Amazon EC2 + Railo Lockdown

For my own future reference, here are the steps I used to lock down an Amazon EC2 instance running the Railo image:

  1. SSH in as the ubuntu user. It should use your existing Amazon key pair. If it doesn’t, go read up on how EC2 works.

  2. Create a new user account and add the user to the admin group:

    sudo adduser fred
    sudo adduser fred admin
  3. Copy your SSH key over to the new user:

    sudo mkdir -p /home/fred/.ssh
    sudo cp ~/.ssh/authorized_keys /home/fred/.ssh/
    sudo chown -R fred:fred /home/fred/.ssh
    sudo chmod -R 0700 /home/fred/.ssh
  4. Add your new user to /etc/sudoers.

    export EDITOR=nano && sudo -E visudo
    fred ALL=(ALL) ALL
  5. Logout. SSH back in as your new user.

  6. Remove the Railo admin password and restart Railo:

    sudo perl -p -i.bak -e 's/password=".+?"/password=""/g' /opt/railo/lib/railo-server/context/railo-server.xml
    /etc/init.d/railo_ctl restart
  7. Reset your Railo Server password at http://./railo-context/admin/server.cfm. Set up a default password and reset all of the web context passwords.

  8. Change the Mango admin password by logging into http://./admin with admin/railo4all. Create a new user account with your own name while you are in there.

  9. Reset your mySQL password (current is railo4all) and make a new user:

    mysql -u root -p mysql
    update user set password=password('newpassword') where user = 'root';
    create user 'railo'@'' identified by 'newpassword';
    grant select, insert, update, delete, alter, index, drop, create on mango.* to 'railo'@'';
    flush privileges;

    If you aren’t using ORM, your grant statement can be reduced to the first 4 CRUD operations.

  10. Go into your Railo Web Admin at http://./railo-context/admin/web.cfm and change the Mango datasource to use user railo and the new password. Lock down permissions appropriately.

  11. Set up Git, and make a repo to cover your web root:

    sudo apt-get install -y git-core
    mkdir -p ~/git/www.git
    cd ~/git/www.git
    git init --bare
    git config core.bare false
    git config core.worktree /var/www
    git config receive.denycurrentbranch ignore
    sudo chown -R fred:fred /var/www
    cat > /var/www/.gitignore
    git add /var/www
    git commit -m 'Created repo'
    cat > hooks/post-update
        GIT_WORK_TREE=/var/www GIT_DIR=/home/fred/git/www.git git checkout -q -f
    chmod +x hooks/post-update

    You should now be able to clone this repo with something like fred@host:git/www.git. Committing and pushing to Git checks out the files to your web root, so you never need to transfer anything manually unless it’s too big to put in Git.

  12. Fix SES URLs in Apache+Tomcat. You’ll need to edit /etc/apache2/apache2.conf to include a /*.cfm/* rule.