Amazon EC2 + Railo Lockdown
Jan 18
For my own future reference, here are the steps I used to lock down an Amazon EC2 instance running the Railo image:
- SSH in as the ubuntu user. It should use your existing Amazon key pair. If it doesn't, go read up on how EC2 works.
- Create a new user account and add the user to the admin group (on Ubuntu 12.04 and later the admin group was replaced by the sudo group, so use that name instead):
    sudo adduser fred
    sudo adduser fred admin
- Copy your SSH key over to the new user:
    sudo mkdir -p /home/fred/.ssh
    sudo cp ~/.ssh/authorized_keys /home/fred/.ssh/
    sudo chown -R fred:fred /home/fred/.ssh
    sudo chmod -R 0700 /home/fred/.ssh
- Add your new user to /etc/sudoers. Always go through visudo rather than editing the file directly, since a syntax error in sudoers locks everyone out of sudo:
    export EDITOR=nano && sudo -E visudo
  and add the line:
    fred ALL=(ALL) ALL
- Log out. SSH back in as your new user and confirm sudo works before going any further, because the remaining steps need it.
- Remove the Railo admin password and restart Railo. Note that the substitution blanks every password attribute in that file, so if it also holds passwords for server-level datasources or mail servers those are cleared too; the -i.bak switch leaves a backup copy to recover them from. Until the next step is done the Server admin has no password at all and whoever reaches it first gets to set one, so go straight on to it:
    sudo perl -p -i.bak -e 's/password=".+?"/password=""/g' /opt/railo/lib/railo-server/context/railo-server.xml
    sudo /etc/init.d/railo_ctl restart
- Reset your Railo Server password at http://./railo-context/admin/server.cfm. Set a default password and reset all of the web context passwords.
- Change the Mango admin password by logging into http://./admin with admin/railo4all (the image's default). Create a new user account with your own name while you are in there.
- Reset your MySQL root password (the image ships with railo4all) and make a restricted user for Mango. The -p with no value makes mysql prompt for the password, which keeps it out of your shell history:
    mysql -u root -p mysql
    update user set password=password('newpassword') where user = 'root';
    create user 'railo'@'127.0.0.1' identified by 'newpassword';
    grant select, insert, update, delete, alter, index, drop, create on mango.* to 'railo'@'127.0.0.1';
    flush privileges;
    \q
  Use different passwords for root and for railo rather than the same 'newpassword' for both. If you aren't using ORM, your grant statement can be reduced to the first four CRUD operations (select, insert, update, delete). On MySQL 5.7 and later the Password column no longer exists in mysql.user, so the update statement becomes ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpassword' instead.
- Go into your Railo Web Admin at http://./railo-context/admin/web.cfm and change the Mango datasource to use user railo and the new password. Lock down the datasource permissions appropriately: the allowed SQL statement types on the datasource should match the MySQL grant above, so anything not granted is also unticked here.
- Set up Git, and make a repo to cover your web root (on newer Ubuntu the package is simply git rather than git-core):
    sudo apt-get install -y git-core
    mkdir -p ~/git/www.git
    cd ~/git/www.git
    git init --bare
    git config core.bare false
    git config core.worktree /var/www
    git config receive.denycurrentbranch ignore
    sudo chown -R fred:fred /var/www
    cat > /var/www/.gitignore <<'EOF'
    WEB-INF
    ~*
    *~
    settings.xml
    EOF
    git add /var/www
    git commit -m 'Created repo'
    cat > hooks/post-update <<'EOF'
    #!/bin/sh
    GIT_WORK_TREE=/var/www GIT_DIR=/home/fred/git/www.git git checkout -q -f
    EOF
    chmod +x hooks/post-update
  The .gitignore keeps WEB-INF (the Railo context configuration) and settings.xml out of the repo, so server-side configuration and secrets never leave the box. You should now be able to clone this repo with something like fred@host:git/www.git. Committing and pushing to Git checks out the files to your web root, so you never need to transfer anything manually unless it's too big to put in Git.
- Fix SES URLs in Apache+Tomcat. You'll need to edit /etc/apache2/apache2.conf to include a /*.cfm/* rule, because the usual *.cfm rule does not match search-engine-safe URLs of the form /page.cfm/key/value, so those requests never reach Tomcat.
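Once the steps above are done, it is worth re-checking that nothing was missed. The following POSIX shell audit is an added example and not part of the original post: it tests that the Railo Server admin password is no longer empty, that the default password railo4all no longer appears in the configuration files, and that the new user's .ssh directory is not group- or world-accessible. The default password and the config locations are taken from the post; the file contents it runs against are constructed stand-ins, the hash and datasource values are made up, and it assumes GNU coreutils (stat -c), i.e. the Ubuntu image the post is about.

```shell
#!/bin/sh
# Post-lockdown audit, added as an example; not part of the original post.
# Re-checks the state the lockdown steps should leave behind. The default
# secret "railo4all" and the config locations come from the post; the
# sample files in demo() are constructed stand-ins. Assumes GNU coreutils
# (stat -c), i.e. the Ubuntu image the post is about.
set -u

# 0 if FILE carries a non-empty password="..." attribute (the admin password
# was reset after the perl one-liner blanked it), 1 if empty or missing.
railo_password_is_set() {
    pw=$(sed -n 's/.*password="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$pw" ]
}

# 0 if FILE still contains the image's default password.
has_default_secret() {
    grep -q 'railo4all' "$1"
}

# 0 if DIR is mode 700 and nothing inside it is group- or world-accessible
# (the post's chmod -R 0700 gives 700 on authorized_keys; 600 is also fine).
ssh_dir_locked_down() {
    [ "$(stat -c %a "$1")" = 700 ] || return 1
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case $(stat -c %a "$f") in
            *00) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit SERVER_XML WEB_XML SSH_DIR: one PASS/FAIL line per check; the
# return value is the number of failures, so 0 means clean.
audit() {
    fails=0
    if railo_password_is_set "$1"; then
        echo "PASS server admin password set: $1"
    else
        echo "FAIL server admin password is empty: $1"; fails=$((fails + 1))
    fi
    for f in "$1" "$2"; do
        if has_default_secret "$f"; then
            echo "FAIL default password railo4all still present: $f"; fails=$((fails + 1))
        else
            echo "PASS no default password: $f"
        fi
    done
    if ssh_dir_locked_down "$3"; then
        echo "PASS ssh dir permissions: $3"
    else
        echo "FAIL ssh dir or key file is group/world accessible: $3"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo against constructed files standing in for
# /opt/railo/lib/railo-server/context/railo-server.xml, the web context
# config holding the Mango datasource, and /home/fred/.ssh. The hash and the
# datasource password are made-up values.
demo() {
    d=$(mktemp -d)
    printf '<railo-configuration password="c3a1deadbeef" />\n' > "$d/railo-server.xml"
    printf '<data-source name="mango" username="railo" password="encrypted:f00dbabe" />\n' > "$d/web-context.xml"
    mkdir -m 700 "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    rc=0
    audit "$d/railo-server.xml" "$d/web-context.xml" "$d/.ssh" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if demo; then echo "lockdown audit clean"; else echo "lockdown audit found problems"; fi
```

On the real instance, point audit at /opt/railo/lib/railo-server/context/railo-server.xml, the web context file that holds the Mango datasource, and /home/fred/.ssh (run it with sudo, since the Railo config is not readable by your user); a non-zero exit status means one of the lockdown steps did not take.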