rsync to AWS EC2 Using PEM Key

I ran into a situation today where I needed to have a master EC2 instance sync its files to an array of other EC2 instances. Using SSH and rsync makes this trivial except for one thing: how to connect using the PEM file instead of a username / password combo.

The trick is to pass the PEM file to SSH through rsync's -e option, which takes the remote shell command to use (in the one-liner below it is bundled with -r, -a and -v as -rave):

rsync -rave "ssh -i /path/to/EC2_KEY.pem" /path/to/local/files/* EC2_USER@EC2_INSTANCE:/path/to/remote/files

Other than that, everything works the same as with a typical rsync.
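The master-to-many fan-out described above, written as an added example (not the post's own script). All hosts, the user, the key path and the known_hosts file are placeholders; the script checks the PEM key's permissions once up front (ssh refuses a key readable by others) and pins host keys instead of accepting whatever the remote presents.

```bash
#!/bin/sh
# Added example, not from the original post: sync one local tree to several
# EC2 hosts over SSH using a PEM key. All values below are placeholders.

KEY=/path/to/EC2_KEY.pem                 # placeholder PEM key handed to ssh via -i
EC2_USER=ec2-user                        # placeholder remote user
SRC=/path/to/local/files/                # trailing slash: copy the contents, not the dir
DEST=/path/to/remote/files
HOSTS="10.0.0.11 10.0.0.12 10.0.0.13"    # constructed placeholder addresses
KNOWN_HOSTS=/etc/ssh/ec2_known_hosts     # assumed file holding the instances' host keys

# ssh rejects a private key that group/others can read, so check once here
# rather than failing on every host. Returns 0 for mode 400 or 600.
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    400|600|0400|0600) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the remote-shell command rsync runs through -e. StrictHostKeyChecking=yes
# means an unknown or changed host key aborts the transfer instead of prompting.
ssh_cmd() {
  printf 'ssh -i %s -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1" "$2"
}

# Sync SRC to every host in HOSTS; returns non-zero if any host failed.
sync_all() {
  key_perms_ok "$KEY" || { echo "refusing: $KEY must be mode 400 or 600" >&2; return 2; }
  rc=0
  for h in $HOSTS; do
    # -a preserves perms/times, -v lists files; --delete is deliberately omitted
    # so an empty or wrong source tree cannot wipe the remote directory.
    rsync -av -e "$(ssh_cmd "$KEY" "$KNOWN_HOSTS")" "$SRC" "$EC2_USER@$h:$DEST" || rc=1
  done
  return $rc
}

# Uncomment to run: sync_all
```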

Where is Xcode 6.1?

As of this morning the version of Xcode in the Mac App Store is still 6.0.1 and the Xcode downloads page in the developer center says available shortly.

But if you’ve upgraded to Yosemite and are using a package manager such as Homebrew, you’re required to have 6.1. So now what?

Simply head over to the main downloads page in the developer center and grab both Xcode 6.1 and the command line tools.

MySQL 5.5 and 5.6 Vulnerability

Another day, another security vulnerability.

Today Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL

To address these vulnerabilities, your database instances will need to be upgraded to either MySQL 5.5.40 or 5.6.21.

If you’re on a hosted service such as RDS, expect to be upgraded during your next maintenance window. More info can be found on Amazon’s security site.

SSL v3.0 POODLE Vulnerability

A new SSL bug was announced today – CVE-2014-3566 (SSL v3.0 POODLE vulnerability).

This vulnerability affects servers that still support SSL 3.0. It centers on the cipher block chaining (CBC) mode implementation and allows an attacker in a Man-in-the-Middle (MITM) position to derive the contents of a secure payload from the server's responses to requests sent from a compromised browser to a legitimate server.

One way to remedy this issue is to disable SSL 3.0 support, or at least SSL 3.0 CBC-mode ciphers, on your servers, but this presents significant compatibility problems with older browsers (specifically Windows XP users browsing with Internet Explorer 6). Instructions on how to disable it on NGINX can be found here.

The other option (recommended by Google among others) is to make use of TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Unfortunately TLS_FALLBACK_SCSV is currently a draft extension to SSL/TLS and has not yet been accepted into OpenSSL or made its way into major browsers other than Chrome.

You can use GeoTrust’s SSL Tool Box to detect if SSL 3.0 is enabled on a web server.
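For servers you administer, the same check can be done locally with openssl s_client; this is an added example, not part of the original post or the GeoTrust tool. It assumes an OpenSSL build that still accepts the -ssl3 flag, and the host names are placeholders.

```bash
#!/bin/sh
# Added example, not from the original post: probe a server for SSL 3.0 support
# and decide from `openssl s_client` output whether an SSLv3 handshake completed.

# Reads s_client output on stdin. A refused SSLv3 handshake still prints a
# "Protocol : SSLv3" line but reports "Cipher : 0000", so both fields are checked.
sslv3_negotiated() {
  awk '
    /^ *Protocol *: *SSLv3/ { proto = 1 }
    /^ *Cipher *: */        { cipher = $NF }
    END { exit !(proto && cipher != "" && cipher != "0000" && cipher != "(NONE)") }
  '
}

# Probe host:port (port defaults to 443). Needs an OpenSSL that still has -ssl3;
# builds without it produce no session output and are reported as "not accepted",
# so confirm the flag works against a known SSLv3 host before trusting a clean result.
check_sslv3() {
  host=$1
  port=${2:-443}
  if openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>/dev/null | sslv3_negotiated; then
    echo "$host:$port accepts SSL 3.0: exposed to POODLE, disable SSLv3 on the server"
    return 1
  fi
  echo "$host:$port does not accept SSL 3.0"
  return 0
}

# Usage (placeholder host): check_sslv3 www.example.com 443
```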

CVE-2014-6271 – Vulnerability in Bash

There’s a very nasty vulnerability in Bash that allows remote attackers to execute code:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

To test if you’re vulnerable, simply execute this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output includes the word “vulnerable,” then your system is vulnerable.

Amazon will be doing a massive restart of all EC2 instances this weekend (starting Friday and running through Sunday) to patch all affected systems. Managed services including RDS, ElastiCache, and Redshift will also be affected.

Instance types that will NOT be impacted:

  • R3
  • T1
  • T2
  • M2
  • HS1

AWS plans to stage the reboot process so that each region will have only one AZ patched each day. Additionally, AWS states that it will not patch instances in multiple regions at the same time within the same AWS account.

More info here:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://alas.aws.amazon.com/ALAS-2014-418.html

Google’s Chrome 39 Sunsetting SHA-1

Google has announced that they are sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November 2014. SHA-1 root certificates are not affected by this plan.

Most providers are offering free upgrades to SHA-2 certificates, so be sure to contact yours to see if you qualify.

More info can be found on Google’s security blog.

HipChat 3.0

HipChat rolled out a huge update to their Mac client today (other platforms will be following soon) that features a number of great changes including a brand new, lightweight UI and so far, I’m really digging it.

I was a big fan of the previous UI over competitors such as Slack and this update makes using HipChat even better.

Some other changes in this update include emoticon autocomplete, unread message counts and new presence icons. You can read all about it on their blog.