Signing in with a password alone is a weak form of authentication; adding a second factor raises the bar considerably. Azure AD lets you turn on per-user multi-factor authentication (MFA) from the portal.

Go to Azure Active Directory - Users - All users and click Multi-Factor Authentication.

To set additional options, click service settings.

Here we can allow app passwords for non-browser apps (Outlook, for example), choose the verification options offered to users, and allow MFA to be skipped for sign-ins coming from trusted IP ranges. Both of those settings weaken MFA: an app password is a long-lived static secret that bypasses the second factor entirely, so leave app passwords disabled if your clients support modern authentication, and keep the trusted-IP list as short as possible.

Select the user(s) for whom we want to enable MFA.

The next time the user logs in he'll be asked to set up additional security verification.

Select how the user will receive the authentication code (authentication phone, office phone or the mobile app).

On the mobile phone install Microsoft Authenticator and scan the QR image shown in the portal.

If you wish, add an additional verification method as a backup.

When the user is prompted for a code, he just needs to open Microsoft Authenticator and enter the code it shows after his password.

  • Register to Bitbucket (it's free).
  • Create a repository.
  • Copy the clone command shown after the repository is created; it will be used to connect to the repository with Git.

Download the Git client for Windows and, during setup, choose the default editor.

Start Git CMD and browse to the folder where you want to store the files for the repository.

Clone the repository:

git clone https://draganvucanovic@bitbucket.org/draganvucanovic/terraform-git.git

You'll be prompted for your Bitbucket username/password (if two-step verification is enabled on the account, use a Bitbucket app password here rather than the account password).

A new folder named after the repository is created; copy the files you want to push into it.

In Git CMD, browse to that folder.

Set your name and email address, add the files, commit and push. The first push of a new, empty repository needs -u origin master so the local branch tracks the remote one; after that a plain git push is enough:

cd terraform-git/
git config --global user.name "Your Name"
git config --global user.email "some@email"
git add .
git commit -m "test"
git push -u origin master
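The repository above holds Terraform code, and the most common mistake at this step is pushing a state file or a variables file with credentials in it to a hosted repository. The following POSIX shell script is an added example, not part of the original post: it writes a .gitignore that excludes the usual sensitive files and scans a working copy for files and lines that should not be pushed (AWS access key IDs, which start with AKIA followed by 16 upper-case alphanumerics, and PEM private keys). The file names and the sample Terraform content in the comments are assumptions.

```shell
#!/bin/sh
# Pre-push hygiene for a Terraform working copy (assumed layout: main.tf plus
# optional state and variable files). Nothing here talks to Bitbucket.

# write_gitignore DIR: exclude state, variable files, provider cache and keys.
write_gitignore() {
    cat > "$1/.gitignore" <<'EOF'
# Terraform state holds every resource attribute, including secrets
*.tfstate
*.tfstate.*
# variable files are where credentials usually end up
*.tfvars
# provider plugin cache
.terraform/
# private keys
*.pem
id_rsa
id_ed25519
EOF
}

# scan_for_secrets DIR: print files that must never be committed and lines that
# look like credentials. Exit status 1 if anything was found. In a clone with a
# .git directory the grep also covers history, which is where pushed secrets live.
scan_for_secrets() {
    dir=$1
    hits=0

    # 1. Files that are sensitive by name.
    names=$(find "$dir" -type f \( -name '*.tfstate' -o -name '*.tfstate.*' \
        -o -name '*.tfvars' -o -name '*.pem' -o -name 'id_rsa' -o -name 'id_ed25519' \) -print)
    if [ -n "$names" ]; then
        printf 'sensitive file(s):\n%s\n' "$names"
        hits=$((hits + 1))
    fi

    # 2. Content that looks like an AWS access key ID or a PEM private key.
    if grep -rEn 'AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----' "$dir"; then
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Usage: sh scan.sh ./terraform-git   (run before "git add ." and "git push")
if [ "$#" -gt 0 ]; then
    scan_for_secrets "$1"
fi
```

The .gitignore only stops new files from being staged; anything already committed stays in history and must be removed from it (and the credential rotated), which is why the scan is worth running before the first push rather than after.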

 


In the previous post we configured an EC2 instance for Systems Manager and executed a command manually against it. That's nice, but we can also schedule command execution using Lambda. In this example we'll schedule a PowerShell script that checks whether the instance is idle (no active RDP session and low CPU) and, if so, calls shutdown /h; the guest hibernates and powers off, and EC2 puts the instance into the stopped state (the default instance-initiated shutdown behaviour).

That way we'll save some money :)

First, install the Systems Manager agent on your Windows instance, create an IAM role for Systems Manager and assign that role to your instances. Refer to my previous post for more info.

Then add two tags to each instance that may be stopped: Auto_Stop_Enabled = True and Instance_Used_As = Desktop (so the command is only run against instances we filter for).

You can skip creating these tags, but then don't forget to remove the references to them from the filter in index.js.

Creating Lambda Function

From the AWS console click Services - Lambda (or just type Lambda in the search bar).

Click Create function:

Enter a name for the function, from the Role drop-down menu choose Create a custom role and click Create function.

Type a name for the role and click Edit.

Delete the current JSON code and put this one instead. It lets the function write its CloudWatch logs, describe instances and tags, and read and send Run Command documents:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument",
        "ssm:DescribeDocumentParameters",
        "ssm:GetDocument",
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/*",
        "arn:aws:ssm:*:*:parameter/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListInventoryEntries",
        "ssm:ListDocumentVersions",
        "ssm:ListDocuments",
        "ssm:SendCommand"
      ],
      "Resource": "*"
    }
  ]
}

Note that the last statement allows ssm:SendCommand on every instance and every document. Run Command executes arbitrary code as SYSTEM on the target, so for anything beyond a test account narrow it: restrict the document resource to arn:aws:ssm:*:*:document/AWS-RunPowerShellScript and the instance resource with an ssm:resourceTag/Auto_Stop_Enabled condition, so a compromised function cannot run scripts on instances that never opted in.

After clicking Apply you'll be redirected back to Create function - click Create function.

Now scroll down to the Function code section, right-click auto_stop - New folder and name it modules.

Now right-click the modules folder - New - Folder and name it controls.

Now, under the controls folder create a file named index.js.

Put the following code into index.js. Hibernation is the Windows event log name and AutoStopScript the event source the script writes to. If you don't use the EC2 tags, remove these two entries from the Filters array:

{
  Name: "tag:Instance_Used_As",
  Values: ["Desktop"]
},
{
  Name: "tag:Auto_Stop_Enabled",
  Values: ["True", "true", "Yes", "yes"]
}

auto_stop/modules/controls/index.js code:

// auto_stop/modules/controls/index.js
// Import dependencies (the aws-sdk v2 module is available in the Node.js Lambda runtime)
const AWS = require('aws-sdk');

// PowerShell script that Run Command executes on each instance.
// "Hibernation" is the Windows event log it writes to and "AutoStopScript" the event source.
const hibernateScript = `
########################
#### VARIABLES #########
########################
$eventLogName = "Hibernation"
$eventSourceName = "AutoStopScript"
$eventLogIds = @{
    1001 = "Event log initialised.";
    1002 = "No active RDP sessions were found. Proceed to hibernate the instance.";
    1003 = "Active RDP session detected. Abort the hibernation attempt.";
    1004 = "Hibernation is enabled. Preparing for shutdown.";
    3001 = "CPU Usage is higher than the threshold. The hibernation is cancelled.";
    4001 = "Trouble accessing 'qwinsta' executable. Make sure 'qwinsta' is in the PATH.";
    4002 = "Trouble accessing 'powercfg'. Make sure it is in PATH.";
    4003 = "Hibernation was not enabled successfully. Check C:\\ for enough drive space.";
    4004 = "Hibernation attempt failed. Please check if 'shutdown' is in PATH."
}
$mailMessages = @{
    hibernationEnableError = "Error: Failed to enable hibernation.";
    hibernationStartError = "Error: Failed to hibernate an instance."
}
$minAverageCPU = 20 # Below 20% average CPU over 5 minutes the instance is considered idle.

########################
#### INITIALIZATION ####
########################
#### EVENT LOG INIT
Try {
    $null = Get-EventLog -LogName $eventLogName -ErrorAction Stop
}
Catch {
    Try {
        New-EventLog -LogName $eventLogName -Source $eventSourceName -ErrorAction Stop
    }
    Catch {
        # Noop: the log may already exist without the source.
    }
    Write-EventLog -LogName $eventLogName -Source $eventSourceName -EntryType Information -EventId 1001 -Category 1 -Message $eventLogIds[1001]
}

########################
#### FUNCTIONS #########
########################
# Send-RESTMailMessage (user notification through an API Gateway endpoint) was left
# commented out in the original. If you enable it, read the API key and auth key
# ($apiKey / $authKey below, variables you define) from SSM Parameter Store, for
# which the role already has ssm:GetParameter, instead of writing them into this
# script: the script is stored in plain text in the Lambda code and in the Run
# Command history.
# Function Send-RESTMailMessage {
#     Param ($Subject, $Message, $Recipient)
#     $_headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
#     $_headers.Add("Content-Type", 'application/json')
#     $_headers.Add("Cache-Control", 'no-cache')
#     $_headers.Add("x-api-key", $apiKey)
#     $body = @{ subject = $Subject; message = $Message; auth_key = $authKey; recipients = @($Recipient) } | ConvertTo-JSON
#     return Invoke-RestMethod -Uri "https://ekiss3x6gl.execute-api.us-east-1.amazonaws.com/v1/notifications/system" -Method Post -Headers $_headers -Body $body
# }

Function Get-ActiveRDPSessions {
    # Returns "ActiveSessionFound" if qwinsta lists an active RDP session, otherwise
    # "NoActiveSessionFound". Disconnected sessions ("Disc") do not count as active.
    Param ($EventLogName, $EventSourceName, $EventIds)
    Try {
        $_allSessions = qwinsta
    }
    Catch {
        Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Error -EventId 4001 -Category 4 -Message $EventIds[4001]
        return 1
    }
    ForEach ($_s in $_allSessions) {
        If ($_s -match "rdp" -and $_s -match "Active") {
            Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Information -EventId 1003 -Category 1 -Message $EventIds[1003]
            return "ActiveSessionFound"
        }
    }
    Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Information -EventId 1002 -Category 1 -Message $EventIds[1002]
    return "NoActiveSessionFound"
}

Function Enable-Hibernation {
    Param ($EventLogName, $EventSourceName, $EventIds)
    Try {
        # -Wait so that ExitCode is populated before it is read.
        $_process = Start-Process powercfg -ArgumentList "/h", "on" -PassThru -Wait -ErrorAction Stop
    }
    Catch {
        Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Error -EventId 4002 -Category 4 -Message $EventIds[4002]
        return 1
    }
    If ($_process.ExitCode -eq 0) {
        Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Information -EventId 1004 -Category 1 -Message $EventIds[1004]
        return "Enabled"
    }
    Else {
        Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Error -EventId 4003 -Category 4 -Message $EventIds[4003]
        return 1
    }
}

Function Start-Hibernation {
    Param ($EventLogName, $EventSourceName, $EventIds)
    Try {
        $_process = Start-Process shutdown -ArgumentList "/h" -PassThru -ErrorAction Stop
    }
    Catch {
        Write-EventLog -LogName $EventLogName -Source $EventSourceName -EntryType Error -EventId 4004 -Category 4 -Message $EventIds[4004]
        return 1
    }
}

Function Check-CPUUsage {
    # Average CPU load over 5 samples taken one minute apart. Measure-Object copes
    # with instance types that report more than one processor object.
    $_samples = 5
    $_intervalSeconds = 60
    $_cpuLoadAverage = 0
    For ($i = 0; $i -lt $_samples; $i++) {
        $_cpuLoadAverage += (Get-WmiObject win32_processor | Measure-Object -Property LoadPercentage -Average).Average
        Start-Sleep -Seconds $_intervalSeconds
    }
    return $_cpuLoadAverage / $_samples
}

########################
#### MAIN ##############
########################
$rdpSessionStatus = Get-ActiveRDPSessions -EventLogName $eventLogName -EventSourceName $eventSourceName -EventIds $eventLogIds

If ($rdpSessionStatus -eq "NoActiveSessionFound") {
    # Enable hibernation; abort if powercfg failed.
    $enabled = Enable-Hibernation -EventLogName $eventLogName -EventSourceName $eventSourceName -EventIds $eventLogIds
    If ($enabled -ne "Enabled") { return 1 }

    # Check-CPUUsage must be in parentheses, otherwise -lt is passed to it as a parameter.
    If ((Check-CPUUsage) -lt $minAverageCPU) {
        # TODO Notify user, wait 10 minutes and check for active RDP sessions again
        Start-Hibernation -EventLogName $eventLogName -EventSourceName $eventSourceName -EventIds $eventLogIds
    }
    Else {
        Write-EventLog -LogName $eventLogName -Source $eventSourceName -EntryType Warning -EventId 3001 -Category 3 -Message $eventLogIds[3001]
        return 0
    }
}
Else {
    return 0
}
`;

// Return the IDs of running instances that carry the opt-in tags.
module.exports.getInstanceIds = () => {
  return new Promise((resolve, reject) => {
    const ec2 = new AWS.EC2();
    const params = {
      Filters: [
        { Name: 'instance-state-name', Values: ['running'] },
        { Name: 'tag:Instance_Used_As', Values: ['Desktop'] },
        { Name: 'tag:Auto_Stop_Enabled', Values: ['True', 'true', 'Yes', 'yes'] }
      ]
    };

    ec2.describeInstances(params, (err, data) => {
      if (err) return reject(err);

      const reservations = data && data.Reservations;
      if (!Array.isArray(reservations)) {
        return reject(new Error('[Error] getInstanceIds: Reservations is not an array.'));
      }

      const instanceIds = [];
      reservations.forEach((reservation) => {
        reservation.Instances.forEach((instance) => {
          instanceIds.push(instance.InstanceId);
        });
      });

      if (instanceIds.length === 0) {
        // Rejecting here makes the invocation fail when nothing tagged is running.
        return reject(new Error('[Error] getInstanceIds: No instances found.'));
      }
      resolve({ InstanceIds: instanceIds });
    });
  });
};

// Send the script above to every instance returned by getInstanceIds.
module.exports.hibernateInstances = (controlObj) => {
  return new Promise((resolve, reject) => {
    const ssm = new AWS.SSM();
    const instanceIds = controlObj.InstanceIds;

    const ssmParams = {
      InstanceIds: instanceIds,
      DocumentName: 'AWS-RunPowerShellScript',
      Parameters: {
        workingDirectory: [''],
        executionTimeout: ['1200'],   // seconds the script may run (it sleeps 5 minutes sampling CPU)
        commands: hibernateScript.split('\n')
      },
      MaxErrors: '0',
      TimeoutSeconds: 120             // seconds to wait for the agent to pick the command up
    };

    // Resolve only after SendCommand has been accepted; resolving before the
    // callback (as the original did) let the handler finish with the command unsent.
    ssm.sendCommand(ssmParams, (err, data) => {
      if (err) return reject(err);
      console.log('Run Command sent to', instanceIds.join(', '));
      resolve(data);
    });
  });
};

 

Now click on the "parent" index.js (directly under auto_stop) and paste the following code (change the AWS region to fit your needs):

// auto_stop/index.js
// Global module imports
const AWS = require('aws-sdk');
AWS.config.region = 'eu-west-1'; // the region your instances run in
const controls = require('./modules/controls');

// This is the function AWS Lambda will execute.
exports.handler = (event, context, callback) => {
  // Find tagged running instances, then hand them to Run Command.
  // Report success or failure to Lambda through the callback so the
  // invocation result is visible in CloudWatch.
  controls.getInstanceIds()
    .then(controls.hibernateInstances)
    .then((data) => callback(null, data))
    .catch((err) => callback(err));
};

At the end it should look like this: auto_stop/index.js next to auto_stop/modules/controls/index.js.

Now we need to schedule our function: in the Add trigger section click CloudWatch Events.

Give the rule a name and set the schedule. CloudWatch schedule expressions use six fields wrapped in cron(...), and exactly one of the day-of-month and day-of-week fields must be ?.

You can use the following sample cron strings when creating a rule with a schedule.

Minutes  Hours  Day of month  Month  Day of week  Year  Meaning
0        10     *             *      ?            *     Run at 10:00 am (UTC) every day
15       12     *             *      ?            *     Run at 12:15 pm (UTC) every day
0        18     ?             *      MON-FRI      *     Run at 6:00 pm (UTC) every Monday through Friday
0        8      1             *      ?            *     Run at 8:00 am (UTC) every 1st day of the month
0/15     *      *             *      ?            *     Run every 15 minutes
0/10     *      ?             *      MON-FRI      *     Run every 10 minutes Monday through Friday
0/5      8-17   ?             *      MON-FRI      *     Run every 5 minutes Monday through Friday between 8:00 am and 5:55 pm (UTC)
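The expressions above are easy to get wrong in exactly the way CloudWatch rejects: five fields instead of six, or a value in both day fields. The following POSIX shell function is an added example, not part of the original post; it checks that structure before you paste an expression into the rule. It validates the shape only, not the value ranges of the individual fields.

```shell
#!/bin/sh
# check_aws_cron 'cron(...)' -> exit status 0 when the expression has the six
# CloudWatch fields and exactly one of day-of-month / day-of-week is "?".
# Field value ranges (e.g. hours 0-23) are not checked.
check_aws_cron() {
    # Extract the fields between "cron(" and ")"; anything else (e.g. rate(...)) fails.
    body=$(printf '%s\n' "$1" | sed -n 's/^cron(\(.*\))$/\1/p')
    [ -n "$body" ] || return 1

    set -f              # keep "*" from being expanded as a filename glob
    set -- $body
    set +f
    [ "$#" -eq 6 ] || return 1

    dom=$3
    dow=$5
    # CloudWatch requires exactly one of the two day fields to be "?".
    if [ "$dom" = "?" ] && [ "$dow" = "?" ]; then return 1; fi
    if [ "$dom" != "?" ] && [ "$dow" != "?" ]; then return 1; fi
    return 0
}

# Usage: sh check_cron.sh 'cron(0/20 * * * ? *)' 'cron(0 18 * * * *)'
if [ "$#" -gt 0 ]; then
    for e in "$@"; do
        if check_aws_cron "$e"; then echo "ok:      $e"; else echo "invalid: $e"; fi
    done
fi
```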

 

In this example I set it to run every 20 minutes, i.e. cron(0/20 * * * ? *).

It should look something like this; when you click on run_auto_stop_script you'll see the rule's details.

If your instance is idle, it should be stopped within one schedule interval plus the five minutes the script spends sampling CPU. You can check the command's output from AWS console - EC2 - SYSTEMS MANAGER SHARED RESOURCES - Run Command. If the function fails with "No instances found", no running instance carried the tags, which is expected once everything has been stopped.

 

AWS Systems Manager is a management service that helps automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems (including running scripts on them).

Creating System Manager role

In the AWS console click IAM.

Roles - Create role, choose EC2 and click Next.

Then select EC2 Role for Simple Systems Manager and click Next.

In Attached permissions policy select AmazonEC2RoleforSSM.

Click Next, give the role a name and click Create role.

Assigning role to EC2 instance

In this example I used a Windows Server 2016 EC2 instance. Select EC2 in the list of services, select the instance - Actions - Instance Settings - Attach/Replace IAM Role.

Select the System Manager role and click Apply. Keep in mind that from now on anyone allowed to call ssm:SendCommand against this instance can run commands on it as SYSTEM, so treat that permission like administrative access to the box.

Installing SSM agent

Log in to the EC2 instance, download and install the SSM agent (on the Windows AMIs Amazon provides it is preinstalled, so you may only need to start the service). Start the service from PowerShell:

Start-Service AmazonSSMAgent

 

Running command

In the AWS console - EC2 service - scroll down to SYSTEMS MANAGER SHARED RESOURCES - Managed instances.

Select the instance and click Run a command.

Select one of the command documents (AWS-RunPowerShellScript for a PowerShell command).

Type the command and click Run.

Click on the Command ID, then click Output - View Output to see what the command returned.

Amazon EC2-Changing instance type

Posted: April 24, 2018 in AWS, Linux

If we hit the hardware limits of our EC2 instance, we can't just add memory or CPU cores as in VMware; instead we must change the instance type. Instance types are predefined hardware configurations (CPU, memory, storage, network) with different specifications. (More info here)

First, stop the EC2 instance.

Then, from the Actions menu, select Instance Settings - Change Instance Type.

Select the instance type and click Apply.

Now start the instance. Note that a new public IPv4 address is assigned on start unless an Elastic IP is associated with the instance; the instance retains its private IPv4 addresses.

In order to change the subnet of an EC2 instance, stop it first.

Then create an AMI image from that instance.

Click on the new AMI, then launch it.

Select the desired subnet and finish the launch wizard.

The new instance is in the different subnet and the data is preserved. Remember that it is a new instance with a new instance ID, private IP and security group assignment, so update anything that referenced the old one. When you are done, terminate the old instance and deregister the AMI (and delete its snapshot), since the AMI holds a full copy of the old instance's disks.

Install the Cyrus SASL libraries Postfix needs to authenticate to the relay (saslauthd is only required when Postfix itself authenticates clients, so starting it is optional here):

yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
systemctl start saslauthd

In the /etc/postfix folder create a file sasl_passwd and put in it the username and password of the mailbox which will be used as the relay:

[smtp.office365.com]:587 user@domain.com:Pass

This file holds the mailbox password in clear text, so make it (and the .db file postmap creates from it) readable by root only, mode 0600.

To make the default "from" address this mailbox, open the file /etc/postfix/generic and add this at the bottom (the left-hand side is the local sender address; this is an Amazon AWS instance):

root@ip-1-18-23-1.company.com user@domain.com

All emails from that local address will be rewritten with the From address we just specified. This matters because Office 365 only accepts mail whose sender address belongs to the authenticated mailbox (or one it has Send As rights to).

Build the lookup tables:

postmap hash:/etc/postfix/sasl_passwd
postmap hash:/etc/postfix/generic

Now add the following lines to /etc/postfix/main.cf:

relayhost = [smtp.office365.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous

Restart the postfix service and you should be able to send emails through Office 365. With smtp_tls_security_level = may, TLS is opportunistic: if STARTTLS were ever unavailable, the password would be sent in clear, which the next section fixes.

If you get an "Office 365 unreachable" error, change the inet_protocols line in /etc/postfix/main.cf from all to ipv4.

Enforcing and verifying TLS

The setup above only uses TLS when the relay offers it. To make sure the connection is always encrypted and that we are really talking to Office 365 (not something on the path answering for it), we make TLS mandatory and verify the server certificate. First look at the certificate chain the server presents:

openssl s_client -showcerts -starttls smtp -crlf -connect smtp.office365.com:587

In my case I got 2 certificates. Copying them into a cacert.pem does not verify anything on its own (the leaf is not a CA, and the copy would have to be replaced whenever Microsoft rotates the certificate); instead, point Postfix at the system CA bundle and require a verified chain and name match. Replace the smtp_tls_security_level = may line from the previous section with the following in /etc/postfix/main.cf (the path is the CentOS/RHEL bundle; smtp_use_tls is obsolete once a security level is set):

smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_always_send_ehlo = yes

With secure, Postfix refuses to hand over the SASL password unless the certificate chains to a CA in the bundle and matches smtp.office365.com. Restart the postfix service; the openssl command above should show Verify return code: 0 (ok) and the mail log should report a Trusted TLS connection for each delivery.
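As an added example (not part of the original post), the shell functions below write the sasl_passwd file with root-only permissions, check that neither it nor its .db copy is readable by anyone else, and print the main.cf settings that enforce a verified TLS connection. The functions take the directory as a parameter so they can be exercised against a scratch directory; on a real host pass /etc/postfix. The CA bundle path is the CentOS/RHEL default and is an assumption; adjust it for other distributions.

```shell
#!/bin/sh
# Office 365 relay hardening helpers. Each function takes the Postfix config
# directory as $1 so it can be run against a scratch directory.

# write_sasl_passwd DIR USER  (password read from stdin, so it never appears
# in the process list). The file is created 0600 because it holds the mailbox
# password in clear text; postmap's .db copy inherits the same umask.
write_sasl_passwd() {
    dir=$1
    user=$2
    IFS= read -r pass
    (
        umask 077
        printf '[smtp.office365.com]:587 %s:%s\n' "$user" "$pass" > "$dir/sasl_passwd"
        # postmap is only present where Postfix is installed.
        if command -v postmap >/dev/null 2>&1; then
            postmap "hash:$dir/sasl_passwd"
        fi
    )
}

# check_sasl_perms DIR -> 0 only if no group/other bits are set on the credential files.
check_sasl_perms() {
    for f in "$1/sasl_passwd" "$1/sasl_passwd.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    done
    return 0
}

# Print the main.cf settings. "secure" makes TLS mandatory AND verifies the
# server certificate chain and name against the CA bundle, so the SASL
# password cannot be captured by something answering in place of the relay.
relay_main_cf() {
    cat <<'EOF'
relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
}

# Usage on a real host (run as root):
#   printf '%s\n' "$MAILBOX_PASSWORD" | write_sasl_passwd /etc/postfix user@domain.com
#   check_sasl_perms /etc/postfix || echo "credential files are readable by others"
#   relay_main_cf >> /etc/postfix/main.cf && systemctl restart postfix
```

Reading the password from stdin rather than an argument is deliberate: command-line arguments are visible to every local user through ps, and a relay password that also opens the mailbox is worth protecting.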