easy to use, they were very insecure. They made no pretense of verifying that the calling host really was the calling host. Everything was username/password based, and both the username and the password were passed around the network in cleartext. If you intercepted the packets being routed around the network (with a sniffer, for example), you could extract the login credentials. Even if you encrypted all of your data, your credentials were still in the clear.

SSH is an attempt (a quite successful one) to fix those insecurities without making things any more complex than they need to be. SSH stands for Secure SHell. However, SSH is not really a command shell; it is a protocol that encrypts communications. That means that programs that use SSH can work like telnet or ftp but are far more secure.

Note: Technically, SSH is also a tool. There is a client terminal program called SSH. It’s a non-graphical command line tool that provides a window which executes a command shell on the remote system.

SSH offers multiple modes of connecting, but for the purposes of AWS we will talk about key-based access. To make things more secure, EC2 uses key-based authentication. Before starting an instance, you need to create a key pair.

Note: The explanation of SSH below is a gross oversimplification. I am just trying to give you a feel for what is going on. If you really want to understand the technical details, I really do recommend that you purchase a book. My personal recommendation is SSH, The Secure Shell: The Definitive Guide from O’Reilly.

When an instance starts up for the first time, EC2 copies the public half of the key pair you created to the proper directory on the remote server. The remote server will be running the SSH server software.

You will then use an SSH client to connect to the server. The client asks the server for information proving that it really is who it says it is. The first time you connect to a server, the client won’t have that information on record, so it will prompt you to verify that the server is legitimate.

You verify that information by comparing a thumbprint (the host key fingerprint). Verifying a host is a bit beyond this post, but do an internet search for “ssh host thumbprint”. You’ll find a variety of articles explaining it in detail.

Once the client accepts the host, the client uses your private key to prove to the host that you hold it (the private key itself never crosses the wire). If the host finds a matching public key on its side, it authenticates you and lets you log in. If the host then asks for a password, your key did not work and something is not configured properly. In my experience, it will probably be that your client key file is not in the place your client is expecting it to be.
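The host-verification step described above is the one that protects you from connecting to an impostor. Here is an added example, not code from the post, of what an SSH client does with its known_hosts file: it computes the fingerprints you would compare against the one EC2 reports, and it classifies an offered host key as unknown (first connection, confirm out of band), match, or mismatch (the host you trusted now presents a different key, which is the case never to wave through). The key material, the hostname ec2-host.example.com and the known_hosts contents are constructed for the example; hashed known_hosts entries are deliberately skipped.

```python
import base64
import hashlib


# --- constructed sample keys (deterministic bytes, not real server keys) ----------
# An OpenSSH ed25519 public-key blob is two length-prefixed strings:
# the key type and the raw 32-byte public key.
def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(raw_key: bytes) -> str:
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


SERVER_KEY = make_ed25519_blob(bytes(range(32)))        # the key the real host has
IMPOSTOR_KEY = make_ed25519_blob(bytes(range(32, 64)))  # a different key entirely
HOST = "ec2-host.example.com"                             # placeholder hostname
KNOWN_HOSTS = (
    "# constructed known_hosts file\n"
    f"{HOST},10.0.0.5 ssh-ed25519 {SERVER_KEY}\n"
)


# --- fingerprints, in the two forms ssh clients print -----------------------------
def fingerprint_md5(blob_b64: str) -> str:
    """Legacy colon-separated MD5 form: 16 two-hex-digit groups."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob_b64: str) -> str:
    """Modern form: 'SHA256:' followed by the unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- the check performed on every connection ---------------------------------------
def check_host(known_hosts: str, host: str, key_type: str, blob_b64: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key a server offers.

    'unknown' is the first-connection prompt; 'mismatch' means a previously
    trusted host presented a different key and the connection should stop.
    Hashed (|1|...) entries are not handled by this example.
    """
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, entry_type, entry_blob = parts[0].split(","), parts[1], parts[2]
        if host in hosts and entry_type == key_type:
            return "match" if entry_blob == blob_b64 else "mismatch"
    return "unknown"


if __name__ == "__main__":
    print("expected host fingerprint:", fingerprint_sha256(SERVER_KEY))
    print("legacy form:", fingerprint_md5(SERVER_KEY))
    print("real host  :", check_host(KNOWN_HOSTS, HOST, "ssh-ed25519", SERVER_KEY))
    print("impostor   :", check_host(KNOWN_HOSTS, HOST, "ssh-ed25519", IMPOSTOR_KEY))
    print("new host   :", check_host(KNOWN_HOSTS, "other.example.com", "ssh-ed25519", SERVER_KEY))
```

For an EC2 instance the out-of-band source for the fingerprint is the instance's console output, which prints the host keys the SSH server generated at first boot; comparing that against what the client shows on the unknown-host prompt is the whole point of the check.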

What happens next depends on the tool you are using. If you are using a terminal program, ssh for example, you will now have a command prompt. If you are using sftp or scp, you will be able to copy files.

In addition to command line tools, there are GUI tools that use the SSH protocol. WinSCP is an excellent SCP client for Windows.

Regardless of the tools you use, SSH is busy encrypting everything you send over the wire. The SSH protocol has evolved over the years, and will probably evolve even more in the future, but it is currently running a very secure form of encryption.

If you are running Linux, you are pretty much finished at this point. SSH ships with every Linux distribution that I am aware of. If you are using Windows, however, you either need to install Cygwin (a Unix-like environment that runs on Windows), or you’ll want to get PuTTY.

PuTTY

You can download all of the programs discussed in this section at:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

I honestly have no idea why PuTTY is spelled PuTTY. I can figure the TTY part of it is from the Unix command that outputs a display. I’m not sure about the Pu though.

I do know what PuTTY is, though. PuTTY is a very simple implementation of an MS-Windows SSH terminal client. When I say it is simple, I mean that as a compliment. This is a tool that does not get in the way.

You tell PuTTY to connect to a remote server and, as long as your keys are configured, it will connect you. If you are not using keys, you can connect with a password (if the host allows that). As a best practice, keys are recommended over passwords.

PuTTY is the terminal client but you can get a couple of other tools from the same author. PSFTP and PSCP offer secure file transfers. These tools are as easy to use as PuTTY and work pretty much the same way.

For command line syntax and configuration, take a look at the documentation at the link above.

A note about SSH keys and PuTTY: the OpenSSH-style key file that EC2 gives you is not directly usable by PuTTY. The same web site offers a utility called PuTTYgen. When you create a key pair for EC2, you download the private key file to your local machine. PuTTYgen converts that file (a .pem file) to PuTTY’s own private key format (a .ppk file).

PuTTY Key Generator (screenshot)

The tool is named puttygen.exe. Run the executable and the window shown above pops up. To convert an Amazon key to a PuTTY key, use the menu option Conversions > Import Key. Load the .pem file that you downloaded and press the Save Private Key button.

It will warn you about leaving the passphrase blank. That’s ok.

Save the file to the location that PuTTY has been configured to look in for its keys.

Connecting to AWS EC2 (Linux) Instance With PuTTY via SSH

In order to connect to an Amazon Web Services EC2 Linux instance using PuTTY over SSH, you must generate a PPK file from your private key, then point PuTTY at that PPK file. PuTTY does not natively support the private key format generated by Amazon EC2, so PuTTYgen must be used to convert keys to its internal format.

First, load the private key (<keyname>.pem) for the instance you want to connect to into PuTTYgen. Click the Load button and browse to the location of your private key (you will probably have to change the file type to All Files (*.*)). If all goes well you will see the message “Successfully imported foreign key. . .”

Click OK, then click Save Private Key.

Click Yes when PuTTYgen prompts you about saving the key without a passphrase.

Save the key as <keyname>.ppk.

Next, launch PuTTY to open an SSH session and tell PuTTY to use that PPK file (not the PEM file!). Expand Connection, then SSH, and select Auth. Click the Browse button next to the “Private key file for authentication:” field, and select the .ppk file you just created with PuTTYgen.

Under Category on the left, go back to Session and save the session. Then click Open to connect.

Possible error messages when the credentials are incorrect:
* PuTTY failed: “Disconnected: No supported authentication methods available”
* Server refused our key

Linux Crontab Cheat Sheet

### Crontab configuration: updates the site every day at 0327 hours as root (shouldn't tax the server to run every day)
### On several of my sites, I run this command every hour with little impact
### REFERENCE --> http://www.adminschoice.com/docs/crontab.htm
### REFERENCE --> http://www.crontabrocks.org/
crontab -e
27 3 * * * perl /usr/local/awstats/wwwroot/cgi-bin/awstats.pl -update -config=pl-1.tbs.studiocom.com >/dev/null 2>&1

######################### CRONTAB syntax
* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- min (0 - 59)
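The five fields above are easy to read but easy to get subtly wrong, so here is an added example (not part of the cheat sheet) that parses a crontab line the way Vixie cron interprets it, including the two cases that trip people up: `7` as an alias for Sunday, and the rule that when both day-of-month and day-of-week are restricted the job runs when either matches. The entries, dates and command strings used are constructed for the example; month and weekday names (jan, mon) are not supported.

```python
from datetime import datetime, timedelta
from typing import Optional, Set

# Field order and allowed ranges, matching the diagram above.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("dom", 1, 31), ("month", 1, 12), ("dow", 0, 7)]
ALL_DOM = frozenset(range(1, 32))
ALL_DOW = frozenset(range(0, 7))


def parse_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one field ('*', '5', '1-5', '*/15', '1,15,30', '1-10/2') into a set."""
    values: Set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{spec!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line: str) -> tuple:
    """Split a crontab entry into five value sets plus the command string."""
    tokens = line.split(None, 5)
    if len(tokens) < 6:
        raise ValueError("expected five time fields followed by a command")
    sets = [parse_field(tok, lo, hi) for tok, (_, lo, hi) in zip(tokens[:5], FIELDS)]
    dow = sets[4]
    if 7 in dow:                     # both 0 and 7 mean Sunday
        dow.discard(7)
        dow.add(0)
    return tuple(sets) + (tokens[5],)


def matches(entry: tuple, when: datetime) -> bool:
    """Does this entry fire at the given minute?

    Vixie cron rule: if both day-of-month and day-of-week are restricted
    (neither written as '*'), the job runs when EITHER matches, not both.
    """
    minutes, hours, doms, months, dows, _ = entry
    cron_dow = (when.weekday() + 1) % 7       # Python Monday=0 -> cron Sunday=0
    dom_ok, dow_ok = when.day in doms, cron_dow in dows
    if doms != ALL_DOM and dows != ALL_DOW:
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return when.minute in minutes and when.hour in hours and when.month in months and day_ok


def next_run(entry: tuple, after: datetime, horizon_days: int = 366) -> Optional[datetime]:
    """First firing strictly after 'after', found by a minute-by-minute scan."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = after + timedelta(days=horizon_days)
    while t <= limit:
        if matches(entry, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    # Constructed entry with the same schedule as the awstats line above.
    awstats = parse_crontab_line("27 3 * * * perl awstats.pl -update >/dev/null 2>&1")
    print("next run after 2024-01-01 03:27:", next_run(awstats, datetime(2024, 1, 1, 3, 27)))
    f13 = parse_crontab_line("0 0 13 * 5 echo fires on Fridays AND on the 13th")
    print("Fri 13 Oct 2023:", matches(f13, datetime(2023, 10, 13)))
    print("Sat 14 Oct 2023:", matches(f13, datetime(2023, 10, 14)))
```

The either/or rule is the one to remember when auditing a crontab: `0 0 13 * 5` does not mean "Friday the 13th", it fires on every Friday and on every 13th.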

Escaping Restrictive/Untrusted Networks with OpenVPN on EC2

Perhaps you are behind a corporate firewall which does not allow you to access certain types of resources on the Internet. Or, perhaps you are accessing the Internet over an open wifi where you do not trust your network traffic to your fellow wifi users or the admins running the local network.

These instructions guide you in setting up an OpenVPN server on an EC2 instance, sending all your network traffic through a secure channel to port 80 on the EC2 instance and from there out to the Internet.

EC2 Instance
Run the latest Ubuntu 8.10 Intrepid image. You can find the most current AMI id in a table on http://alestic.com

ec2-run-instances --key ami-0372946a

Make a note of the instance id (e.g., i-6fceba06). Watch the status using a command like this (replace with your own instance id):

ec2-describe-instances

Repeat the describe instances command until it shows that the instance is “running” and make a note of the external hostname (e.g., ec2-75-101-179-94.compute-1.amazonaws.com).

Connect to the instance using the external hostname you noted. (Note: When running the Ubuntu images from Canonical use the “ubuntu” user instead of “root”).

remotehost=
remoteuser=root
ssh -i .pem $remoteuser@$remotehost

OpenVPN Server
Upgrade the EC2 instance and install the necessary OpenVPN software:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y openvpn
sudo modprobe tun
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

Generate a secret key for secure communication with OpenVPN:

sudo openvpn --genkey --secret ovpn.key

Start the OpenVPN server on the EC2 instance. We are (ab)using port 80 because most closed networks will allow traffic to this port 😉

sudo openvpn \
  --proto tcp-server \
  --port 80 \
  --dev tun1 \
  --secret ovpn.key \
  --ifconfig 10.4.0.1 10.4.0.2 \
  --daemon

OpenVPN Client
Back on the local (non-EC2) workstation, set up the software:

sudo apt-get install -y openvpn
sudo modprobe tun
sudo iptables -I OUTPUT -o tun+ -j ACCEPT
sudo iptables -I INPUT -i tun+ -j ACCEPT

Download the secret key from the EC2 instance:

ssh -i .pem $remoteuser@$remotehost 'sudo cat ovpn.key' > ovpn.key
chmod 600 ovpn.key
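The static key is the only thing standing between your tunnel and anyone who can reach port 80 on the instance, so it is worth checking that the copy you pulled down over ssh is intact and that the chmod above actually took. Here is an added example, not part of the original post, of a small checker for an OpenVPN V1 static key file: it verifies the header and footer, that the body decodes to the 256 bytes (2048 bits) a V1 key holds, and that the file mode grants nothing to group or other. The key material it writes is deterministic constructed bytes, not a real secret, and the layout (comment line, header, 16 lines of 32 hex characters, footer) is the one `openvpn --genkey --secret` produces.

```python
import os
import stat
import tempfile
from typing import List

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256          # a V1 static key is 2048 bits: 16 lines of 32 hex characters


def parse_static_key(text: str) -> bytes:
    """Return the key bytes, or raise ValueError if the file is not a complete key."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("#")]   # '#' lines are comments
    if not body or body[0] != HEADER or body[-1] != FOOTER:
        raise ValueError("missing OpenVPN static key header/footer")
    try:
        raw = bytes.fromhex("".join(body[1:-1]))
    except ValueError:
        raise ValueError("non-hex characters inside the key body") from None
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)} (truncated copy?)")
    return raw


def check_key_file(path: str) -> List[str]:
    """Problems a client should refuse to start with: loose permissions or a damaged key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"permissions {oct(mode)} allow group/other access; want 0600")
    try:
        with open(path) as fh:
            parse_static_key(fh.read())
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def sample_key_text() -> str:
    """Constructed key file (deterministic bytes, NOT a real secret) in genkey layout."""
    raw = bytes((i * 7 + 3) % 256 for i in range(KEY_BYTES))
    hexstr = raw.hex()
    rows = [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)]
    return "\n".join(["# 2048 bit OpenVPN static key (constructed sample)", HEADER, *rows, FOOTER]) + "\n"


def run_demo() -> dict:
    """Write the sample key in safe and unsafe states and report what the checker says."""
    results = {}
    path = os.path.join(tempfile.mkdtemp(), "ovpn.key")
    with open(path, "w") as fh:
        fh.write(sample_key_text())
    os.chmod(path, 0o600)
    results["secure"] = check_key_file(path)
    os.chmod(path, 0o644)                       # what a forgotten chmod looks like
    results["world_readable"] = check_key_file(path)
    with open(path, "w") as fh:
        fh.write(sample_key_text()[:-200])      # simulate a copy cut short mid-transfer
    os.chmod(path, 0o600)
    results["truncated"] = check_key_file(path)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'ok'}")
```

A mismatched or truncated key on either end does not fail loudly with a pre-shared-key tunnel; the client simply never gets a usable link, so checking the file before starting openvpn saves a round of guessing.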

Start the OpenVPN client:

sudo openvpn \
  --proto tcp-client \
  --remote $remotehost \
  --port 80 \
  --dev tun1 \
  --secret ovpn.key \
  --redirect-gateway def1 \
  --ifconfig 10.4.0.2 10.4.0.1 \
  --daemon

Edit /etc/resolv.conf and set it so that DNS is resolved by the EC2 name server:

sudo mv /etc/resolv.conf /etc/resolv.conf.save
echo "nameserver 172.16.0.23" | sudo tee /etc/resolv.conf

You should now be able to access any Internet resource securely and without restriction.

Teardown
When you are done with this OpenVPN tunnel, remember to shut down the EC2 instance and restore the DNS configuration:

sudo killall openvpn
ec2-terminate-instances
sudo mv /etc/resolv.conf.save /etc/resolv.conf

If you have ways to improve this approach, please leave a comment.

Disclaimer
These instructions are not intended to assist in illegal activities. If you are breaking the laws or rules of your government or college or company or ISP, then you should understand the security implications of the above steps better than I do and be willing to accept consequences of your actions.