Posted on 2 Comments

Connect to Azure resources with Managed Identity – Azure Web app container example

Managed identity is the recommended way to go when you need to access resources on Azure as they eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

An administrator can locate the managed identity of the resource usually under Settings tab.

When you enable the system assigned identity an object (principal ID) will be created. This is the entity that Azure uses in order to reference this resource when you assign permissions through IAM.

We will examine now how we can use the managed identity in order to get an access_token that can be used to authenticate with Azure resources. In my scenario I have created a simple container that runs powershell (mcr.microsoft.com/powershell) in order to interact with rest-api calls with the azure apis. In order to do so, I got a console on the container running on the app service through the Development tools section under advanced tools

Using the below UI you can get a console of the container.

All resources that support Azure AD authentication, and thus work with managed identity use oauth access tokens for authorization. This means we first need to get a token before we can access resources.

When managed identity is enabled on a app service a local http endpoint that can provide access tokens will be available on the app service. This local http endpoint can only be reached from code running on the app service.

You can locate the http endpoint along with the secret needed by displaying environmental variables. As I used powershell image I had a command line so I pressed

set

The variables that we need are MSI_ENDPOINT which is the same as IDENTITY_ENDPOINT and MSI_SECRET. Using those two variables we can get an access_token and use this token in order to authenticate to azure resources.

In order to interact with the API I used curl. The request URL that should be created is a concatenation of MSI_ENDPOINT and the specific resource category that you want to use (see appendix at the bottom of the article). You should also use the secret inside App service as a header.

Example

curl MSI_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-1 -H "Secret: MSI_SECRET" -v

Using curl we can Identify that the requested has a 200 response code and has been performed correctly.

In order to get the output of the curl command you can use -o argument.

By saving the file as kati.txt we can verify that the access_token is saved on the file under a JSON structure.

Lets now examine how we can perform the same request using powershell. First of all we should navigate in the folder on which powershell is located and execute powershell.exe.

cd windows\system32\windowspowershell\v1.0
powershell.exe

Then we can use Invoke-WebRequest to perform an HTTP call on the same url that we described above.

$kati = Invoke-WebRequest -Uri $env:MSI_ENDPOINT"?resource=https://management.azure.com&api-version=2017-09-01" -Headers @{Secret=$env:MSI_SECRET} -UseBasicParsing | ConvertFrom-Json

You can then use the $kati.access_token in order to Authenticate your Azure API calls.

Azure Resource Manager

https://management.azure.com/
Use this when you want to manage resources. I.e. create, delete, update Azure resources. This is when you would do stuff programmatically that you would otherwise do using Azure CLI or in the portal.

Resources supporting managed identity

If you want to interact with one of the APIs for a specific type of service use the following URIs for the resource parameter.
Keyvault: https://vault.azure.net
Datalake: https://datalake.azure.net/
Azure SQL: https://database.windows.net/
Eventhub: https://eventhubs.azure.net
Service Bus: https://servicebus.azure.net
Storage blobs and queues: https://storage.azure.com/

Links:

Azure Services with managed identities support – Azure AD – Microsoft Entra | Microsoft Docs

References:

Co authored with Giannis Anastasiou @ Vivawallet

Posted on 1 Comment

The ultimate Guide of Security – Infrastructure Web application Hardening

This guide is written in order to help the IT Security Administrators secure their Infrastructure (VM in the cloud or something equivalent) that host web applications. It encloses knowledge that has been gained from multiple penetrations test from different vendors in projects that I have participated. It cannot protect you 100% but is a good and detailed way to start your security hardening.

Table of contents:

  • OS patching
  • Strong passwords and permissions
  • SSL Certificate
  • Install fail2ban
  • Set up firewall
  • Limit ssh access
  • PHP Hardening
  • Apache Hardening

OS patching:
Keep always your OS ( Red Hat Linux or equivalent) up to date with the latest security updates and patches. As a result before starting your installations perform an OS update. It is very important also to keep your Apache and PHP packages patched.

Strong passwords and permissions:
Create strong passwords for your users and add users with separate directories and permissions. Each user should have its own directory to manipulate files and should not have root access. For example if user X should be the application owner, then he should have permissions only to write/upload files in /var/www/application folder and no root permissions.

SSL Certificate:
Install a valid SSL Certificate and redirect all http traffic to https. You can view my blog post on how to install your apache SSL certificate from here. Redirection can be implemented by adding the appropriate rule in your .htaccess file.

Install fail2ban:
Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. You can find it from Github and configure it appropriately.

Set up firewall:
You should consider enabling a firewall for your infrastructure like Cloudflare that enables WAF/DDOS protection actions. You could also enable the build in Linux firewall and set up rules through iptables.

Limit ssh access:
Limit IP addresses that could access your infrastructure server. You could do that by disabling all from /etc/hosts.deny and allow only the IP addresses that you will use in /etc/hosts.allow . As a result you should

/etc/hosts.deny:
sshd : ALL

/etc/hosts.allow:
sshd : YOUR_IPS/24

PHP Hardening:
open_basedir, if set, limits all file operations to the defined directory and below. When a script tries to access the filesystem for example using fsockopen() the location of the file is checked. If the file is outside the defined directory PHP will refuse access.
Set openbasedir to your site directory. For example if your web application is a drupal installed in the directory /var/www/drupal then your openbasedir should be set to include your app directory and every other directory that you want (see below example).

open_basedir = "/home/X/:/var/www/drupal/:/tmp/"

Also you should consider disabling some php functions for security reasons like the below.

disable_functions = phpinfo,exec,shell_exec,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,proc_close,symlink,apache_getenv,apache_get_modules,apache_get_version,apache_lookup_uri,apache_note,apache_request_headers,apache_reset_timeout,apache_response_headers,apache_setenv,closelog,curl_exec,curl_multi_exec,debugger_off,debugger_on,define_syslog_var,define_syslog_variables,diskfreespace,disk_free_space,dl,escapeshellarg,escapeshellcmd,exec,ftok,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,getmypid,getmyuid,highlight_file,ignore_user_abord,ini_alter,ini_get_all,ini_restore,leak,limit,link,listen,mysql_list_dbs,openlog,parse_ini_file,passthru,pclose,pcntl_exec,pg_host,php_uname,popen,posix_access,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_mknod,posix_setegid,posix_seteuid,posix_setgid,posix_setp,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,readfile,readlink,safe_dir,satty,scandir,set_time,set_time_limit,shell_exec,show_source,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,source,symlink,syslog,system,tmpfile,virtual

Disable allow_url_include and allow_url_fopen

allow_url_fopen=Off
allow_url_include=Off

The previous described actions should be applied on /etc/php.ini file.

Some of them may disable your web application behavior so you should check if you need them.

Apache Hardening:


Disable content or MIME sniffing:

Header set X-Content-Type-Options: "nosniff"

Defense from Clickjacking attack:

Header set X-Frame-Options: "sameorigin"

Set Strict-Transport-Security header settings configured for a timespan of 2 years:

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains;"

Add X-XSS-Protection header to prevent some level of XSS:

Header set X-XSS-Protection "1; mode=block"

Add Referrer-Policy header to your webserver:

Header always set Referrer-Policy "same-origin"

Deny TRACE/TRACK requests:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Hide Apache Information:

ServerSignature Off
ServerTokens Prod

Of course there are a lot more things that could be applied for your infrastructure hardening per case. The system Administrator should always be up to date with the security standards and discoveries in order to eliminate risks from malicious unauthorized access.

Posted on Leave a comment

How to center UL with CSS – HTML

Ever wondered how to center a ul with css in a html page ?

<HTML>
<head>

<link rel="stylesheet" type="text/css" href="style.css" />
</head>

<body>

<div id="center">
<ul>
<li>HTML</li>
<li>CSS</li>
<li>JAVASCRIPT</li>
</ul>
</div>

</body>

</html>
ul li 
{
	display: inline;

}

li
{
	color: black;
	font-weight: bold;
	font-size: 30px;
}
#center
{
	text-align: center;
}

And the result

Capture