Monday, September 19, 2016

fail2ban: Protecting Servers

Recommending security measures is generally considered the work of the Application and Network Security team. But with the introduction of DevOps and the change in culture, everyone can contribute to it.

I usually recommend that teams embed these security tools into their development practices to ensure better end results, because when used properly, tools like these help maintain better code quality and keep infrastructure protected.

A few open source tools:
YASCA: http://www.scovetta.com/yasca.html
PMD: https://pmd.github.io/
SNORT: https://www.snort.org/
Fail2Ban: http://www.fail2ban.org/wiki/index.php/Main_Page

Let me explain more with an example:
With expanding infrastructure, we need tools to keep an eye on malicious attempts and take appropriate action against them.
I use Fail2ban for this, which is one of the best open source tools available for this purpose.
How does it work? Fail2ban monitors logs/files for defined patterns and takes action when the number of matches exceeds the threshold.
Example: Pattern defined: <HOST> - - .*/create-account.html .*
Threshold Definition:
  • Take action if it finds 20 connections within 20 seconds from one IP.
  • Block it for 1800 seconds. This can be set to any other number, or forever.
Actions: Actions like blocking the IP via iptables, denying the host via the hosts.deny file, sending an email notification, etc. can be triggered once IPs/users are caught for malicious activity.

Conclusion
Reach out to people who know about security tools and can help you set these up. Leave the rest to the tools to do their duty; a small effort from every team member will help make the internet world more secure.

Important links:
Fail2ban Installation instructions: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
More Security Tools: https://www.owasp.org/index.php/Tools

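Sample Configurations:

jail.conf:
# Jail: ban an IP after maxretry filter matches within findtime seconds.
# bantime is not set here, so the default applies; set bantime = 1800 for the 1800-second block described above.
[apache-custom-rule]
enabled  = true
action   = iptables-multiport[name=qa, port="http,https"]
filter   = apache-custom-rule
logpath  = /var/log/apache/access.log
maxretry = 20
findtime = 20

iptables-multiport.conf:
# Ban: redirect the banned IP's HTTP/HTTPS traffic to <Your Private IP> via DNAT.
actionban = iptables -t nat -A PREROUTING -p tcp -s <ip> --dport 80 -j DNAT --to <Your Private IP>:80
            iptables -t nat -A PREROUTING -p tcp -s <ip> --dport 443 -j DNAT --to <Your Private IP>:443
# Unban: delete the same two rules.
actionunban = iptables -t nat -D PREROUTING -p tcp -s <ip> --dport 80 -j DNAT --to <Your Private IP>:80
              iptables -t nat -D PREROUTING -p tcp -s <ip> --dport 443 -j DNAT --to <Your Private IP>:443

apache-custom-rule:
# Filter: a log line counts as a failure if it matches either pattern.
failregex = <HOST> - - .*/accounts/u .*
            <HOST> - - .* 403 .*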
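
To see how the filter and thresholds above interact, here is a small simulation of the matching and ban logic over constructed log lines. It is an added example, not fail2ban's own code or code from the original post; the IPv4-only <HOST> group, the function names and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# maxretry/findtime from the jail above; 1800 s is the block time stated in the post.
MAXRETRY, FINDTIME, BANTIME = 20, 20, 1800

# fail2ban expands <HOST> to a host-capturing group; this IPv4-only group is a simplification.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"<HOST> - - .*/accounts/u .*",
    r"<HOST> - - .* 403 .*",
)]
STAMP = re.compile(r"\[([^\]]+)\]")  # Apache timestamp, e.g. [19/Sep/2016:10:00:09 +0000]

def scan(lines):
    """Return {ip: (ban_start, ban_end)} in epoch seconds for each IP that trips the jail."""
    hits, bans = defaultdict(deque), {}
    for line in lines:
        match = next(filter(None, (rx.search(line) for rx in FAILREGEX)), None)
        stamp = STAMP.search(line)
        if not match or not stamp:
            continue  # line is not a failure for this filter
        ip = match.group("host")
        now = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if ip in bans and now < bans[ip][1]:
            continue  # still banned, nothing more to count
        window = hits[ip]
        window.append(now)
        while now - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:  # threshold reached: ban for bantime seconds
            bans[ip] = (now, now + BANTIME)
            window.clear()
    return bans

def sample_log():
    """Constructed access-log lines (documentation-range IPs), not real traffic."""
    fmt = '{ip} - - [19/Sep/2016:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    burst = [fmt.format(ip="203.0.113.7", m=0, s=i // 2, req="POST /accounts/u", st=200)
             for i in range(20)]   # 20 hits in 10 s
    slow = [fmt.format(ip="198.51.100.9", m=5 * i // 60, s=5 * i % 60, req="GET /admin", st=403)
            for i in range(20)]    # 20 hits spread over 95 s
    normal = [fmt.format(ip="192.0.2.20", m=0, s=1, req="GET /index.html", st=200)] * 30
    return burst + slow + normal

if __name__ == "__main__":
    for ip, (start, end) in scan(sample_log()).items():
        print(f"ban {ip} from {start:.0f} until {end:.0f}")
```

Only the burst source is banned: the slow 403 source never has more than five failures inside any 20-second window. Against a real log, the fail2ban-regex tool shipped with fail2ban tests a filter file the same way before the jail is enabled.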

Sunday, December 1, 2013

What the "F" is DevOps?

I recently attended "DevOps Days India" here in Bangalore. Those two days with people who either are in a DevOps role or want to adopt it forced me to rethink: "What the F is DevOps?"

A little background first
This two-day conference had a lot of stuff, but to me it missed the basic concept of DevOps Days, and that was the introduction to DevOps.
To fill that gap I proposed the same topic for the "Open House/Session", and to my surprise a lot of people voted to discuss it :-)

During the Discussion
A lot of people gave their opinion about this; some of them were:
  • DevOps means Developer + Operations. It doesn't contain QA else it should be QAOps.
  • It is a Developer who knows Ops (specifically system administration).
  • It is an Ops guy who knows about Development.
  • The guy who builds and deploys.
  • The guy who sets up tools for daily use.

My Idea about DevOps
DevOps originated from two words: Development (not Developer) and Operations (not sys admin or similar).
Here Development includes any activity done to build the product/service (including QA), and Operations consists of all the activities needed to keep it up and make money out of it.

So in my opinion DevOps is all about solving issues, resolving blame games and bridging gaps between teams.

So in short, it is not a guy or a team and definitely not a tool.
DevOps is a philosophy that anyone in the team can implement. It is about solving any issue using: Processes, Tools or People. It is also about solving the issue for good (not just for now).

A few examples would be:
Issue: Bugs are caught later in the SDLC.
Solution: Introduce CI and SCM tools to get results faster. Introduce an Agile process to make people react faster in case of an issue.
Type: Solved issue with Tools and process.

Issue: Teams have no idea about the other teams' work.
Solution: Get the team working on collaborative development. Get them to work together (maybe in a single room) on a periodic basis. Conduct brown bag sessions, etc.
Type: Solved issue with people and bridging gaps between them.

Issue: Who owns the build failure?
Solution: The CI tool sends the email based on the failure. Example: If the build fails while compiling or test cases fail, then the culprit's email goes to the developer, but in case the test cases have an issue in running, then QA gets the culprit's email.
Type: Solving the blame game.

Then who is a DevOps guy?
I don't believe in such a role, but still, it is a guy who has experience with solving issues, who can look at a problem like a consultant and give a solution without getting stuck in the problem itself.
So in generalised terms:
A DevOps guy is the person responsible for implementing the DevOps philosophy across the organisation.

Tuesday, August 21, 2012

Continuous Delivery WhitePaper


Continuous Delivery in a Nut Shell




Whatever the type or size of the industry, transformation is the key to improvement. Continuous Delivery (aka CD) is emerging as the front runner in the race to transform IT business from “Slow Delivery” to “Quick and Reliable Delivery”. In combination with the right Agile methodology, CD is helping companies reduce the time from planning to production, allowing them to earn cash for their products/services faster and with better margins.

What’s in it for Me?
CD has something for everyone in different teams, products, companies or domains. For engineers in any domain (from textile to software) it means automating the production plan and shipping finished products/services to customers faster and at regular intervals.

CD for Software Development
From a software development perspective, CD is divided into 5 components.
#1: Configuration Management. “Single Source Of Truth”
#2: CI and Build Management. “Early and Often”
#3: Testing. “Early, Repeatable and Ever Improving”
#4: IT and Infrastructure Management. “On-Demand and Scalable”
#5: Release Management. “Ship Right Release at Right Time”

To set things right, CD evolved with 8 basic principles.
Principle #1: The process for releasing/deploying software MUST be repeatable and reliable.
Principle #2: Automate everything possible!
Principle #3: If something is difficult or painful, do it more often.
Principle #4: Keep everything in source control.
Principle #5: Done means “released”.
Principle #6: Build quality in!
Principle #7: Everybody has responsibility for the release process.
Principle #8: Improve continuously.

Summary in a Nut Shell. 




* Special thanks to David Farley & Jez Humble (as some text of this post is sourced from their book "Continuous Delivery")

Good to be Agile


It's been a long time since I wrote any blog post, so now here I am again.
This time I think the best topic to share is working with Agile methodologies.

It's been more than four years now that I have been working with them. Some initial questions may occur in the mind of the reader of this blog.

Questions like:
- What is actually AGILE?
- How can it make my work better?
- What are its pros and cons?
- etc. etc.

By definition, agile means quickly producing something useful and improving it over a period of time to be the best of its type.
But quick doesn't mean forgetting the real iterations required for the process.

I will put an example here:
Suppose you are developing software. Under the waterfall model, we start coding, finish the project over a period of time and pass it to the customers.
But in agile we start coding, get something usable (something like a prototype), pass it to the customers, and then start improving it (taking help from customers' feedback). This ends up in a better end product, as it also includes customers' feedback. And software which has passed through phases like creating a prototype, testing, retrofitting, etc. (real-time iterations) is of greater value to the customer.

There are various Agile methods; our needs define which one will suit us best. Example:
KANBAN: A method for developing products and processes with an emphasis on just-in-time delivery (using the KAN="Visual" BAN="Board" technique) while not overloading the developers. With proper use of Kanban, projects are able to eliminate bottlenecks from any part of the development cycle.

SCRUM: It is an iterative and incremental development process, where effort is tracked by burndown charts (each sprint) and velocity tracking (over many sprints). These metrics help in better, more predictable sprint planning and hence delivering happy faces.

In the Soup


While trying to consolidate all my accounts under one roof, I tried migrating my blogs from my Yahoo ID to my Gmail ID.
But what a mess: I could only migrate the posts and not the profile data. I lost data such as "Since when I have been blogging", etc.

Hoping to get such a feature in blogger.com, which would allow changing the username or the user ID without losing blog stats.