Recently we were looking for a video transcoding/hosting solution to use in one of our client's projects.
Using Amazon has many advantages: no contracts, pay as you go, and easy and fast scaling in case your site explodes :)
Unfortunately the image referred to in the Getting Started guide (ami-05d7336c) is not safe for production: it ships an OpenSSH version with a serious security bug. Don't worry, we will explain how to fix it.
Actually, you should always apply the latest security patches and change the SSH keys when using public AMI images in production. Or, even better, bundle your own AMI image with all your changes and never use public ones in production.
OK, now let's get to work.
start ami instance
$ ec2-run-instances ami-05d7336c -k EC2_PUBLIC_KEY_NAME
RESERVATION r-xxxxxxxx xxxxxxxxxxxx default
INSTANCE i-xxxxxxx ami-05d7336c pending your_key 0 m1.small 2009-01-22T08:44:12+0000 us-east-1c
EC2_PUBLIC_KEY_NAME is the name of the keypair that you generated using the ec2-add-keypair command (see the Amazon EC2 Getting Started Guide for details).
wait until it starts
$ ec2-describe-instances
RESERVATION r-xxxxxx xxxxxxxxxxxxxx default
INSTANCE i-xxxxxxx ami-05d7336c xxxxxxx.compute-1.amazonaws.com ip-xxxxxxxxx.ec2.internal running your_key 0 m1.small 2009-01-22T08:44:12+0000 us-east-1c
login into the instance
$ ssh -i key-c2a firstname.lastname@example.org
The authenticity of host 'xxxx.compute-1.amazonaws.com (xxxxx)' can't be established.
RSA key fingerprint is c4:e0:8e:cc:6a:b6:6f:63:8c:c2:5d:13:7e:77:36:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xxxx.compute-1.amazonaws.com,xxxxx' (RSA) to the list of known hosts.
Last login: Wed Sep 24 10:43:28 2008 from zzzz
Linux xxxxx.compute-1.amazonaws.com 2.6.16-xenU #1 SMP Mon May 28 03:41:49 SAST 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
panda:~#
update the current source list
panda:~# apt-get update
...
Reading package lists... Done
panda:~#
These are the security bug fixes:
panda:~# apt-get upgrade -u
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  openssh-client openssh-server
The following packages will be upgraded:
  bsdutils cpio debconf debconf-i18n dpkg dpkg-dev dselect e2fslibs e2fsprogs file findutils
  git-core initscripts irb1.8 libblkid1 libc6 libc6-amd64 libc6-dev libc6-dev-amd64 libc6-xen
  libcairo2 libcomerr2 libdbi-perl libfreetype6 libgnutls13 libkrb53 liblcms1 libmagic1
  libmysqlclient15off libopenssl-ruby1.8 libpam-modules libpam-runtime libpam0g libpcre3
  libpcre3-dev libpcrecpp0 libpq4 libpulse0 libqt3-mt libreadline-ruby1.8 libruby1.8 libruby1.9
  libspeex1 libss2 libssl-dev libssl0.9.8 libtiff4 libuuid1 libvorbis-dev libvorbis0a libvorbisenc2
  libvorbisfile3 libxine1 libxml2 locales login mount mplayer mysql-client-5.0 mysql-common
  openssl passwd perl perl-base perl-modules postfix python2.4 python2.4-minimal rdoc1.8 rsync
  ruby1.8 ruby1.8-dev ruby1.9 sysv-rc sysvinit sysvinit-utils tar tzdata unzip util-linux
80 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 77.1MB of archives.
After unpacking 1220kB disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org etch/updates/main login 1:184.108.40.206-7+etch1 [797kB]
Get:2 http://ftp.debian.org etch/main bsdutils 1:2.12r-19etch1 [68.5kB]
Get:3 http://ftp.debian.org etch/main dpkg 1.13.26 [2034kB]
Get:4 http://security.debian.org etch/updates/main perl-modules 5.8.8-7etch6 [2328kB]
Get:5 http://ftp.debian.org etch/main libc6-dev 2.3.6.ds1-13etch8 [2718kB]
Get:6 http://security.debian.org etch/updates/main perl 5.8.8-7etch6 [3599kB]
Get:7 http://ftp.debian.org etch/main libc6-dev-amd64 2.3.6.ds1-13etch8 [2015kB]
Get:8 http://security.debian.org etch/updates/main perl-base 5.8.8-7etch6 [763kB]
Get:9 http://ftp.debian.org etch/main libc6-amd64 2.3.6.ds1-13etch8 [3327kB]
Get:10 http://security.debian.org etch/updates/main libssl-dev 0.9.8c-4etch4 [2094kB]
Get:11 http://security.debian.org etch/updates/main libssl0.9.8 0.9.8c-4etch4 [2721kB]
...
Get:79 http://ftp.debian.org etch/main unzip 5.52-9etch1 [152kB]
Get:80 http://ftp.debian.org etch/main postfix 2.3.8-2+etch1 [1090kB]
Fetched 77.1MB in 2m36s (494kB/s)
Extracting templates from packages: 100%
Preconfiguring packages ...
...
Unpacking replacement tzdata ...
Setting up tzdata (2008e-1etch3) ...
Running 'tzconfig' to set this system's timezone.
Your current time zone is set to Unknown
Do you want to change that? [n]: y
Please enter the number of the geographic area in which you live:
    1) Africa               7) Australia
    2) America              8) Europe
    3) US time zones        9) Indian Ocean
    4) Canada time zones   10) Pacific Ocean
    5) Asia                11) Use System V style time zones
    6) Atlantic Ocean      12) None of the above
Then you will be shown a list of cities which represent the time zone
in which they are located. You should choose a city in your time zone.
Number: 12
GMT GMT+0 GMT+1 GMT+10 GMT+11 GMT+12 GMT+2 GMT+3 GMT+4 GMT+5 GMT+6 GMT+7 GMT+8 GMT+9
GMT-0 GMT-1 GMT-10 GMT-11 GMT-12 GMT-13 GMT-14 GMT-2 GMT-3 GMT-4 GMT-5 GMT-6 GMT-7 GMT-8 GMT-9
GMT0 Greenwich UCT UTC Universal Zulu
Please enter the name of one of these cities or zones
You just need to type enough letters to resolve ambiguities
Press Enter to view all of them again
Name: UTC
Your default time zone is set to 'Etc/UTC'.
Local time is now:      Thu Jan 22 09:03:14 UTC 2009.
Universal Time is now:  Thu Jan 22 09:03:14 UTC 2009.
...
Setting up perl (5.8.8-7etch6) ...
Setting up dpkg-dev (1.13.26) ...
Setting up mysql-client-5.0 (5.0.32-7etch8) ...
panda:~#
Notice the 2 packages that were not upgraded: openssh-client and openssh-server.
panda:~# apt-get install openssh-server
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  openssh-blacklist openssh-client
Suggested packages:
  ssh-askpass xbase-clients rssh molly-guard
The following NEW packages will be installed:
  openssh-blacklist
The following packages will be upgraded:
  openssh-client openssh-server
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 3006kB of archives.
After unpacking 4096kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
Setting up openssh-server (4.3p2-9etch3) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.
panda:~#
During the installation it created new sshd server keys.
check for vulnerable ssh keys
panda:~# ssh-vulnkey -a
Not blacklisted: 2048 25:7b:b5:cf:ae:44:87:00:9d:b6:62:39:f9:4e:10:7d /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 e2:26:98:52:ad:9f:2c:43:77:45:71:e9:87:17:7c:08 /etc/ssh/ssh_host_dsa_key.pub
Not blacklisted: 2048 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx your-key
panda:~#
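The patch-and-check steps above can be run unattended, and the ssh-vulnkey report can be turned into a pass/fail verdict instead of being read by eye. The script below is an added example for this post; it is not part of Panda, Debian or the EC2 tools. It assumes a Debian etch instance with ssh-vulnkey installed and root access; the report fed through demo_verdict is constructed, not captured from a real instance.

```shell
#!/bin/sh
# Patch a freshly started public AMI and verify its SSH keys against the Debian
# blacklist. Added example, not part of Panda, Debian or the EC2 tools.

# vulnkey_verdict: read `ssh-vulnkey -a` output on stdin, print
# "<compromised> <unknown>" counts, and return 1 if any key is blacklisted.
# ssh-vulnkey prefixes each key with "COMPROMISED:", "Not blacklisted:" or
# "Unknown (no blacklist information):".
vulnkey_verdict() {
    comp=0
    unk=0
    while IFS= read -r line; do
        case "$line" in
            COMPROMISED:*)
                comp=$((comp + 1))
                echo "blacklisted key, regenerate it: ${line#COMPROMISED: }" >&2
                ;;
            Unknown*)
                unk=$((unk + 1))
                ;;
        esac
    done
    echo "$comp $unk"
    [ "$comp" -eq 0 ]
}

# patch_and_check: the procedure from this post, run without prompts.
# Not invoked here; run it as root on the instance.
patch_and_check() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get -y upgrade
    # openssh was "kept back" by upgrade because it pulls in a new package
    # (openssh-blacklist), so install it explicitly; on etch this also
    # regenerates the host keys.
    apt-get -y install openssh-server openssh-client
    ssh-vulnkey -a | vulnkey_verdict
}

# demo_verdict: feed a constructed report through the checker (the
# fingerprints below are made up).
demo_verdict() {
    printf '%s\n' \
        'Not blacklisted: 2048 25:7b:b5:cf:ae:44:87:00:9d:b6:62:39:f9:4e:10:7d /etc/ssh/ssh_host_rsa_key.pub' \
        'COMPROMISED: 1024 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa /root/.ssh/authorized_keys' \
        'Unknown (no blacklist information): 1024 bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb /root/.ssh/id_dsa.pub' \
        | vulnkey_verdict
}

if demo_verdict 2>/dev/null; then
    echo "all keys clean"
else
    echo "at least one blacklisted key found"
fi
```

A key reported as COMPROMISED in authorized_keys is a client key generated on a vulnerable Debian system; the fix is to generate a new keypair on a patched machine and replace that authorized_keys line, since patching the server does nothing for it. Keys reported as Unknown (for example keys not generated by Debian's OpenSSL) are not proven weak, but they are worth a second look before the image is bundled.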
update known_hosts file
You just changed the server's SSH key, so the next time you try to log in, ssh will complain:
$ ssh -i your-key email@example.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Please contact your system administrator.
Add correct host key in /Users/vitaly/.ssh/known_hosts to get rid of this message.
Offending key in /Users/vitaly/.ssh/known_hosts:68
RSA host key for xxxxxxxxxxxxxxxxxx.compute-1.amazonaws.com has changed and you have requested strict checking.
Host key verification failed.
Remove the line with the old host key (the filename and line number are given by ssh) and you will be able to log in again.
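Rather than editing known_hosts by hand, the stale entry can be removed by host name, with a backup kept so the change can be reverted. The script below is an added example for this post, not part of OpenSSH or Panda; the known_hosts path and host name are parameters, and the sample file written by demo_forget is constructed.

```shell
#!/bin/sh
# Drop the stale known_hosts entry for a host whose key was regenerated,
# keeping a backup. Added example, not part of OpenSSH or Panda.

# forget_host_key FILE HOST: remove plaintext entries naming HOST. Field 1 of
# a known_hosts line is a comma-separated host list; "@cert-authority" and
# "@revoked" markers shift the list to field 2. Prints the number of entries
# removed. Hashed entries ("|1|...") cannot be matched by name; for those use
# `ssh-keygen -R HOST`, which does the same job for both forms.
forget_host_key() {
    kh="$1"
    host="$2"
    cp "$kh" "$kh.bak"
    awk -v h="$host" '
        {
            f = ($1 ~ /^@/) ? 2 : 1
            n = split($f, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (hosts[i] == h || hosts[i] == "[" h "]:22") keep = 0
            if (keep) print
        }' "$kh.bak" > "$kh"
    echo $(( $(grep -c '' "$kh.bak") - $(grep -c '' "$kh") ))
}

# demo_forget: a constructed known_hosts with a stale EC2 entry on line 2.
# Prints "<removed> <lines left>".
demo_forget() {
    tmpkh=$(mktemp)
    printf '%s\n' \
        'a.example.com,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAAold' \
        'xxxx.compute-1.amazonaws.com,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAAstale' \
        '@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAAca' \
        'b.example.com ssh-rsa AAAAB3NzaC1yc2EAAAAother' > "$tmpkh"
    removed=$(forget_host_key "$tmpkh" xxxx.compute-1.amazonaws.com)
    left=$(grep -c '' "$tmpkh")
    rm -f "$tmpkh" "$tmpkh.bak"
    echo "$removed $left"
}

echo "removed/left: $(demo_forget)"
```

Before removing the line, compare the fingerprint in the warning with the one for the freshly created host key, which ssh-vulnkey printed above (or run ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub in the session you still have open). If they match, the warning is the key change you just made; if they do not, do not clear the entry until you know why.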
Then just follow the Panda Getting Started Guide, starting with "Grab Panda".
bundle new AMI
Now you can create a new Amazon AMI image from your current instance. Refer to the Amazon EC2 Getting Started Guide (section "Creating an Image").