The Azure Container Service

The Azure Container Service (ACS) is a cloud-based container deployment and management service that supports popular open-source tools and technologies for container and container orchestration. ACS allows you to run containers at scale in production and manages the underlying infrastructure for you by configuring the appropriate VMs and clusters for you. ACS is orchestrator-agnostic and allows you to use the container orchestration solution that best suits your needs. Learn how to use ACS to scale and orchestrate applications using DC/OS, Docker Swarm, or Kubernetes.

Azure Container Instances let you run a container in Azure without managing virtual machines and without a higher-level service.

How to build container instances

Azure continer instance

How to update certificate to use the SHA-2 hashing algorithm

Followed by National Institute of Standards and Technology (NIST) recommendations certificates encrypted with the Secure Hash Algorithm-1 (SHA-1) algorithm will stop supporting after 2017.Accourding to experts, using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.SHA-1(more than 98%) is currently the most widely used digest algorithm.
Microsoft is announcing a policy change to the Microsoft Root Certificate Program and Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017, and will stop accepting SHA-1 code signing certificates without timestamps after January 1, 2016.

Google Chrome has started warning end users when they connect to a secure website using SSL certificates encrypted with the SHA-1 algorithm (read google blog http://googleonlinesecurity.blogspot.in/2014/09/gradually-sunsetting-sha-1.html).

Read more how to do

How to update certificate to use the SHA

Google Authenticator

Google Authenticator is an application that implements Time-based One-time Password Algorithm (TOTP) security tokens in mobile apps made by Google.The Authenticator can also generate codes for third-party applications or file hosting services.Previous versions of the software were open source but subsequent releases are proprietary.

Working
The service provider generates an 80-bit secret key for each user (in contravention of RFC 4226 §4[33]). This is provided as a 16, 24 or 32 character base32 string or as a QR code. The client creates an HMAC-SHA1 using this secret key.
users will install the Authenticator app on their smartphone to log into a site or service that uses two-factor authentication, they provide user name and password to the site and run the Authenticator app which produces an additional six-digit one-time password. The user provides this to the site, the site checks it for correctness and authenticates the user.

How to two-step authentication is enabled for your Google account

1.Make sure that two-step authentication is enabled and configured for your account.
2.Download and install the app on your Android device or on your iPhone, iPad or iPod Touch
3.Login to your Google account at http://accounts.google.com. Choose “Security” from the left-side menu, then look for “2-step verification” and click “Edit”. You may need to login again.
Connect your Google Authenticator app to your Google account by following the prompts after “How to Connect” a Mobile Application.

Setting up for google applications.

Setting up OTP for  WordPress

Install Google Authenticator
https://support.google.com/accounts/answer/1066447?hl=en

How to Browser Default Language changing

Below documents shows how to change default language in Internet Explorer,Mozilla and Chrome.

Browser Default Language changing

Nginx using as load balancer

Basic HTTP server features

Serving static and index files, autoindexing; open file descriptor cache;
Accelerated reverse proxying with caching; simple load balancing and fault tolerance;
Accelerated support with caching of FastCGI, uwsgi, SCGI, and memcached servers; simple load balancing and fault tolerance;
Modular architecture. Filters include gzipping, byte ranges, chunked responses, XSLT, SSI, and image transformation filter. Multiple SSI inclusions within a single page can be processed in parallel if they are handled by proxied or FastCGI/uwsgi/SCGI servers;
SSL and TLS SNI support.
Other HTTP server features

Name-based and IP-based virtual servers;
Keep-alive and pipelined connections support;
Flexible configuration;
Reconfiguration and upgrade of an executable without interruption of the client servicing;
Access log formats, buffered log writing, fast log rotation, and syslog logging;
3xx-5xx error codes redirection;
The rewrite module: URI changing using regular expressions;
Executing different functions depending on the client address;
Access control based on client IP address, by password (HTTP Basic authentication) and by the result of subrequest;
Validation of HTTP referer;
The PUT, DELETE, MKCOL, COPY, and MOVE methods;
FLV and MP4 streaming;
Response rate limiting;
Limiting the number of simultaneous connections or requests coming from one address;
Embedded Perl.

Load balancing methods

The following load balancing mechanisms (or methods) are supported in nginx:

round-robin — requests to the application servers are distributed in a round-robin fashion,
least-connected — next request is assigned to the server with the least number of active connections,
ip-hash — a hash-function is used to determine what server should be selected for the next request (based on the client’s IP address).
Default load balancing configuration

The simplest configuration for load balancing with nginx may look like the following:

http {
upstream myapp1 {
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}

server {
listen 80;

location / {
proxy_pass http://myapp1;
}
}
}
In the example above, there are 3 instances of the same application running on srv1-srv3. When the load balancing method is not specifically configured, it defaults to round-robin. All requests are proxied to the server group myapp1, and nginx applies HTTP load balancing to distribute the requests.

Reverse proxy implementation in nginx includes load balancing for HTTP, HTTPS, FastCGI, uwsgi, SCGI, and memcached.

To configure load balancing for HTTPS instead of HTTP, just use “https” as the protocol.

When setting up load balancing for FastCGI, uwsgi, SCGI, or memcached, use fastcgi_pass, uwsgi_pass, scgi_pass, and memcached_pass directives respectively.

Least connected load balancing

Another load balancing discipline is least-connected. Least-connected allows controlling the load on application instances more fairly in a situation when some of the requests take longer to complete.

With the least-connected load balancing, nginx will try not to overload a busy application server with excessive requests, distributing the new requests to a less busy server instead.

Least-connected load balancing in nginx is activated when the least_conn directive is used as part of the server group configuration:

upstream myapp1 {
least_conn;
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}
Session persistence

Please note that with round-robin or least-connected load balancing, each subsequent client’s request can be potentially distributed to a different server. There is no guarantee that the same client will be always directed to the same server.

If there is the need to tie a client to a particular application server — in other words, make the client’s session “sticky” or “persistent” in terms of always trying to select a particular server — the ip-hash load balancing mechanism can be used.

With ip-hash, the client’s IP address is used as a hashing key to determine what server in a server group should be selected for the client’s requests. This method ensures that the requests from the same client will always be directed to the same server except when this server is unavailable.

To configure ip-hash load balancing, just add the ip_hash directive to the server (upstream) group configuration:

upstream myapp1 {
ip_hash;
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}

Weighted load balancing

It is also possible to influence nginx load balancing algorithms even further by using server weights.

In the examples above, the server weights are not configured which means that all specified servers are treated as equally qualified for a particular load balancing method.

With the round-robin in particular it also means a more or less equal distribution of requests across the servers — provided there are enough requests, and when the requests are processed in a uniform manner and completed fast enough.

When the weight parameter is specified for a server, the weight is accounted as part of the load balancing decision.

upstream myapp1 {
server srv1.example.com weight=3;
server srv2.example.com;
server srv3.example.com;
}

With this configuration, every 5 new requests will be distributed across the application instances as the following: 3 requests will be directed to srv1, one request will go to srv2, and another one — to srv3.

It is similarly possible to use weights with the least-connected and ip-hash load balancing in the recent versions of nginx.

Health checks

Reverse proxy implementation in nginx includes in-band (or passive) server health checks. If the response from a particular server fails with an error, nginx will mark this server as failed, and will try to avoid selecting this server for subsequent inbound requests for a while.

The max_fails directive sets the number of consecutive unsuccessful attempts to communicate with the server that should happen during fail_timeout. By default, max_fails is set to 1. When it is set to 0, health checks are disabled for this server. The fail_timeout parameter also defines how long the server will be marked as failed. After fail_timeout interval following the server failure, nginx will start to gracefully probe the server with the live client’s requests. If the probes have been successful, the server is marked as a live one.

Other posts

Installing and configuring HA Proxy on Ubuntu

SquidNT proxy

NginX

nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. According to Netcraft, nginx served or proxied 21.21% busiest sites in February 2015.Netflix, WordPress.com, FastMailare used by ngix for eg.

Apache powers more websites,because it has been available for so many years and Microsoft IIS is in next place.Using apache slows down under heavy load, because of the need to spawn new processes,it also creates new threads that must compete with others for access to memory and CPU.

Installation and configurations

nginx

TMG2010-End Of Life

Microsoft discontinued(EOL-End Of Life)Forefront TMG 2010 product.Thismeans

there will not be another new version of TMG in the future, and there will be

no more feature enhancements made to TMG (only security updates and bug

fixes),But announced will continue to provide mainstream support for TMG until

April 14, 2015, and extended support until April 14, 2020. The Forefront TMG

2010 Web Protection Services (WPS) will be discontinued on December 31, 2015.

Beginning on January 1, 2016, Web Protection Services (URL filtering,

virus/malicious software scanning, and Network Inspection System) will

continue to function but will no longer receive updates.

This is the time to think to considering a replacement for your Forefront TMG

2010 firewall deployed your network.

AS per Richard Hicks from Celestix networks,Microsoft OEM partner They also

stated that they would discontinue selling TMG later that year.
(http://www.celestix.com/best-forefront-tmg-2010-replacement-forefront-tmg-

2010/)

There is no reason reported from Microsoft,but seems to be Forefront TMG 2010

cannot be installed on the latest release of the Windows Server operating

system(windows 2012).Supported OS is(recommended os by Microsoft is Windows

Server 2008 R2 which is not as secure as Windows Server 2012 R2.Also, not

possible to install Forfront on Windows Server core

(http://technet.microsoft.com/en-in/library/dd896981.aspx).

Medium to large enterprise want more than the basic protection capabilities

and not likely to rely on Windows Defender (or Microsoft Security Essentials).
Read Microsoft official annoncement of product lifecycle.
http://support2.microsoft.com/lifecycle/search/default.aspx?

sort=PN&alpha=Forefront&Filter=FilterNO

So,what is the replacement for TMG used places

Replacing TMG with UTM
F5

Click to access f5-tmg-replacement-dg.pdf

Barracuda
https://www.barracuda.com/tmg
Celestix MSA
http://www.celestix.com/products/msa/
Netscalar
https://www.citrix.com/content/dam/citrix/en_us/documents/products-

solutions/netscaler-a-comprehensive-replacement-for-microsoft-forefront-

threat-management-gateway.pdf
watchguard
http://www.watchguard.com/
Fortinet
http://www.fortinet.com/

softwares
Web cache/accelerator/filter/proxy:Sqiud/varnish/Nginx

Microsoft Forefront Threat Management Gateway (TMG) 2010

Forefront TMG is a comprehensive secure web gateway solution that helps to

protect users from web-based threats(a proxy server, a firewall, a web content

filtering, a VPN Server,intrusion prevention,malware inspection etc).This is

revised version of Microsoft Internet Security and Acceleration Server (ISA

Server)of windows 2008(http://msdn.microsoft.com/en-us/security/aa570369.aspx)

What’s new in Forefront TMG 2010 SP2
http://technet.microsoft.com/en-US/library/hh301099.aspx

For making your system as TMG, you required 2 Network card ,one is LAN

(internal networks)and a WAN(Internet)

System requirements for Forefront TMG
http://technet.microsoft.com/en-us/library/dd896981.aspx

Installations are usual by clicking next and finish.

Installation design guide for Forefront TMG
http://technet.microsoft.com/en-us/library/dd896984.aspx

There is a step by step guide from

Installation of Forefront TMG 2010 Standard Edition

HTTP and HTTPS rule

By default all access rules are denied. You need to Create web access rules

for internal networks allowing HTTP and HTTPs traffic pass through from

internal network to external and perimeter. Also allow HTTP and HTTPs traffic

pass through from perimeter to external and internal.

Click Firewall Policy>Click Create Access Rule on Task Pan.

References
Installing Forefront TMG on a domain controller
http://technet.microsoft.com/en-us/library/ff808305.aspx

Configuring networks and routing
http://technet.microsoft.com/en-us/library/dd440997.aspx

Configuring roles and permissions
http://technet.microsoft.com/en-us/library/dd441007.aspx

Configuring client computers
http://technet.microsoft.com/en-us/library/cc441532.aspx

Configuring client authentication servers
http://technet.microsoft.com/en-us/library/cc441510.aspx

Configuring Network Access Protection
http://technet.microsoft.com/en-us/library/dd440978.aspx

POODLE Attack

Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered

this SSL(Secure Socket Layer) vulnerability in September 2014.The POODLE

(Padding Oracle On Downgraded Legacy Encryption) attack are not serious as the

Heartbleed and Shellshock attacks.On December 8, 2014 a variation of the

POODLE vulnerability that impacted TLS was announced.
The CVE ID’s(CVE-2014-3566 and CVE-2014-8730) associated with the original

POODLE attack and F5 Networks’ faulty implementation of TLS that allows

POODLE.

There is currently no fix for the vulnerability SSL 3.0.To mitigate the POODLE

attack,completely disable SSL 3.0 on the Server and client side.But, some old

clients and servers do not support TLS 1.0 and above. Thus,for such clients

browser and server better to implement TLS_FALLBACK_SCSV.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Browser enabled
===============
Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.
Chrome 39,already support TLS_FALLBACK_SCSV.
Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released

in December 2014, and will add support of TLS_FALLBACK_SCSV in Firefox 35.
Microsoft announced the plan to disable SSL 3.0 by default in their products

and services and a fix for to disable SSL 3.0 in Internet Explorer and Windows

OS.
Apple’s Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against

POODLE by removing support for all CBC protocols in SSL 3.0.

Service providers status
————————
OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and

recommend the following upgrades
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.OpenSSL 0.9.8 users should

upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent

downgrade attacks

Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0.
CloudFlare has disabled SSL 3.0 support by default for all customers.
Twitter and Wikimedia have dropped support of SSL 3.0 to prevent the POODLE

attack.

Click to access ssl-poodle.pdf

http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-

poodlebleed

How to check your server&client
===============================
Web site test
https://www.ssllabs.com/ssltest/

Client test
https://www.ssllabs.com/ssltest/viewMyClient.html

Resolutions for Server and Clients
==================================

Disable in Microsoft Server
—————————
Microsoft OS registry disable for SSL
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders

\SCHANNEL\Protocols\SSL 3.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Type 00000000 in Binary Editor to set the value of the new key equal to “0”

and restart.

CVE-2014-3566 – KB3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx

How to disable SSLv3 in Apache?
——————————-
Include “SSLProtocol all -SSLv2 -SSLv3 ” within every VirtualHost in

httpd.conf of version 2.2.23

<VirtualHost your.website.example.com:443>
DocumentRoot /var/www/directory
ServerName your.website.example.com

…
SSLEngine on
…
SSLProtocol all -SSLv2 -SSLv3
…
</VirtualHost>

Note : if there is separeate ssl configuration like Ubuntu 10.04
/etc/apache2/mods-available/ssl.conf :
SSLProtocol all -SSLv2 -SSLv3

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a

wildcard for all TLS versions.

SSLProtocol TLSv1

For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0+.

NSSProtocol TLSv1.0,TLSv1.1

Apache Tomcat Web server
————————
Tomcat 5

Configured via $TOMCAT_HOME/conf/server.xml

<Connector
protocol=”org.apache.coyote.http11.Http11AprProtocol”
port=”8443″ maxThreads=”200″
SSLEnabled=”true” scheme=”https” secure=”true”
SSLCertificateFile=”/usr/local/ssl/server.crt”
SSLCertificateKeyFile=”/usr/local/ssl/server.pem”
clientAuth=”false” sslProtocols = “TLSv1,TLSv1.1,TLSv1.2″ />

Tomcat 6,7

<Connector
protocol=”org.apache.coyote.http11.Http11AprProtocol”
port=”8443″ maxThreads=”200″
SSLEnabled=”true” scheme=”https” secure=”true”
SSLCertificateFile=”/usr/local/ssl/server.crt”
SSLCertificateKeyFile=”/usr/local/ssl/server.pem”
clientAuth=”false” sslEnabledProtocols = “TLSv1,TLSv1.1,TLSv1.2” />

Lighthttpd
————
For Lighttpd 1.4.28+, edit /etc/lighttpd/lighttpd.conf

ssl.use-sslv2 = “disable”

ssl.use-sslv3 = “disable”

Postfix SMTP
————-
Modify the smtpd_tls_mandatory_protocols configuration line.

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Sendmail
———
Modify the LOCAL_CONFIG section of the sendmail.mc file.

CipherList=HIGH

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

+SSL_OP_CIPHER_SERVER_PREFERENCE

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Dovecot
——–
For Dovecot 2.1+, edit /etc/dovecot/local.conf to add the below lines and then

restart Dovecot.

ssl_protocols = !SSLv2 !SSLv3

For Dovecot 2, edit /etc/dovecot/conf.d/10-ssl.conf to add the below lines and

then restart Dovecot.

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

Courier-imap
————-
For Ubuntu 12.04, edit /etc/courier/imapd-ssl.

IMAPDSSLSTART=NO

IMAPDSTARTTLS=YES

IMAP_TLS_REQUIRED=1

TLS_PROTOCOL=TLS1

TLS_STARTTLS_PROTOCOL=TLS1

HAProxy Server
—————-
Edit the bind line in your /etc/haproxy.cfb file.

bind :443 ssl crt  ciphers  no-sslv3

Nginx
—–
Modify the ssl_protocols directive to only use TLSv1, TLSv1.1, and TLSv1.2. If

you do not have a ssl_protocols directive, add it to the top of your

configuration file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

389 Directory Server
——————–
Modify cn=encryption,cn=configA and restart the server.

ldapmodify -x -D “cn=Directory Manager” -W <<EOF

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: off

Enabling on Browser Settings
—————————-
Chrome:
right click on shortcu and go to properties,and go to end “C:\Program Files

\Google\Chrome\Application\chrome.exe” add type ––ssl-version-min=tls1

IE:
Click on the Settings and then Internet options,advanced tab then security

section,un check SSL and check TLS

Firefox:
download and install the SSL Version Control 0.2 add-on from

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Alternatively, you can set the value security.tls.version.min = 1 in the

about:config dialog.

Safari:
Apple has released Security Update 2014-005, which disables CBC-mode ciphers

in coordination with SSLv3.

Mac OS Mavericks: http://support.apple.com/kb/DL1772
MAC OS Mountain Lion: http://support.apple.com/kb/DL1771
MAC OS Yosemite: https://support.apple.com/kb/HT6535

Hardware providers
==================
F5 Networks
———–
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

A10 Networks
————
https://www.a10networks.com/vadc/index.php/cve-2014-3566-from-beast-to-

poodle-or-dancing-with-beast/

Cisco Networks
—————
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-

sa-20141015-poodle
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Poodle_10152014

.html

Juniper Networks
—————–
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656&actp=RSS

Note:POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014.

This attack exploits implementation flaws of CBC mode ciphers in the TLS 1.0 –

1.2 protocols. Even though TLS specifications require servers to check the

padding, some implementations fail to validate it properly, which makes some

servers vulnerable to POODLE even if they disable SSL 3.0. SSL Pulse showed

“about 10% of the servers are vulnerable to the POODLE attack against TLS”

before this vulnerability is announced. The CVE ID for F5 Networks’

implementation bug is CVE-2014-8730. The entry in NIST’s NVD states that this

CVE ID is to be used only for F5 Networks’ implementation of TLS, and that

other vendors whose products have the same failure to validate the padding

mistake in their implementations like A10 Networks and Cisco Systems need to

issue their own CVE ID’s for their implementation errors because this is not a

flaw in the protocol itself and is a flaw in the protocol’s implementation.

The POODLE attack against TLS was found to be easier to initiate than the

initial POODLE attack against SSL. There is no need to downgrade clients to

SSL 3.0, requiring less real-world scenarios to appear active.

Openssl cert generation

Generate a Private Key
———————-
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Generate a CSR (Certificate Signing Request)
——————————————–
These are the X.509 attributes of the certificate.

openssl req -new -key server.key -out server.csr

Remove Passphrase from Key
————————–
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started.

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Generating a Self-Signed Certificate
————————————-
To generate a temporary certificate which is good for 365 days

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Installing the Private Key and Certificate
——————————————
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

If using certificates in Apache then

Configuring SSL Enabled Virtual Hosts
————————————

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”

Restart Apache and Test
————————-

/etc/init.d/httpd stop
/etc/init.d/httpd stop