– we create awesome web applications
vitaly 50x50
Jan 22th 2009

Securing Panda AMI Instance for Production.

vitaly rails, ruby, it, security, devops

Recently we looked for video transcoding/hosting solution to use in one of our client’s projects.

The best thing we’ve found is Panda. It runs on Amazon stack of services including ec2, s3, and simpledb.

Using amazon has many advantages. no contracts, pay as you go, easy and fast scaling in case your site explodes :)

Unfortunately the image that is refered in the Getting Started (ami-05d7336c) is not safe for production - it has openssh version with a serious security bug, but don’t worry, we will explain how to fix it.

Actually, you should always apply latest security patches and change ssh keys when using public AMI images in production. Or even better, bundle your own AMI image with all your changes and never use public ones in production.

OK, now lets get to work.

start ami instance

$ ec2-run-instances ami-05d7336c -k EC2_PUBLIC_KEY_NAME
RESERVATION	r-xxxxxxxx	xxxxxxxxxxxx	default
INSTANCE	i-xxxxxxx	ami-05d7336c			pending	your_key	0		m1.small	2009-01-22T08:44:12+0000	us-east-1c

EC2_PUBLIC_KEY_NAME is the name of the keypair that you generated using ec2-add-keypair command. (see Amazon EC2 Getting Started Guide for details)

wait until it starts

$ ec2-describe-instances
RESERVATION	r-xxxxxx	xxxxxxxxxxxxxx	default
INSTANCE	i-xxxxxxx	ami-05d7336c	xxxxxxx.compute-1.amazonaws.com	ip-xxxxxxxxx.ec2.internal	running	your_key	0		m1.small	2009-01-22T08:44:12+0000	us-east-1c

login into the instance

$ ssh -i key-c2a [email protected]
The authenticity of host 'xxxx.compute-1.amazonaws.com (xxxxx)' can't be established.
RSA key fingerprint is c4:e0:8e:cc:6a:b6:6f:63:8c:c2:5d:13:7e:77:36:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xxxx.compute-1.amazonaws.com,xxxxx' (RSA) to the list of known hosts.
Last login: Wed Sep 24 10:43:28 2008 from zzzz
Linux xxxxx.compute-1.amazonaws.com 2.6.16-xenU #1 SMP Mon May 28 03:41:49 SAST 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
panda:~#

update apt

The current source list

panda:~# apt-get update
...
Reading package lists... Done
panda:~#

upgrade packages

Those are bug security fixes:

panda:~# apt-get upgrade -u
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  openssh-client openssh-server
The following packages will be upgraded:
  bsdutils cpio debconf debconf-i18n dpkg dpkg-dev dselect e2fslibs e2fsprogs file findutils git-core initscripts irb1.8 libblkid1 libc6 libc6-amd64 libc6-dev libc6-dev-amd64
  libc6-xen libcairo2 libcomerr2 libdbi-perl libfreetype6 libgnutls13 libkrb53 liblcms1 libmagic1 libmysqlclient15off libopenssl-ruby1.8 libpam-modules libpam-runtime libpam0g
  libpcre3 libpcre3-dev libpcrecpp0 libpq4 libpulse0 libqt3-mt libreadline-ruby1.8 libruby1.8 libruby1.9 libspeex1 libss2 libssl-dev libssl0.9.8 libtiff4 libuuid1 libvorbis-dev
  libvorbis0a libvorbisenc2 libvorbisfile3 libxine1 libxml2 locales login mount mplayer mysql-client-5.0 mysql-common openssl passwd perl perl-base perl-modules postfix python2.4
  python2.4-minimal rdoc1.8 rsync ruby1.8 ruby1.8-dev ruby1.9 sysv-rc sysvinit sysvinit-utils tar tzdata unzip util-linux
80 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 77.1MB of archives.
After unpacking 1220kB disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org etch/updates/main login 1:4.0.18.1-7+etch1 [797kB]
Get:2 http://ftp.debian.org etch/main bsdutils 1:2.12r-19etch1 [68.5kB]
Get:3 http://ftp.debian.org etch/main dpkg 1.13.26 [2034kB]
Get:4 http://security.debian.org etch/updates/main perl-modules 5.8.8-7etch6 [2328kB]
Get:5 http://ftp.debian.org etch/main libc6-dev 2.3.6.ds1-13etch8 [2718kB]
Get:6 http://security.debian.org etch/updates/main perl 5.8.8-7etch6 [3599kB]                                                                                                       
Get:7 http://ftp.debian.org etch/main libc6-dev-amd64 2.3.6.ds1-13etch8 [2015kB]                                                                                                    
Get:8 http://security.debian.org etch/updates/main perl-base 5.8.8-7etch6 [763kB]                                                                                                   
Get:9 http://ftp.debian.org etch/main libc6-amd64 2.3.6.ds1-13etch8 [3327kB]                                                                                                        
Get:10 http://security.debian.org etch/updates/main libssl-dev 0.9.8c-4etch4 [2094kB]                                                                                               
Get:11 http://security.debian.org etch/updates/main libssl0.9.8 0.9.8c-4etch4 [2721kB]            
...
Get:79 http://ftp.debian.org etch/main unzip 5.52-9etch1 [152kB]                                                                                                                    
Get:80 http://ftp.debian.org etch/main postfix 2.3.8-2+etch1 [1090kB]                                                                                                               
Fetched 77.1MB in 2m36s (494kB/s)                                                                                                                                                   
Extracting templates from packages: 100%
Preconfiguring packages ...
...
Unpacking replacement tzdata ...
Setting up tzdata (2008e-1etch3) ...
Running 'tzconfig' to set this system's timezone.
Your current time zone is set to Unknown
Do you want to change that? [n]: y

Please enter the number of the geographic area in which you live:


    1) Africa			7) Australia

    2) America			8) Europe

    3) US time zones		9) Indian Ocean

    4) Canada time zones		10) Pacific Ocean

    5) Asia				11) Use System V style time zones

    6) Atlantic Ocean		12) None of the above


Then you will be shown a list of cities which represent the time zone
in which they are located. You should choose a city in your time zone.

Number: 12

GMT GMT+0 GMT+1 GMT+10 GMT+11 GMT+12 GMT+2 GMT+3 GMT+4 GMT+5 GMT+6 GMT+7
GMT+8 GMT+9 GMT-0 GMT-1 GMT-10 GMT-11 GMT-12 GMT-13 GMT-14 GMT-2 GMT-3
GMT-4 GMT-5 GMT-6 GMT-7 GMT-8 GMT-9 GMT0 Greenwich UCT UTC Universal Zulu

Please enter the name of one of these cities or zones
You just need to type enough letters to resolve ambiguities
Press Enter to view all of them again
Name: [] UTC
Your default time zone is set to 'Etc/UTC'.
Local time is now:      Thu Jan 22 09:03:14 UTC 2009.
Universal Time is now:  Thu Jan 22 09:03:14 UTC 2009.

...
Setting up perl (5.8.8-7etch6) ...

Setting up dpkg-dev (1.13.26) ...
Setting up mysql-client-5.0 (5.0.32-7etch8) ...
panda:~#

Notice 2 packages that were not upgraded: openssh-client and openssh-server

upgrade openssh

panda:~# apt-get install openssh-server 
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  openssh-blacklist openssh-client
Suggested packages:
  ssh-askpass xbase-clients rssh molly-guard
The following NEW packages will be installed:
  openssh-blacklist
The following packages will be upgraded:
  openssh-client openssh-server
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 3006kB of archives.
After unpacking 4096kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
Setting up openssh-server (4.3p2-9etch3) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

panda:~#

During the installation it created new sshd server keys.

check for vulnerable ssh keys

panda:~# ssh-vulnkey  -a
Not blacklisted: 2048 25:7b:b5:cf:ae:44:87:00:9d:b6:62:39:f9:4e:10:7d /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 e2:26:98:52:ad:9f:2c:43:77:45:71:e9:87:17:7c:08 /etc/ssh/ssh_host_dsa_key.pub
Not blacklisted: 2048 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx your-key
panda:~#

update known_hosts file

you just changed server’s ssh key, so next time you try to login ssh will complain:

$ ssh -i your-key [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please contact your system administrator.
Add correct host key in /Users/vitaly/.ssh/known_hosts to get rid of this message.
Offending key in /Users/vitaly/.ssh/known_hosts:68
RSA host key for xxxxxxxxxxxxxxxxxx.compute-1.amazonaws.com has changed and you have requested strict checking.
Host key verification failed.

Remove line with the old host key (filename and line number is given by ssh) and you will be able to login again

install panda

Just follow Panda Getting Started Guide starting with “Grab Panda”

bundle new AMI

Now you can create a new Amazon AMI image from your current instance. Refer to Amazon EC2 Getting Started Guide (section “Creating an Image”)

We are hiring
The Rails 4 Way

We are proud that our own Vitaly Kushner co-authored "The Rails 4 Way" together with Rails legend Obie Fernandes of Hashrocket fame.

"The Rails 4 Way" is the latest edition of the most comprehensive, authoritative guide to delivering production-quality code with Rails 4.