Amazon IAM user creation for single S3 bucket access

Login to AWS Management Console and from there select IAM:

From the IAM Console, click the “Create new users” button in the toolbar, enter the name of the new user (you can give it any name; I used mymysqlbktos3) and then click the “Create” button at the bottom of that form:

It will show the message “Your 1 User(s) has been created successfully”. Click the “Download Credentials” button at the bottom to download the security credentials (access key and secret key) for that user, then close the message box:

Select the new user, switch to the “Permissions” tab at the bottom, then click the “Attach User Policy” button on that tab:

Select the “Custom Policy” and press “Select“:

Enter the policy name (whatever you want; I entered mysqlbktos3-policy), paste the following text as the policy document (change the bucket name to the bucket you want to give this user access to; in my case the bucket name is mymysqlbk) and click “Apply Policy”:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mymysqlbk"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mymysqlbk/*"]
    }
  ]
}
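Before pasting a policy like this into the console, it is worth checking mechanically that every Allow statement really is scoped to the one bucket. The Python script below is an added example, not part of the original post and not an AWS tool: it takes the policy document above (copied inline as constructed sample input) and reports any bucket or object action that is granted on "arn:aws:s3:::*", on a different bucket, or with a wildcard action, while accepting s3:ListAllMyBuckets (which has no per-bucket ARN) and s3:GetBucketLocation on "*" as the tutorial's policy grants them. The audit_bucket_policy and audit_policy_text function names are this example's own.

```python
import json
import re

# Constructed copy of the policy document from the tutorial above (bucket mymysqlbk).
POLICY_JSON = """
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mymysqlbk"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mymysqlbk/*"]
    }
  ]
}
"""

# Actions the tutorial grants account-wide on purpose: s3:ListAllMyBuckets has no
# per-bucket ARN, and s3:GetBucketLocation is granted on "*" alongside it so that a
# client can locate whichever bucket it is pointed at.
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _split_arn(arn):
    """Return (bucket, key_pattern) for an S3 ARN; (None, None) if it is not an S3 ARN."""
    m = re.fullmatch(r"arn:aws:s3:::([^/]+)(?:/(.*))?", arn)
    return (m.group(1), m.group(2)) if m else (None, None)


def audit_bucket_policy(policy, bucket):
    """Return findings for a policy meant to grant access to `bucket` only; [] means scoped."""
    findings = []
    for n, stmt in enumerate(policy.get("Statement", []), start=1):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource grants everything else")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {n}: wildcard action {action!r}")
                continue
            if not action.startswith("s3:"):
                findings.append(f"statement {n}: non-S3 action {action!r}")
                continue
            if action in ACCOUNT_WIDE_OK:
                continue
            object_level = "Object" in action
            for res in _as_list(stmt.get("Resource", [])):
                b, key = _split_arn(res)
                if b is None or b == "*":
                    findings.append(f"statement {n}: {action} on every bucket ({res})")
                elif b != bucket:
                    findings.append(f"statement {n}: {action} on foreign bucket {b!r}")
                elif object_level and key is None:
                    findings.append(f"statement {n}: {action} on bucket ARN {res} never matches an object")
                elif not object_level and key is not None:
                    findings.append(f"statement {n}: bucket-level {action} on object ARN {res}")
    return findings


def audit_policy_text(text, bucket):
    """Same check, starting from the JSON text that is pasted into the IAM console."""
    return audit_bucket_policy(json.loads(text), bucket)


if __name__ == "__main__":
    print(audit_policy_text(POLICY_JSON, "mymysqlbk") or "policy is scoped to mymysqlbk")
```

Running the script against the tutorial's policy prints no findings; running it with a different bucket name, or after replacing the object-level resource with "arn:aws:s3:::*", lists exactly which statement widened the grant.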

Hope this will help you!

How to Install the latest version of s3cmd tool on Linux

Please install the required packages before installing the s3cmd tool, and download the source zip from GitHub:

sudo yum install unzip python-pip
wget https://github.com/s3tools/s3cmd/archive/master.zip

Unzip the downloaded source zip file and move to the unzipped directory:

unzip master.zip
cd s3cmd-master/

Once you are in the unzipped directory, just run this command:

sudo python setup.py install

Install the dateutil module, which provides powerful extensions to the datetime module of the Python standard library:

sudo pip install python-dateutil

Check the installed version of the s3cmd tool:

s3cmd --version

After installation, run the following command to configure s3cmd with your Amazon access key and secret key (it writes them to the .s3cfg file in your home directory):

s3cmd --configure
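Because .s3cfg holds the access key and secret key in plaintext, the file should be readable by its owner only, and the keys in it should be the ones downloaded for the bucket-scoped IAM user rather than an account-wide key. The Python script below is an added example, not part of the original post or of s3cmd: audit_s3cfg checks the file's mode, owner and presence of both keys, fix_mode applies the usual remediation, and demo runs both against a constructed config written to a temporary directory. The function names and the sample key values are this example's own.

```python
import os
import stat
import tempfile

# s3cmd --configure stores these two keys in plaintext in the INI-style .s3cfg file.
SENSITIVE_KEYS = ("access_key", "secret_key")


def audit_s3cfg(path):
    """Return findings for an s3cmd config file; [] means mode and contents look right."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found (run s3cmd --configure first)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} lets group/others read the keys; use 0600")
    if st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the invoking user")
    seen = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if "=" in line and not line.startswith(("#", ";")):
                key, value = (part.strip() for part in line.split("=", 1))
                seen[key] = value
    for key in SENSITIVE_KEYS:
        if not seen.get(key):
            findings.append(f"{path}: {key} is missing or empty")
    return findings


def fix_mode(path):
    """Restrict the file to its owner (chmod 600), the remediation for the mode finding."""
    os.chmod(path, 0o600)


def demo():
    """Audit a constructed .s3cfg that was left world-readable, then again after fixing it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".s3cfg")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed sample values, not real credentials.
            fh.write("[default]\naccess_key = AKIAEXAMPLEKEY\nsecret_key = EXAMPLESECRET\n"
                     "use_https = True\n")
        os.chmod(path, 0o644)
        before = audit_s3cfg(path)
        fix_mode(path)
        after = audit_s3cfg(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
    print("your file:", audit_s3cfg(os.path.expanduser("~/.s3cfg")))
```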

Enjoy

How to Install the latest LEMP Stack on CentOS 6.5

In this tutorial, we’ll learn how to install the latest LEMP (Nginx, MySQL & PHP) stack and do its initial configuration on CentOS 6.5, because the Base and EPEL repos contain really old versions of the LEMP stack.

Please add the required repos by using the following commands:

sudo rpm --import http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
sudo yum repolist

If we proceed like this, we’ll get a conflict error between mysql55w-libs and mysql-libs. To resolve this conflict, we need to issue these commands:

sudo yum install yum-plugin-replace
sudo yum replace mysql-libs --replace-with mysql55w-libs

Now we can safely issue this command to install the latest versions of Nginx, MySQL and PHP with PHP-FPM:

sudo yum install nginx16 mysql55w mysql55w-server php55w php55w-opcache php55w-fpm

Enable Nginx, MySQL and PHP-FPM to start automatically when the server boots:

sudo chkconfig nginx on
sudo chkconfig mysqld on
sudo chkconfig php-fpm on

Secure PHP by editing the php.ini file:

sudo vi /etc/php.ini

Uncomment the cgi.fix_pathinfo line and change its value from 1 to 0:

cgi.fix_pathinfo=0

Edit the /etc/php-fpm.d/www.conf file:

sudo vi /etc/php-fpm.d/www.conf

Change the user and group:

user = nginx
group = nginx

Next, we need to make some modifications to the default nginx.conf file:

sudo vi /etc/nginx/nginx.conf

Increase the worker processes from 1 to 4:

Also delete the default server config block to make the file more concise:

Move to the /etc/nginx/conf.d/ directory:

cd /etc/nginx/conf.d/

Next, we’ll create the virtual host file for our domain (in my case it’s rbgeek.conf):

sudo vi rbgeek.conf

This is a basic virtual host config file:

server {
    listen 80;
    server_name rbgeek.com;

    access_log /var/log/nginx/rbgeek_access.log main;
    error_log /var/log/nginx/rbgeek_error.log;

    location / {
        root /var/www/rbgeek;
        index index.php index.html index.htm;
    }

    # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9000
    # (the dot is escaped so that only URIs ending in ".php" match this block)
    location ~ \.php$ {
        root /var/www/rbgeek;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_intercept_errors on;
    }
}
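The two settings that decide which files PHP-FPM will execute are the cgi.fix_pathinfo value from the php.ini step and the regex of the PHP location block above, so they are worth re-checking whenever either file is edited. The Python script below is an added example, not part of the original post or of nginx/PHP: it reads constructed copies of both files, computes the effective cgi.fix_pathinfo value (PHP's built-in default is 1 when the line is absent or commented out), and flags a FastCGI location whose regex has an unescaped dot or no end anchor. It assumes one location block per line group without nested braces, as in the tutorial's file; the php_fix_pathinfo, fastcgi_locations and audit_php_fastcgi names are this example's own.

```python
import re

# Constructed excerpt of /etc/php.ini after the edit described above.
PHP_INI = """
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.
cgi.fix_pathinfo=0
"""

# Constructed copy of the tutorial's virtual host, with the dot in the PHP location escaped.
NGINX_VHOST = r"""
server {
    listen 80;
    server_name rbgeek.com;

    location / {
        root /var/www/rbgeek;
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        root /var/www/rbgeek;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
"""


def php_fix_pathinfo(ini_text):
    """Effective cgi.fix_pathinfo value; PHP defaults to 1 if the line is absent or commented out."""
    value = 1
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"cgi\.fix_pathinfo\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))   # the last assignment wins, as in php.ini
    return value


def fastcgi_locations(conf_text):
    """Regex of every `location ~ <regex> { ... }` block that contains fastcgi_pass."""
    # Assumption: no nested braces inside a location block (true of the tutorial's file).
    blocks = re.findall(r"location\s+~\*?\s+(\S+)\s*\{([^}]*)\}", conf_text)
    return [pattern for pattern, body in blocks if "fastcgi_pass" in body]


def audit_php_fastcgi(ini_text, conf_text):
    """Return findings; [] means PHP-FPM is only reached for URIs that really end in .php."""
    findings = []
    if php_fix_pathinfo(ini_text) != 0:
        findings.append("php.ini: cgi.fix_pathinfo is not 0, so PHP may resolve a request "
                        "to a different file than the one named in the URI")
    for pattern in fastcgi_locations(conf_text):
        if ".php" in pattern and "\\.php" not in pattern:
            findings.append(f"nginx: location ~ {pattern}: unescaped '.', also matches names like /axphp")
        if not pattern.endswith("$"):
            findings.append(f"nginx: location ~ {pattern}: regex is not anchored at the end of the URI")
    return findings


if __name__ == "__main__":
    print(audit_php_fastcgi(PHP_INI, NGINX_VHOST) or "PHP hand-off is scoped to *.php")
```

Point the two constants at the real /etc/php.ini and virtual host file (read with open()) to run it on a live server; with the tutorial's unescaped "location ~ .php$" it reports the missing backslash.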

Finally, restart the Nginx and PHP-FPM services:

sudo service nginx restart
sudo service php-fpm restart

Create a directory structure for the website under /var/www/. If you have another preference, please update the config files accordingly:

sudo mkdir -p /var/www/rbgeek

Adjust the permissions:

sudo chgrp -R nginx /var/www/rbgeek
sudo chmod g+s /var/www/rbgeek

Create a phpinfo page to verify that PHP is working correctly with Nginx:

sudo vi /var/www/rbgeek/info.php

Add the following code in it:

<?php
phpinfo();
?>

Navigate to the site in a web browser and verify that the PHP information is returned. Remove info.php once you have verified the setup, since it discloses the server configuration to anyone who requests it:

http://rbgeek.com/info.php

(Optional) Verify that all the packages are updated by using the code in your index page:

Hope this will help you!

Linux IPSec Site-to-Site VPN: AWS VPC & Cisco Router

In this tutorial, we will reuse the Site-to-Site VPN scenario with one modification: the customer site uses a Cisco router, which acts as both the LAN gateway and the VPN gateway, while on the AWS side we use exactly the same Ubuntu Linux router as before.

Please review the previous tutorial before starting this one, as I’ll use it as the base for this one.

Note: Please don’t waste your time hacking these; all these public devices and IPs are temporary, and I destroyed them after finishing this tutorial.

VPN Configuration on Cisco Site:

First step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2

Next, we need to set the pre-shared key for authentication with the AWS peer:

crypto isakmp key $VER_SEC_PSK address 54.219.146.242

The next step is to create the transform set (we have named it AWSTrans), which defines how the data will be protected:

crypto ipsec transform-set AWSTrans esp-aes esp-sha-hmac

After that we have to define the traffic to be protected through the VPN tunnel, using an access-list:

ip access-list extended VPN-TRAFFIC
permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

Now we need to define the crypto map, which ties together the ISAKMP and IPSec configuration we defined above:

crypto map AWSMAP 10 ipsec-isakmp
 set peer 54.219.146.242
 set transform-set AWSTrans
 match address VPN-TRAFFIC

Apply the crypto map to the outgoing interface of the router (in our case, FastEthernet 0/0):

interface FastEthernet0/0
crypto map AWSMAP

Check the NAT access-list before proceeding:

Add a NAT bypass entry to the NAT access-list, before the NAT entry, so that traffic to the AWS VPC private subnet(s) is excluded from NAT:

ip access-list extended NAT-TRAFFIC
5 deny ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

NAT access-list after modification:

VPN Configuration on AWS VPC:

Also allow ICMP from the remote LAN in the internal subnet’s security group, for testing purposes:

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2CiscoConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=25.109.210.75
 rightsubnets=192.168.168.0/24
 rightid=25.109.210.75
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start

Edit the shared secret file:

vi /etc/ipsec.secrets

My ipsec.secrets file, as an example:

Restart the IPSec service and verify the tunnel status on both sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart

Verify the status of IPSec service on Ubuntu at AWS VPC:

service ipsec status

Note: Please don’t panic; just restart the service one more time if it didn’t come up.

Verify the status of IPSec Tunnel on Cisco:

show crypto isakmp sa

Verify that the Traffic is passing through the Tunnel:

Ping from the AWS VPN gateway to the Cisco LAN IP:

Ping from the AWS VPC private subnet to the Cisco LAN for verification:

Ping from the local machine to a machine on the VPC private subnet:

Linux IPSec Site-to-Site VPN: AWS VPC & Vyatta Firewall

In this tutorial, we will reuse the Site-to-Site VPN scenario with one modification: the customer site uses a Vyatta firewall, which acts as both the LAN gateway and the VPN gateway, while on the AWS side we use exactly the same Ubuntu Linux router as before.

Please review the previous tutorial before starting this one, as I’ll use it as the base for this one.

Note: Please don’t waste your time hacking these; all these public devices and IPs are temporary, and I destroyed them after finishing this tutorial.

VPN Configuration on Vyatta Site:

First, we need to configure two NAT rules that exclude the traffic between the AWS VPC private subnet(s) and the LAN from NAT. Please place these rules above all other NAT rules:

set nat source rule 5 destination address '172.30.30.0/24'
set nat source rule 5 source address '10.100.0.0/16'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'

set nat source rule 7 source address '172.30.30.0/24'
set nat source rule 7 destination address '10.100.0.0/16'
set nat source rule 7 outbound-interface 'eth0'
set nat source rule 7 'exclude'

In the next step, we need to define the Phase 1 and 2 policies:

set vpn ipsec ike-group IKE-AWS-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 dh-group '2'

set vpn ipsec esp-group ESP-AWS-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-AWS-POLICY pfs disable
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 hash 'sha1'

The next step is the VPN configuration itself, i.e. assigning the previously created policies, the shared secret, and so on:

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 54.219.146.242 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 54.219.146.242 authentication pre-shared-secret '$VER_SEC_PSK'
set vpn ipsec site-to-site peer 54.219.146.242 default-esp-group 'ESP-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 ike-group 'IKE-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 local-address '102.162.166.94'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 local prefix '172.30.30.0/24'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 remote prefix '10.100.0.0/16'

Finally, don’t forget to adjust your firewall rules as per your requirement:

set firewall name INSIDE-FW rule 10 action 'accept'
set firewall name INSIDE-FW rule 10 destination address '10.100.0.0/16'
set firewall name INSIDE-FW rule 10 source address '172.30.30.0/24'

set firewall name OUTSIDE-FW rule 10 action 'accept'
set firewall name OUTSIDE-FW rule 10 ipsec 'match-ipsec'

VPN Configuration on AWS VPC:

Also allow ICMP from the remote LAN in the internal subnet’s security group, for testing purposes:

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2VyattaConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=102.162.166.94
 rightsubnets=172.30.30.0/24
 rightid=102.162.166.94
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start

Edit the shared secret file:

vi /etc/ipsec.secrets

My ipsec.secrets file, as an example:

Restart the IPSec service and verify the tunnel status on both sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart

Reset the VPN tunnel on Vyatta:

reset vpn ipsec-peer 54.219.146.242

Verify the status of IPSec Tunnel on Ubuntu at AWS VPC:

service ipsec status

Verify the status of IPSec Tunnel on Vyatta:

show vpn ipsec sa

Verify the route table on both servers (on Ubuntu, then on Vyatta):

route -n

show ip route

Verify that the Traffic is passing through the Tunnel:

Ping from the AWS VPC private subnet to Vyatta’s LAN for verification:

Ping from Vyatta’s LAN to the AWS VPC private subnet for verification:

Automated installation of LAMP stack on Ubuntu Server

In this tutorial, I’ll show you how we can install the LAMP stack on Ubuntu Server with a single script.

First, create the script:

vi lamp.sh

Copy and paste the following code into it (modify the MySQL root password as per your requirement):

#!/bin/bash

# Instructions to use this script:
#
#   chmod +x SCRIPTNAME.sh
#
#   sudo ./SCRIPTNAME.sh

echo "###################################################################################"
echo "Please be Patient: Installation will start now.......and it will take some time :)"
echo "###################################################################################"

# Update the repositories

sudo apt-get update

# Apache, PHP, MySQL client and required packages installation

sudo apt-get -y install apache2 php5 libapache2-mod-php5 php5-mcrypt php5-curl php5-mysql php5-gd php5-cli php5-dev mysql-client
sudo php5enmod mcrypt

# The following commands preset the MySQL root password to MYPASSWORD123, so that
# installing the mysql-server package does not stop to prompt for it.

sudo debconf-set-selections <<< 'mysql-server mysql-server/root_password password MYPASSWORD123'
sudo debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password MYPASSWORD123'

sudo apt-get -y install mysql-server

# Restart the installed services to verify that everything is installed properly.
# The exit status is tested directly on the restart commands: an echo in between
# would overwrite $? and the check would always report success.

echo -e "\n"

if service apache2 restart && service mysql restart > /dev/null; then
   echo "Installed Services run $(tput bold)$(tput setaf 2)Successfully$(tput sgr0)"
else
   echo "Please Check the Installed Services, There is some $(tput bold)$(tput setaf 1)Problem$(tput sgr0)"
fi

echo -e "\n"
Then set the execute permission on your shell script:

chmod +x lamp.sh

Now, execute the shell script as sudo user:

sudo ./lamp.sh

Hope this will help you!

Linux IPSec Site-to-Site VPN: AWS VPC & Mikrotik Router

In this tutorial, we will reuse the Site-to-Site VPN scenario with one modification: the customer site uses a Mikrotik router, which acts as both the LAN gateway and the VPN gateway, while on the AWS side we use exactly the same Ubuntu Linux router as before.

Please review the previous tutorial before starting this one, as I’ll use it as the base for this one.

Note: Please don’t waste your time hacking these; all these public devices and IPs are temporary, and I destroyed them after finishing this tutorial.

VPN Configuration on Mikrotik Site:

Open the IP->IPsec window in WinBox:

Create a new proposal (if you don’t want to use the default) as follows:

Now, create a new policy as follows:

From the General tab:

Src Address: Mikrotik LAN subnet 192.168.10.0/24
Dst Address: AWS VPC private subnet 10.100.0.0/16

From the Action tab:

SA Src Address: Mikrotik WAN address 102.162.166.90
SA Dst Address: AWS VPC Linux NAT router WAN address 54.219.146.242
Tick the Tunnel checkbox
Proposal: use LAN2AWSProposal, or whatever proposal you created in the first step.

Next, move to the Peers tab and create a new peer, using the public address of the AWS NAT instance as the Address:

Next, create a NAT bypass rule, so that traffic to the AWS VPC private subnet(s) is excluded from NAT:

Place the rule created above at the top of all other NAT rules, and clear the existing connections from the connection table (or reboot the Mikrotik).

VPN Configuration on AWS VPC:

Also allow ICMP from the remote LAN in the internal subnet’s security group, for testing purposes:

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2MikrotikConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=102.162.166.90
 rightsubnets=192.168.10.0/24
 rightid=102.162.166.90
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start
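In each of the three tutorials (Cisco, Vyatta and Mikrotik) the tunnel only carries traffic if the subnets in the ipsec.conf conn block mirror what the other device protects: leftsubnets must equal the peer's "remote" side and rightsubnets its "local" side, otherwise Phase 2 negotiates selectors that never match and the pings fail. The Python script below is an added example, not part of the original posts or of any of the vendors' tooling: it parses a constructed ipsec.conf holding the three conn blocks reduced to the keys that matter, converts the Cisco access-list's address/wildcard pairs into networks, takes the Vyatta tunnel prefixes and the Mikrotik policy addresses as given in the tutorials, and reports any mismatch or overlap. It assumes a single subnet per side (leftsubnets lists in braces are not handled); the function names are this example's own.

```python
import ipaddress
import re

# Constructed ipsec.conf excerpt: the conn blocks from the Cisco, Vyatta and Mikrotik
# tutorials, reduced to the keys this check needs.
IPSEC_CONF = """
conn AWS2CiscoConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 right=25.109.210.75
 rightsubnets=192.168.168.0/24
 rightid=25.109.210.75
 authby=secret
 auto=start

conn AWS2VyattaConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 right=102.162.166.94
 rightsubnets=172.30.30.0/24
 authby=secret

conn AWS2MikrotikConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 right=102.162.166.90
 rightsubnets=192.168.10.0/24
 authby=secret
"""

# The VPN-TRAFFIC access-list entry from the Cisco tutorial.
CISCO_VPN_ACL = "permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255"


def cisco_wildcard_to_network(address, wildcard):
    """Convert a Cisco address/wildcard-mask pair (e.g. 0.0.0.255) into an IPv4Network (/24)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is a contiguous run of low-order 1 bits; 0.0.0.254 is not.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{address}/{32 - host_bits.bit_length()}")


def cisco_acl_selectors(line):
    """Return (local_net, remote_net) for a 'permit ip A wcA B wcB' access-list entry."""
    m = re.fullmatch(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*", line)
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return (cisco_wildcard_to_network(m.group(1), m.group(2)),
            cisco_wildcard_to_network(m.group(3), m.group(4)))


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_selectors(conn, peer_local_net, peer_remote_net):
    """Compare one conn's subnets with what the peer device protects; return findings."""
    findings = []
    left = ipaddress.ip_network(conn["leftsubnets"].strip("{} "))
    right = ipaddress.ip_network(conn["rightsubnets"].strip("{} "))
    if right != peer_local_net:
        findings.append(f"rightsubnets {right} != peer's local prefix {peer_local_net}")
    if left != peer_remote_net:
        findings.append(f"leftsubnets {left} != peer's remote prefix {peer_remote_net}")
    if left.overlaps(right):
        findings.append(f"left and right subnets overlap: {left} / {right}")
    return findings


def audit(conf_text, peers):
    """peers maps conn name -> (what the peer calls local, what the peer calls remote)."""
    conns = parse_ipsec_conf(conf_text)
    return {name: check_selectors(conns[name], *nets) for name, nets in peers.items()}


PEERS = {
    "AWS2CiscoConnection": cisco_acl_selectors(CISCO_VPN_ACL),
    # Vyatta: tunnel 1 local prefix / remote prefix
    "AWS2VyattaConnection": (ipaddress.ip_network("172.30.30.0/24"),
                             ipaddress.ip_network("10.100.0.0/16")),
    # Mikrotik policy: Src Address / Dst Address
    "AWS2MikrotikConnection": (ipaddress.ip_network("192.168.10.0/24"),
                               ipaddress.ip_network("10.100.0.0/16")),
}

if __name__ == "__main__":
    for name, findings in audit(IPSEC_CONF, PEERS).items():
        print(name, "OK" if not findings else findings)
```

The same check is useful after a customer narrows or renumbers their LAN: changing the Cisco wildcard from 0.0.0.255 to 0.0.0.127 without touching rightsubnets makes the script report the /25 versus /24 mismatch before anyone stares at a hung ping.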

Edit the shared secret file:

vi /etc/ipsec.secrets

My ipsec.secrets file, as an example:

Restart the IPSec service:

service ipsec restart

Verify the status of IPSec service on Ubuntu at AWS VPC:

service ipsec status

Note: Please don’t panic; just restart the service one more time if it didn’t come up.

Verify that the Traffic is passing through the Tunnel:

Ping from the AWS VPN gateway to the Mikrotik LAN IP:

Ping from the AWS VPC private subnet to Mikrotik’s LAN for verification:

Ping from the local machine to a machine on the VPC private subnet:

VERY Useful Tip:

If the tunnel didn’t come up after the configuration, just restart the server and also start a ping from a host on your LAN to a host on the other side’s LAN.