Monday, January 13, 2020

linux - How to SSH to ec2 instance in VPC private subnet via NAT server




I have created a VPC in AWS with a public subnet and a private subnet. The private subnet does not have direct access to the external network, so there is a NAT server in the public subnet which forwards all outbound traffic from the private subnet to the outside network.

Currently, I can SSH from the public subnet to the private subnet, and also SSH from the NAT to the private subnet.
However, what I want is to SSH from any machine (home laptop, office machine and mobile) to instances in the private subnet.

I have done some research suggesting that I can set up the NAT box to forward SSH to an instance in the private subnet, but I had no luck with this.

Can anyone list what I need to set up to make this possible?

Names are:

laptop (any device outside the VPC)
nat (the NAT server in the public subnet)
destination (the server in the private subnet which I want to connect to)

Not sure whether the following are limitations or not:

The "destination" does not have a public IP, only a subnet IP, for example 10.0.0.1
The "destination" cannot connect to "nat" via nat's public.
There are several "destination" servers; do I need to set up one for each?

Thanks


Answer



You can set up a bastion host to connect to any instance within your VPC:



http://blogs.aws.amazon.com/security/post/Tx3N8GFK85UN1G6/Securely-connect-to-Linux-instances-running-in-a-private-Amazon-VPC



You can choose to launch a new instance that will function as a bastion host, or use your existing NAT instance as a bastion.




If you create a new instance, as an overview, you will:



1) create a security group for your bastion host that will allow SSH access from your laptop (note this security group for step 4)



2) launch a separate instance (bastion) in a public subnet in your VPC



3) give that bastion host a public IP either at launch or by assigning an Elastic IP



4) update the security groups of each of your instances that don't have a public IP to allow SSH access from the bastion host. This can be done using the bastion host's security group ID (sg-#####).




5) use SSH agent forwarding (ssh -A user@publicIPofBastion) to connect first to the bastion, and then once in the bastion, SSH into any internal instance (ssh user@private-IP-of-Internal-Instance). Agent forwarding takes care of forwarding your private key so it doesn't have to be stored on the bastion instance (never store private keys on any instance!!)



The AWS blog post above should be able to provide some nitty gritty regarding the process. I've also included the below in case you wanted extra details about bastion hosts:



Concept of Bastion Hosts:
http://en.m.wikipedia.org/wiki/Bastion_host



If you need clarification, feel free to comment.
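As an added example, not taken from the answer or the linked AWS post, here is the same laptop to bastion to private-instance path written as an OpenSSH client config, produced by a small shell function. It swaps the answer's ssh -A agent forwarding for ProxyJump (OpenSSH 7.3 or later), which runs the inner SSH session end to end from the laptop so neither a private key nor the agent socket is ever exposed on the bastion. The bastion address 203.0.113.10, the user ec2-user, the key path and the 10.0.* host pattern are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an OpenSSH client config that reaches private-subnet
# instances through the bastion with ProxyJump instead of agent forwarding.
# 203.0.113.10, ec2-user, ~/.ssh/bastion.pem and the 10.0.* pattern are
# placeholders constructed for this example.

# bastion_ssh_config BASTION_PUBLIC_IP USER KEYFILE PRIVATE_HOST_PATTERN
# Prints a config fragment on stdout; append it to ~/.ssh/config.
bastion_ssh_config() {
  bastion_ip=$1
  user=$2
  key=$3
  pattern=$4   # e.g. '10.0.*' to cover every address in the private subnets
  cat <<EOF
# Bastion in the public subnet (its Elastic IP or public IP from step 3)
Host bastion
    HostName $bastion_ip
    User $user
    IdentityFile $key
    IdentitiesOnly yes
    ForwardAgent no

# Every private-subnet instance: tunnel through the bastion.
# ProxyJump opens the inner SSH connection from the laptop, so the key
# stays on the laptop and no agent socket is forwarded to the bastion.
Host $pattern
    User $user
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Usage: write the fragment once, then "ssh 10.0.0.1" goes via the bastion.
# bastion_ssh_config 203.0.113.10 ec2-user ~/.ssh/bastion.pem '10.0.*' >> ~/.ssh/config
```

The security groups from steps 1 and 4 still apply unchanged: the bastion accepts SSH from the laptop's address, and the private instances accept SSH only from the bastion's security group; ProxyJump only changes how the client drives the two hops.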


linux - CentOS: error when removing file: "rm: cannot remove '.viminfo': No such file or directory"

I have a file named .viminfo in my home directory. I can see that the file is there with ls -lh:

$ ls -lh
...
drwxr-xr-x. 2 mt1022 1091 4.0K Oct 12 2016 .vim
-?????????? ? ? ? ? ? .viminfo
-rw-r--r--. 1 mt1022 1091 305 Nov 9 2013 .vimrc
...



However I cannot delete this file:



$ rm .viminfo
rm: cannot remove '.viminfo': No such file or directory


I saw somewhere that such corrupted files can be deleted by inode number. However, when I run ls -i I get the following output for the file:

145563901919042729 .cpan    144115239380596661 .vim
145563901918974272 .cpanm                    ? .viminfo
145564136279985406 .dask    144115238810163333 .vimrc

I also tried sudo chmod g+x .viminfo (an answer to a very similar post on this site). I still got the "no such file or directory" error.

My question is: how do I delete such a corrupted file?







Additional info that might be helpful:

  1. The file is stored on a Lustre file system.
  2. The file was normal before and became corrupted after a recent sudden power outage.
  3. The file was not fixed by fsck.

redhat - Apache Config: RSA server certificate CommonName (CN) ... NOT match server name?

I'm getting this in error_log when I start Apache:




[Tue Mar 09 14:57:02 2010] [notice] mod_python: Creating 4 session mutexes based on 300 max processes and 0 max threads.
[Tue Mar 09 14:57:02 2010] [warn] RSA server certificate CommonName (CN) `*.foo.com' does NOT match server name!?
[Tue Mar 09 14:57:02 2010] [warn] RSA server certificate CommonName (CN) `www.bar.com' does NOT match server name!?
[Tue Mar 09 14:57:02 2010] [notice] Apache configured -- resuming normal operations


Child processes then seem to seg fault:




[Tue Mar 09 14:57:32 2010] [notice] child pid 3425 exit signal Segmentation fault (11)
[Tue Mar 09 14:57:35 2010] [notice] child pid 3433 exit signal Segmentation fault (11)
[Tue Mar 09 14:57:36 2010] [notice] child pid 3437 exit signal Segmentation fault (11)



The server is RHEL. What's going on, and what do I need to do to fix this?



EDIT
As requested, the dump from httpd -M:




Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authn_alias_module (shared)
authn_anon_module (shared)
authn_default_module (shared)
authz_host_module (shared)
authz_user_module (shared)
authz_owner_module (shared)
authz_groupfile_module (shared)
authz_default_module (shared)
include_module (shared)
log_config_module (shared)
logio_module (shared)
env_module (shared)
ext_filter_module (shared)
mime_magic_module (shared)
expires_module (shared)
deflate_module (shared)
headers_module (shared)
usertrack_module (shared)
setenvif_module (shared)
mime_module (shared)
status_module (shared)
autoindex_module (shared)
info_module (shared)
vhost_alias_module (shared)
negotiation_module (shared)
dir_module (shared)
actions_module (shared)
speling_module (shared)
userdir_module (shared)
alias_module (shared)
rewrite_module (shared)
cache_module (shared)
disk_cache_module (shared)
file_cache_module (shared)
mem_cache_module (shared)
cgi_module (shared)
perl_module (shared)
php5_module (shared)
python_module (shared)
ssl_module (shared)
Syntax OK
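The two warnings above come from mod_ssl comparing each vhost certificate's CN with that vhost's ServerName, with a leading "*." treated as a wildcard for exactly one label. As an added example (not part of the question, and not Apache's own code), the shell functions below reproduce that comparison so a certificate can be checked against a ServerName before Apache is restarted; cert_cn shells out to openssl, which is the only thing it needs beyond a POSIX shell. The CNs *.foo.com and www.bar.com are the ones from the log; the server names they are checked against are constructed.

```shell
#!/bin/sh
# Added example: the name comparison behind mod_ssl's
# "RSA server certificate CommonName (CN) ... does NOT match server name"
# warning, written in shell to check a cert's CN against a ServerName.

# cn_matches CN SERVERNAME -> exit 0 when the CN covers the server name.
# A leading "*." wildcard stands for exactly one host label; the
# comparison is case-insensitive.
cn_matches() {
  cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cn" in
    '*.'*)
      suffix=${cn#\*}            # "*.foo.com" -> ".foo.com"
      host=${name%"$suffix"}     # "www.foo.com" -> "www"; unchanged if no match
      # something was stripped, it is non-empty, and it is a single label
      [ "$host" != "$name" ] && [ -n "$host" ] && [ "${host#*.}" = "$host" ]
      ;;
    *)
      [ "$cn" = "$name" ]
      ;;
  esac
}

# cert_cn CERTFILE -> prints the CN of a PEM certificate (needs openssl).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_vhost CERTFILE SERVERNAME -> one line saying whether they agree,
# i.e. whether Apache would log the warning for this vhost.
check_vhost() {
  cn=$(cert_cn "$1")
  if cn_matches "$cn" "$2"; then
    printf 'ok: CN %s matches ServerName %s\n' "$cn" "$2"
  else
    printf 'warn: CN %s does NOT match ServerName %s\n' "$cn" "$2"
  fi
}

# The CNs from the error_log above against constructed ServerNames:
# cn_matches '*.foo.com' www.foo.com    -> match
# cn_matches '*.foo.com' foo.com        -> no match (wildcard needs one label)
# cn_matches '*.foo.com' a.b.foo.com    -> no match (two labels)
# cn_matches www.bar.com bar.com        -> no match
# check_vhost /etc/pki/tls/certs/www.bar.com.crt www.bar.com   (path is a placeholder)
```

The warning is only about the CN, so it says nothing about the segfaults; its practical use is to confirm which ServerName each vhost should carry for its certificate.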

Sunday, January 12, 2020

filesystems - EXT3 vs EXT4 vs XFS

Recently I read a lot about "new" file systems.

I checked some benchmarks that show MySQL working faster on EXT4 or XFS (and some other FS).

I also "found" that XFS and EXT4 are included in CentOS 5.X.

However, most of the articles I read speak either very positively or very negatively about XFS. Same for EXT4.

Although I have some Debian boxes that run on EXT4, I do not have experience with it.

Questions are: Is it safe?

If power stops, what will happen and what data could be lost?

If the system crashes, what will happen and what data could be lost?

If memory or some other hardware (not the HDD controller or HDD) breaks, what will happen and what data could be lost...

linux - Restrict root ssh from all but one IP/hostname

I want to restrict root SSH login from all but a single IP address.



I was under the impression that I just had to add this to /etc/pam.d/sshd:



account required pam_access.so



and this to /etc/security/access.conf:



-:root:ALL EXCEPT IPADDRESS


but that doesn't seem to be working.
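To make the semantics of that access.conf line concrete, here is an added example (mine, not pam_access code and not from the question): a deliberately simplified evaluator for access.conf rules in POSIX shell. It handles user names, ALL and "ALL EXCEPT ...", and compares the origin field literally; the real module also understands groups, netmasks, partial hostnames and LOCAL. The address 203.0.113.5 is a documentation address standing in for the one permitted client IP. Two points the evaluator makes visible: the origin it is given is whatever sshd hands PAM as PAM_RHOST, which is the client IP unless UseDNS resolves it to a hostname, and pam_access is only consulted at all when sshd_config has UsePAM yes.

```shell
#!/bin/sh
# Added example: a simplified evaluator for access.conf lines, to show how
# pam_access reads "-:root:ALL EXCEPT IPADDRESS". Handles user names, ALL
# and "ALL EXCEPT ..."; origins are compared literally. Real pam_access also
# handles groups, netmasks, partial hostnames and LOCAL.

# in_list ITEM ENTRY... -> 0 if ITEM equals some entry or some entry is ALL
in_list() {
  item=$1
  shift
  for entry in "$@"; do
    [ "$entry" = ALL ] && return 0
    [ "$entry" = "$item" ] && return 0
  done
  return 1
}

# field_matches VALUE FIELD -> 0 if VALUE matches a users or origins field,
# where FIELD is "ALL", a space-separated list, or "ALL EXCEPT list".
field_matches() {
  value=$1
  field=$2
  case "$field" in
    'ALL EXCEPT '*)
      rest=$(printf '%s' "$field" | sed 's/^ALL EXCEPT //')
      in_list "$value" $rest && return 1   # named after EXCEPT: not matched
      return 0 ;;
    *)
      in_list "$value" $field ;;
  esac
}

# access_decision USER ORIGIN < rules -> prints "+" (allow) or "-" (deny).
# The first matching line decides; with no matching line access is granted.
access_decision() {
  user=$1
  origin=$2
  while IFS=: read -r perm users origins; do
    case "$perm" in ''|'#'*) continue ;; esac
    if field_matches "$user" "$users" && field_matches "$origin" "$origins"; then
      printf '%s\n' "$perm"
      return 0
    fi
  done
  printf '+\n'
}

# Constructed rule set: the question's line with a documentation address
# (203.0.113.5) in place of IPADDRESS.
sample_rules='# permission:users:origins
-:root:ALL EXCEPT 203.0.113.5'

# decide USER ORIGIN -> decision for USER arriving from ORIGIN.
# ORIGIN is what sshd passes as PAM_RHOST: the client IP, or a hostname
# when UseDNS resolves it, in which case an IP-only rule cannot match.
decide() {
  printf '%s\n' "$sample_rules" | access_decision "$1" "$2"
}

# decide root 203.0.113.5   -> +   (the single allowed address)
# decide root 198.51.100.7  -> -   (root from anywhere else is denied)
# decide alice 198.51.100.7 -> +   (the rule applies only to root)
```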

centos - Access linux machine by hostname within LAN?

I have a LAN set up with a bunch of Windows and Linux boxes. The LAN is built on top of the AT&T DSL router. I don't have any type of DNS server running. All the Windows machines can identify themselves by machine name over the network. Even a Linux NAS box is accessible by machine name. However, I recently built a CentOS Linux box and I want it to be accessible by machine name. I've tried setting the hostname, but it does not work. Can someone help me with this problem?

mod cache - Apache caching based on cookie

I'm trying to put mod_cache in front of my application server to cache "public" requests but not requests from logged-in users. For various reasons using alternate subdomains or paths isn't a viable option for me. I have the basics set up as:



# Expiry and cache-control
SetEnvIf Cookie "NOCACHE" no-cache
Header set Cache-Control "no-cache" env=no-cache
RequestHeader set X-FW-NoCache "on" env=no-cache
ExpiresActive On
ExpiresDefault "access plus 1 days"
#ExpiresByType text/html "now"
CacheEnable disk /
CacheRoot /var/cache/apache
CacheIgnoreHeaders Set-Cookie
#CacheIgnoreCacheControl on
#CacheIgnoreNoLastMod on
RewriteEngine On

# Search Engine Safe URL rewrite
# Redirect Coldfusion requests to index.cfm
# matches /file.mp4 but not /file:name.mp4 (ie; is a real file)
RewriteCond %{REQUEST_FILENAME} !/[^/:]+\.[^/:]{2,5}$
RewriteRule (.*) /index.cfm$1 [PT,L]


So if Apache sees the NOCACHE cookie it will always pass the request to the application server, even if it has it in cache. It mostly works but there's one issue that's causing me some grief.



If you visit the page without the cookie you will get a cached version with a future expiry date. If you then set the cookie and go back to that page the request is not sent because the browser has its own cached copy with a future expiry date.



How do I modify this so the browser always makes a request and the cache sends a 304 or cached copy WITHOUT asking the application server to reprocess it? In other words how do I tell the mem_cache to cache the file but not the client and downstream proxies?



I tried using ExpiresByType text/html "now" but then the cache won't cache it at all, even when CacheIgnoreCacheControl is on.




I also played around with CacheIgnoreNoLastMod but didn't have any luck finding a solution.
