Published November 18, 2018 by

Install Let's Encrypt SSL with Apache on CentOS


This tutorial gives step-by-step instructions for installing a Let’s Encrypt SSL certificate with Apache on CentOS. Let’s Encrypt is an open SSL Certificate Authority (CA) that offers free domain-validated (DV) certificates for your websites. SSL certificates are used to establish a secure, encrypted connection between a web server and a user’s web browser. Certificates issued by Let’s Encrypt are valid for 90 days and are trusted by most web browsers today.

Step 1: Install Certbot
 $ sudo yum -y install epel-release
 $ sudo yum install httpd mod_ssl python-certbot-apache


Step 2: Set Up the SSL Certificate

Install a Let’s Encrypt SSL certificate on your domain (replace ‘example.com’ with your actual domain):
$ sudo certbot --apache -d example.com --preferred-challenges http  

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For that reason, we recommend passing the bare domain name (for example, example.com) first in the list, followed by any additional subdomains or aliases:
$ sudo certbot --apache -d example.com -d www.example.com --preferred-challenges http  

Step 3: Renew the SSL certificate


Run the following command to renew the SSL certificate:
$ sudo certbot renew

Step 4: Auto-Renew the SSL certificate with a cronjob

Create a cronjob in root's crontab so the SSL certificate is renewed automatically (certbot needs root privileges to renew). Run:
$ sudo crontab -e

and add the following line.
0 0 1 * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log  

Save and close the file, then restart the cron service for the changes to take effect.
$ sudo /sbin/service crond restart

Open https://yourdomain.com in a web browser, and check whether Let’s Encrypt SSL is installed properly.


Published November 16, 2018 by

Install Let's Encrypt SSL with Apache on Ubuntu


This tutorial gives step-by-step instructions for installing a Let’s Encrypt SSL certificate with Apache on Ubuntu. Let’s Encrypt is an open SSL Certificate Authority (CA) that offers free domain-validated (DV) certificates for your websites. SSL certificates are used to establish a secure, encrypted connection between a web server and a user’s web browser. Certificates issued by Let’s Encrypt are valid for 90 days and are trusted by most web browsers today.

Step 1: Install the Let's Encrypt Client
 $ sudo add-apt-repository ppa:certbot/certbot  
 $ sudo apt-get update  
 $ sudo apt-get install python-certbot-apache  

Step 2: Set Up the SSL Certificate

Install a Let’s Encrypt SSL certificate on your domain (replace ‘example.com’ with your actual domain):
 $ sudo certbot --apache -d example.com --preferred-challenges http  

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For that reason, we recommend passing the bare domain name (for example, example.com) first in the list, followed by any additional subdomains or aliases:
 $ sudo certbot --apache -d example.com -d www.example.com --preferred-challenges http  

Step 3: Auto-Renew the SSL certificate with a cronjob

Create a cronjob in root's crontab so the SSL certificate is renewed automatically (certbot needs root privileges to renew). Run:
 $ sudo crontab -e

and add the following line.
 0 0 1 * * /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log  

Save and close the file, then restart the cron service for the changes to take effect.
 $ sudo service cron restart

Open https://yourdomain.com in a web browser, and check whether Let’s Encrypt SSL is installed properly.
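
How much slack the monthly cron entry used in both Let's Encrypt tutorials above leaves before a 90-day certificate expires, compared with a daily entry. This is an added example, not code from the original posts; it assumes certbot's default of renewing only certificates with fewer than 30 days left, and the issue times are constructed.

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)  # Let's Encrypt validity, as stated on this page
RENEW_WINDOW = timedelta(days=30)   # assumption: certbot's default renewal window


def monthly_runs(start, end):
    """Firing times of '0 0 1 * *' (midnight on the 1st) with start < t < end."""
    year, month = start.year, start.month
    while datetime(year, month, 1) < end:
        run = datetime(year, month, 1)
        if run > start:
            yield run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def daily_runs(start, end):
    """Firing times of '0 0 * * *' (every midnight) with start < t < end."""
    run = datetime(start.year, start.month, start.day) + timedelta(days=1)
    while run < end:
        yield run
        run += timedelta(days=1)


def renewal_chances(issued, schedule):
    """Cron firings at which `certbot renew` would act on this certificate.

    Returns (number of chances, validity left at the first chance). A firing
    counts only if the certificate is inside the renewal window and unexpired.
    """
    expires = issued + CERT_LIFETIME
    window_opens = expires - RENEW_WINDOW
    chances = [t for t in schedule(issued, expires) if t >= window_opens]
    margin = expires - chances[0] if chances else None
    return len(chances), margin


if __name__ == "__main__":
    # Constructed issue times, not taken from a real certificate.
    for issued in (datetime(2018, 11, 18, 10, 0), datetime(2019, 1, 1, 12, 0)):
        for name, schedule in (("monthly", monthly_runs), ("daily", daily_runs)):
            count, margin = renewal_chances(issued, schedule)
            print(f"issued {issued:%Y-%m-%d %H:%M}  {name:7}  chances={count}  "
                  f"first chance {margin} before expiry")
```

With the monthly schedule each sample certificate gets a single renewal attempt, in one case only 12 hours before expiry, so a failed run means an expired certificate; a daily entry gives 30 attempts.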


Published November 16, 2018 by

Send an Email Alert When System Disk Space Gets Low

Step 1: Get Disk Space

 df -h  

Step 2: Filter the output for the root file system and extract the percentage of space used

 (df -P / | grep / | awk '{ print $5}' | sed 's/%//g')

Step 3: Write a shell script

If you don't want to step up to a full monitoring solution such as Nagios, you can create your own scripts for monitoring the things that you want to monitor, such as disk space. The following script alerts you when your root partition is almost full.

#!/bin/bash
# Percentage of the root file system in use, without the % sign
# (-P keeps each file system on a single output line)
CURRENT=$(df -P / | grep / | awk '{ print $5}' | sed 's/%//g')
THRESHOLD=90

# Send an alert email when usage is above the threshold
if [ "$CURRENT" -gt "$THRESHOLD" ] ; then
  mail -s 'Disk Space Alert' it.subhashpatel@gmail.com << EOF
Your root partition remaining free space is critically low. Used: $CURRENT%
EOF
fi
The script sends an email when the disk usage rises above the percentage specified by the THRESHOLD variable (90% here).

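To run it daily, for example, save the script as disk-alert.sh in the /opt directory, make it executable, change the email address to your own, and add the following line at the end of the /etc/crontab file. Entries in /etc/crontab need a user field, so the line names root as the user that runs the script.

 @daily root /opt/disk-alert.sh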
Published November 13, 2018 by

How to Setup AWS S3 Access From Specific IPs


Recently we were testing with AWS VPC, and a requirement for our project was that nodes within a VPC be allowed access to S3 buckets while access from any other IP address was denied. Specifically, this concerned access to data that was going to be secured using AWS IAM keys. We needed to make sure that, even with the AWS access key and secret key, data could only be retrieved from inside the VPC, adding yet another layer of security to our existing model.

By default, accounts cannot access S3 unless they have been given access via policy. However, S3 does not restrict requests by source IP address by default: a permitted request is accepted from any IP address. To block IPs, you therefore have to specify explicit denies in the policy rather than allows.

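Allow Access to Specific IP Addresses

This policy denies every request that does not come from the listed address. Callers still need IAM permission, and the request must also originate from that IP.
 {
   "Version": "2012-10-17",
   "Id": "S3PolicyId1",
   "Statement": [
     {
       "Sid": "IPDeny",
       "Effect": "Deny",
       "Principal": {
         "AWS": "*"
       },
       "Action": "s3:*",
       "Resource": "arn:aws:s3:::bucket/*",
       "Condition": {
         "NotIpAddress": {
           "aws:SourceIp": "54.240.143.188/32"
         }
       }
     }
   ]
 }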

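Restrict Access to Specific IP Addresses

This policy grants access only to requests from the listed address. Because the principal is "*", it grants that access without requiring IAM credentials.
 {
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
   {
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "54.240.143.188/32"}
    }
   }
  ]
 }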
This can also be used as an added layer of security for your existing applications that use or access S3, not just nodes within a VPC. I hope this saves someone out there from undue stress when trying to secure S3 access.
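
A simplified model of how the Deny and Allow effects combine with IP conditions, as an added example (not code from the original post). It evaluates only the IpAddress and NotIpAddress operators on aws:SourceIp and assumes the request already matches Action and Resource; the function names, the second policy and the 203.0.113.7 test address are constructed.

```python
import ipaddress

LISTED = "54.240.143.188/32"  # the address used in the policies on this page

# Deny everything that does not come from the listed address.
DENY_UNLESS_LISTED = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": LISTED}}}]}

# Constructed mistake: Allow paired with NotIpAddress and a wildcard principal.
ALLOW_UNLESS_LISTED = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": LISTED}}}]}


def condition_matches(condition, source_ip):
    """True when every IpAddress / NotIpAddress block holds for source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled here: {operator}")
        cidrs = keys["aws:SourceIp"]
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        inside = any(ip in ipaddress.ip_network(c) for c in cidrs)
        if inside != (operator == "IpAddress"):
            return False
    return True


def evaluate(policy, source_ip, iam_allows):
    """Simplified S3 decision for one request that matches Action and Resource.

    iam_allows says whether the caller's own IAM policy grants the action
    (False models an anonymous caller). An explicit Deny beats any Allow.
    """
    allowed = iam_allows
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    for ip in ("54.240.143.188", "203.0.113.7"):  # second address is constructed
        print(ip, evaluate(DENY_UNLESS_LISTED, ip, iam_allows=True),
              evaluate(ALLOW_UNLESS_LISTED, ip, iam_allows=False))
```

The Deny form blocks a caller holding valid keys from any other address, while the Allow plus NotIpAddress form admits anonymous callers from everywhere except the listed address. aws:SourceIp matches the public source address; requests that reach S3 through a VPC endpoint are matched with aws:SourceVpce or aws:SourceVpc instead.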