VSCode Virtual Environments using your Browser

It’s no secret I’m a huge fan of virtual environments and PowerShell. Late last year I wrote a series on Nested Virtual PowerShell Desktop Environments on Windows 10 & Windows Server 2019 in Azure. A lot of the back story for that three-post series was to have virtual environments for PowerShell.

Moving forward six months, I’m at the beginning of the journey towards migrating from PowerShell Desktop to PowerShell Core. The quickest way to get started with PowerShell Core is to use the Windows 10 feature Windows Subsystem for Linux. Of course you should also have made (or be making) the migration from PowerShell ISE to VSCode.

So what if you could have Virtual VSCode environments accessible via a browser as your IDE for building and using PowerShell Core? Well you can.

Here is VSCode running a PowerShell Core command via a browser from a Ubuntu based Windows Subsystem for Linux environment in a Windows 10 Virtual Machine running in Azure.

Powershell Core on Linux on Windows via VSCode in Browser.PNG

Prerequisites

A key component of this magic is Code Server. Code Server is an open source self-contained environment for VSCode designed to offload the IDE from lower powered environments (tablets, Chromebooks etc) and is currently supported on Linux and Mac (OSX) with Windows coming soon.

If you have an environment with either of those then all good, as you were. If you only have Windows, then on Windows 10 install Windows Subsystem for Linux via the Microsoft Store app. My Windows Subsystem for Linux flavour is Ubuntu.

WSL Ubuntu.PNG

Code Server

Download Code Server from the GitHub Releases page here and save it to your local machine. Running Ubuntu, I downloaded the Linux binary. Untar it using

tar -xf yourDownloadedversion.tar.gz

Untar Code Server

Change into the extracted directory containing the code-server executable and run code-server

./code-server

Take note of the password as you will need this when you connect to Code Server via your browser.

Start Code Server

If the host you are running Code Server on is remote (as mine is, in Azure) make sure you have networking configured for the default port (8443). I had to update my NSG for the inbound port 8443.

Note: this isn’t a normal configuration, allowing source Any for incoming ports. I have this locked down to the necessary source IPs (but I’m not going to show them here).

Inbound Security Rules.PNG

Then in your browser you can hit your host on port 8443 and provide the password that was displayed when starting Code Server. You will then have VSCode running in essentially a virtual environment accessible via a browser.

VSCode running in a Browser

PowerShell Core

My Windows Subsystem for Linux Ubuntu version is currently 18.04, and I had already downloaded and installed PowerShell Core for Ubuntu 18.04.

lsb_release -a

Installation Instructions are here

Ubuntu Windows Subsystem for Linux Version.PNG

Install the PowerShell VSCode Extension along with any of the other extensions you regularly use. BOOM, you now have a virtual VSCode environment for use with PowerShell Core on Linux (in my case Ubuntu under Windows 10).

PowerShell VSCode Extension

Summary

What a crazy time to be in the IT industry. Nested disparate operating systems running IDEs in browsers executing cross-platform scripting languages. Wow.

To run multiple sessions on the same host, use the -p (port) option to specify a different port for each instance.

Code Server specifying Port.PNG
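Because the binary is downloaded from a release page and then run as your user (with a port opened to it through the NSG), it is worth checking the tarball against a known SHA-256 before unpacking it. The script below is an added example, not code from this post or from the Code Server project: it verifies the download, unpacks it, and starts it with the -p port option described above. The tarball name, checksum and destination directory are placeholders you fill in from the release page (or a digest computed on a machine you trust).

```shell
#!/bin/sh
# Verify, unpack and start a Code Server release tarball.
# Added example; not from the original post or the Code Server project.
# All release file names and checksums below are placeholders.

# Print the hex SHA-256 of a file (GNU coreutils sha256sum, or BSD shasum).
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } \
        | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 only when the digest matches.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# extract_release TARBALL DEST -> unpacks into DEST and prints the path of the
# code-server executable it contains (the release ships it inside a directory).
extract_release() {
    mkdir -p "$2" && tar -xf "$1" -C "$2" || return 1
    bin=$(find "$2" -type f -name code-server | head -n 1)
    [ -n "$bin" ] || { echo "no code-server executable found in $1" >&2; return 1; }
    chmod u+x "$bin"
    echo "$bin"
}

# run_code_server TARBALL EXPECTED_SHA256 DEST PORT
# Refuses to unpack or run anything whose checksum does not match. -p is the
# listening port, so each extra session on the same host gets its own port.
run_code_server() {
    verify_sha256 "$1" "$2" || return 1
    bin=$(extract_release "$1" "$3") || return 1
    cd "$(dirname "$bin")" && exec ./code-server -p "$4"
}

# Usage (placeholder values):
#   sh get_code_server.sh code-server-VERSION-linux-x64.tar.gz EXPECTED_SHA256 "$HOME/code-server" 8443
if [ "$#" -eq 4 ]; then
    run_code_server "$@"
fi
```

Take note of the password printed at start-up exactly as described above; the checksum step only protects you from a tampered or truncated download, not from a weak password on an internet-facing port, so keep the NSG source restriction in place as well.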

Getting started with Ubuntu on Windows (Windows Subsystem for Linux)

This week I was building a Linux server (Ubuntu 14) in Azure. I’d deployed my new Ubuntu server and went to connect to it. But I was on a brand new laptop. No tools with SSH installed. Damn. As I was about to go and get my usual Windows favourite SSH tools, I remembered a session from Build 2017 and Microsoft starting to talk more loudly about Windows Subsystem for Linux. Yes, Ubuntu on Windows, with SUSE and Fedora coming soon. TechCrunch story here.
Now it is still listed as Beta, but the changes appear to be coming pretty fast. I figured it should have more than enough for what I needed, and I could hopefully avoid having to install other 3rd party tools and maybe even finally say goodbye to Cygwin. So I dove in, and here is my quick-start guide to get you started.

Prerequisite

Your computer must be running (at a minimum) a 64-bit version of Windows 10 Anniversary Update, OS build 14393.

Installing Windows Subsystem for Linux

To configure your Windows 10 machine to accept WSL go to Windows => Settings and select Update & Security.

Select For developers and enable Developer Mode.

Agree to the warning.

Now open Turn Windows Features on or off and select the checkbox for Windows Subsystem for Linux 

Restart your workstation

After the restart, from an elevated command prompt type bash to attempt to start a Bash shell. As it is the first time, you will be prompted to install Ubuntu.

Following installation you will be prompted to create a Linux User. This is purely for the Linux environment so does not have anything to do with your Windows Login and Password.

Using SSH from WSL

Now that I have a bash shell on my Windows laptop, let’s use SSH to connect to my new Ubuntu server.

And I’m in. Happy days.

Ubuntu security hardening for the cloud

Hardening Ubuntu Server Security For Use in the Cloud

The following describes a few simple means of improving Ubuntu Server security for use in the cloud. Many of the optimizations discussed below apply equally to other Linux based distributions, although the commands and settings will vary somewhat.

Azure cloud specific recommendations

  1. Use private key and certificate based SSH authentication exclusively and never use passwords.
  2. Never employ common usernames such as root, admin or administrator.
  3. Change the default public SSH port away from 22.

AWS cloud specific recommendations

AWS makes available a small list of recommendations for securing Linux in their cloud security whitepaper.

Ubuntu / Linux specific recommendations

1. Disable the use of all insecure protocols (FTP, Telnet, RSH and HTTP) and replace them with their encrypted counterparts such as SFTP, SSH, SCP and HTTPS

sudo apt-get remove openbsd-inetd xinetd nis tftpd-hpa telnetd rsh-server   # Ubuntu / Debian package names
sudo yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server     # Red Hat / CentOS equivalent

2. Uninstall all unnecessary packages

dpkg --get-selections | grep -v deinstall   # list every installed package
dpkg --get-selections | grep postgres       # check whether a particular package is installed
sudo apt-get remove packageName             # (on Red Hat / CentOS: yum remove packageName)

For more information: http://askubuntu.com/questions/17823/how-to-list-all-installed-packages
3. Run the most recent kernel version available for your distribution

For more information: https://wiki.ubuntu.com/Kernel/LTSEnablementStack

4. Disable root SSH shell access
Open the following file…

sudo vim /etc/ssh/sshd_config

… then change the following value to no.

PermitRootLogin yes

For more information: http://askubuntu.com/questions/27559/how-do-i-disable-remote-ssh-login-as-root-from-a-server
5. Grant shell access to as few users as possible and limit their permissions

Limiting shell access is an important means of securing a system. Shell access is inherently dangerous because of the risk of unlawful privilege escalation, as with any operating system; stolen credentials are a concern too.
Open the following file…

sudo vim /etc/ssh/sshd_config

… then add an AllowUsers entry listing each user to be allowed (names are separated by spaces, not commas).

AllowUsers jim tom sally

For more information: http://www.cyberciti.biz/faq/howto-limit-what-users-can-log-onto-system-via-ssh/
6. Limit or change the IP addresses SSH listens on
Open the following file…

sudo vim /etc/ssh/sshd_config

… then add the following.

ListenAddress <IP ADDRESS>

For more information:
http://askubuntu.com/questions/82280/how-do-i-get-ssh-to-listen-on-a-new-ip-without-restarting-the-machine
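Items 1, 3, 4, 5 and 6 all end up as directives in /etc/ssh/sshd_config, and a single typo there locks you out. The POSIX shell script below is an added example (not from the article) that reads an sshd_config and reports which of those items it contradicts, including the easy-to-miss mistake of separating AllowUsers names with commas. The two sample configs it writes are constructed for the demonstration; nothing here touches the real file.

```shell
#!/bin/sh
# audit_sshd.sh: check an sshd_config against items 1 and 3-6 above.
# Added example, not from the original article. Sample configs are constructed.

# sshd_get FILE DIRECTIVE -> prints the effective value. sshd uses the first
# occurrence of a directive, and directives after a "Match" line are
# conditional, so we stop at the first hit or the first Match line.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }
        tolower($1) == tolower(key)          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 when no FAIL was raised.
audit_sshd() {
    cfg=$1; rc=0
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=${v:-<unset>} (item 1: keys only)"; rc=1; }
    v=$(sshd_get "$cfg" Port)
    [ -n "$v" ] && [ "$v" != 22 ] || echo "WARN Port=${v:-22} (item 3: move off the default port)"
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-<unset>} (item 4: must be no)"; rc=1; }
    v=$(sshd_get "$cfg" AllowUsers)
    if [ -z "$v" ]; then
        echo "FAIL AllowUsers unset: every account with a shell can log in (item 5)"; rc=1
    elif printf '%s' "$v" | grep -q ','; then
        echo "FAIL AllowUsers '$v' is comma-separated; sshd expects space-separated names (item 5)"; rc=1
    fi
    v=$(sshd_get "$cfg" ListenAddress)
    [ -n "$v" ] || echo "WARN ListenAddress unset: sshd listens on every interface (item 6)"
    return $rc
}

# write_sample_configs DIR -> two constructed configs for the demonstration.
write_sample_configs() {
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: hardened
Port 2222
ListenAddress 10.0.0.4
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jim tom sally
EOF
    cat > "$1/default.conf" <<'EOF'
# constructed sample: stock-like settings plus the comma mistake
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers jim,tom,sally
EOF
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "== hardened.conf =="; audit_sshd "$demo_dir/hardened.conf" || true
echo "== default.conf ==";  audit_sshd "$demo_dir/default.conf"  || true
rm -rf "$demo_dir"
```

Run it as `sh audit_sshd.sh` to see the two samples, or source it and call `audit_sshd /etc/ssh/sshd_config` on a real host. After editing the real file, check the syntax with `sudo sshd -t`, keep your current session open, and confirm a fresh login from a second terminal before you close it.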
7. Restrict all forms of access to the host by individual IPs or address ranges
TCP wrapper based access lists can be included in the following files.

/etc/hosts.allow
/etc/hosts.deny

Note: Any changes to your hosts.allow and hosts.deny files take immediate effect, no restarts are needed.
Patterns

ALL : 123.12.

Would match all hosts in the 123.12.0.0 network.

ALL : 192.168.0.1/255.255.255.0

An IP address and subnet mask can be used in a rule.

sshd : /etc/sshd.deny

If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the file sshd.deny for all SSH connections.

sshd : ALL EXCEPT 192.168.0.15

Placed in hosts.deny, this will allow SSH connections only from the machine with IP address 192.168.0.15 and block all other connection attempts. You can use the options allow or deny to allow or restrict access on a per-client basis in either of the files.

in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow

Warning: While restricting system shell access by IP address, be very careful not to lose access to the system by locking the administrative user out!
For more information: https://debian-administration.org/article/87/Keeping_SSH_access_secure
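The warning above is easiest to honour by evaluating the rules before you save them. The script below is an added example (not from the article): a small dry-run evaluator, in POSIX shell, for the pattern forms shown above (ALL, a dotted network prefix, address/netmask, ALL EXCEPT, and the per-rule allow/deny option) that applies the TCP wrapper order of hosts.allow first, hosts.deny second, first match wins, no match means allow. The two rule files it writes are constructed samples; for hostnames, IPv6 or file-based client lists use the real tcpdmatch(8) instead.

```shell
#!/bin/sh
# tcpwrap_check.sh: dry-run evaluation of hosts.allow / hosts.deny rules.
# Added example, not from the original article. Handles ALL, dotted prefixes
# ("123.12."), address/netmask, "ALL EXCEPT ..." and the allow/deny option.
# Hostnames, IPv6 and "/filename" lists are not handled; use tcpdmatch(8).

# ip_to_int 192.168.0.15 -> 32-bit integer (subshell body keeps IFS local)
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# match_client PATTERN IP -> 0 if a single pattern matches the address
match_client() {
    case "$1" in
        ALL) return 0 ;;
        */*)                                   # address/netmask form
            m=$(ip_to_int "${1#*/}")
            [ $(( $(ip_to_int "$2") & m )) -eq $(( $(ip_to_int "${1%/*}") & m )) ] ;;
        *.)                                    # trailing dot: network prefix
            case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)  [ "$2" = "$1" ] ;;                 # exact address
    esac
}

# match_list "LIST" IP -> handles "ALL EXCEPT x" and comma/space separated lists
match_list() {
    case "$1" in
        "ALL EXCEPT "*)
            if match_list "${1#ALL EXCEPT }" "$2"; then return 1; else return 0; fi ;;
    esac
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        match_client "$p" "$2" && return 0
    done
    return 1
}

# rule_lookup FILE SERVICE IP -> prints the first matching rule's option
# ("allow", "deny", or "match" when none was given); returns 1 if nothing matches
rule_lookup() {
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr '\t' ' ')
        [ -z "$(printf '%s' "$line" | tr -d ' ')" ] && continue
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | sed 's/^ *//; s/ *$//')
        opt=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        hit=1
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] && hit=0
        done
        [ $hit -eq 0 ] || continue
        match_list "$clients" "$3" || continue
        echo "${opt:-match}"; return 0
    done < "$1"
    return 1
}

# check_access ALLOW_FILE DENY_FILE SERVICE IP -> prints allow/deny, returns 0 on allow
check_access() {
    if opt=$(rule_lookup "$1" "$3" "$4"); then
        verdict=allow; [ "$opt" = deny ] && verdict=deny
    elif opt=$(rule_lookup "$2" "$3" "$4"); then
        verdict=deny;  [ "$opt" = allow ] && verdict=allow
    else
        verdict=allow                          # matched neither file
    fi
    echo "$verdict"; [ "$verdict" = allow ]
}

# write_sample_rules DIR -> constructed hosts.allow / hosts.deny for the demo
write_sample_rules() {
    printf '%s\n' 'sshd : 123.12.' 'in.telnetd : 192.168.5.6 : allow' > "$1/hosts.allow"
    printf '%s\n' 'sshd : ALL EXCEPT 192.168.0.15' 'in.telnetd : 192.168.5.5 : deny' > "$1/hosts.deny"
}

demo=$(mktemp -d); write_sample_rules "$demo"
for c in 123.12.4.5 192.168.0.15 10.1.1.1; do
    echo "sshd from $c: $(check_access "$demo/hosts.allow" "$demo/hosts.deny" sshd "$c")"
done
rm -rf "$demo"
```

Before replacing a real hosts.deny, point check_access at the candidate files with your own administrative address: if it prints deny for sshd, you are about to lock yourself out. Note also that a client matching neither file is allowed; the samples deliberately omit a final `ALL : ALL` in hosts.deny so that default shows up.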
8. Check listening network ports
Check listening ports and uninstall or disable all unessential or insecure protocols and daemons.

netstat -tulpn
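Reading that output by eye scales badly, so here is an added example (not from the article) that turns the check into a filter: it reads `netstat -tulpn` output, ignores sockets bound to loopback or a single address, and reports every TCP/UDP listener bound to all interfaces whose port is not on an approved list. The netstat lines embedded in the script are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# exposed_ports.sh: flag listeners bound to every interface that are not on
# an approved port list. Added example, not from the original article; the
# netstat output below is constructed for the demonstration.

# flag_exposed "PORT PORT ..." < netstat-output -> prints "proto port program"
# for every TCP/UDP socket bound to a wildcard address (0.0.0.0, :: or *)
# whose port is not approved. Loopback or single-address binds are skipped.
flag_exposed() {
    awk -v allowed=" $1 " '
        $1 !~ /^(tcp|udp)6?$/ { next }                     # header and non-socket lines
        {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::" && host != "*") next
            if (index(allowed, " " port " ") > 0) next
            prog = $NF; sub(/^[0-9]+\//, "", prog)        # "812/sshd" -> "sshd"
            print $1, port, prog
        }'
}

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1203/postgres
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1340/inetd
tcp6       0      0 :::8443                 :::*                    LISTEN      2210/node
udp        0      0 0.0.0.0:69              0.0.0.0:*                           1401/in.tftpd'

# scan_sample -> runs the check over the sample with SSH (22) and the Code
# Server port (8443) approved; telnet (23) and tftp (69) should be reported.
scan_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_exposed "22 8443"
}

scan_sample
```

On a live host run `sudo netstat -tulpn | flag_exposed "22 443"` with your own approved ports (root is needed for netstat to show the program name). Anything reported is a candidate for item 1 or item 2 above, or for rebinding to 127.0.0.1 if it only serves local clients.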

9. Install Fail2ban
Fail2ban is a means of dealing with unwanted access attempts over any protocol against a Linux host. It uses rule sets to automatically ban, for a configurable length of time, source IPs that exhibit configurable activity patterns such as spam, (D)DoS or brute-force attacks.
“Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.” – Wikipedia
For more information: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
10. Improve the robustness of TCP/IP
Create a sysctl drop-in file to harden your networking configuration…

sudo vim /etc/sysctl.d/10-network-security.conf

… with the following contents.

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

And load the new settings as follows.

sudo service procps start

For more information: https://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/
11. If you are serving web traffic install mod-security

Web application firewalls can be helpful in warning of and fending off a range of attack vectors including SQL injection, (D)DOS, cross-site scripting (XSS) and many others.

“ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.”
For more information: https://modsecurity.org/
12. Install a firewall such as IPtables
IPtables is a highly configurable and very powerful Linux firewall which has a great deal to offer in terms of bolstering host-based security.
“iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.” – Wikipedia.
For more information: https://help.ubuntu.com/community/IptablesHowTo
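To make items 3, 6, 7 and 12 concrete, here is an added example (not from the article) in POSIX shell that generates a host firewall in iptables-restore format: default-deny inbound, loopback and established traffic allowed, SSH on the non-default port accepted only from the administrative address range, optional web ports, and a rate-limited LOG rule so dropped packets show up in syslog. The address range and ports are sample values; apply_rules is only run when you call it explicitly.

```shell
#!/bin/sh
# build_rules: emit a host firewall ruleset in iptables-restore format that
# follows items 3, 6/7 and 12 above. Added example, not from the original
# article; 203.0.113.0/24 and 2222 are sample values, not real addresses.

# build_rules ADMIN_CIDR SSH_PORT [WEB_PORTS...] -> prints the ruleset
build_rules() {
    admin=$1; ssh_port=$2; shift 2
    case "$admin" in */*) ;; *) echo "ADMIN_CIDR must be a.b.c.d/len" >&2; return 1 ;; esac
    case "$ssh_port" in ''|*[!0-9]*) echo "SSH_PORT must be numeric" >&2; return 1 ;; esac
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || { echo "SSH_PORT out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $admin --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in "$@"; do                       # public services, if any
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# apply_rules ADMIN_CIDR SSH_PORT [WEB_PORTS...] -> parse-checks, then loads
# the whole ruleset atomically. Keep an existing SSH session open while you
# do this and test a fresh login from the admin range before closing it.
apply_rules() {
    f=$(mktemp) || return 1
    build_rules "$@" > "$f" || { rm -f "$f"; return 1; }
    iptables-restore --test < "$f" || { rm -f "$f"; return 1; }   # parse only, no commit
    iptables-restore < "$f"
    rm -f "$f"
    # To survive a reboot: install iptables-persistent and save to /etc/iptables/rules.v4
}

# Print the sample ruleset when run directly.
build_rules 203.0.113.0/24 2222 80 443
```

The sysctl settings in item 10 already ignore pings, so no ICMP rule is included; add one if your monitoring relies on ping. The `-s` restriction on the SSH rule is the iptables equivalent of the hosts.allow entries in item 7, and the two can be used together.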
13. Keep all packages up to date at all times and install security updates as soon as possible

 sudo apt-get update        # Fetches the list of available updates
 sudo apt-get upgrade       # Strictly upgrades the currently installed packages
 sudo apt-get dist-upgrade  # Also installs or removes packages as needed to satisfy new dependencies

14. Install multifactor authentication for shell access

Nowadays it’s possible to use multi-factor authentication for shell access thanks to Google Authenticator.
For more information: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04
15. Add a second level of authentication behind every web based login page
Stolen passwords are a common problem, whether as a result of a vulnerable web application, an SQL injection, a compromised end user computer or something else altogether. Adding a second layer of protection using .htaccess authentication, with credentials stored on the filesystem rather than in a database, is great added security.
For more information: http://stackoverflow.com/questions/6441578/how-secure-is-htaccess-password-protection

Performance Tuning Ubuntu Server For Use in Azure cloud

The following describes how to performance tune Ubuntu Server virtual machines for use in Azure. Although this article focuses on Ubuntu Server, because it is better established in Azure at this time, it is worth mentioning that Debian offers better performance and stability overall, albeit at the cost of some of the more recent functionality available in Ubuntu. Regardless, many of the optimizations discussed below apply equally to both, although commands and settings may vary occasionally.

Best practice recommendations from Microsoft.

  1. Don’t use the OS disk for other workloads.
  2. Use a 1TB disk minimum for all data workloads.
  3. Use storage accounts in the same datacenter as your virtual machines.
  4. In need of additional IOPs? Add more, not bigger disks.
  5. Limit the number of disks in a storage account to no more than 40.
  6. Use Premium storage for blobs backed by SSDs where necessary.
  7. Disable ‘barriers’ for all premium disks using ‘Readonly’ or ‘None’ caching.
  8. Storage accounts have a limit of 20K IOPs and 500TB capacity.
  9. Enable ‘Read’ caching for small read datasets only, disable it if not.
  10. Don’t store your Linux swapfile on the temporary drive provided by default.
  11. Use EXT4 filesystem.
  12. In Azure IOPs are throttled according to VM size so choose accordingly.

Linux specific optimisations you might also consider.

1. Decrease memory ‘swappiness’ and increase inode caching:

# tee runs under sudo; a plain "sudo echo ... >> /etc/sysctl.conf" redirects as the unprivileged user and fails
echo vm.swappiness=10 | sudo tee -a /etc/sysctl.conf
echo vm.vfs_cache_pressure=50 | sudo tee -a /etc/sysctl.conf

For more information: http://askubuntu.com/questions/184217/why-most-people-recommend-to-reduce-swappiness-to-10-20

2. Disable CPU scaling / run at maximum frequency all the time:

sudo chmod -x /etc/init.d/ondemand

For more information: http://askubuntu.com/questions/523640/how-i-can-disable-cpu-frequency-scaling-and-set-the-system-to-performance

3. Mount all disks with ‘noatime’ and ‘nobarrier’ (see above) options:

sudo vim /etc/fstab

Add ‘noatime,nobarrier’ to the mount options of all disks.

For more information: https://wiki.archlinux.org/index.php/fstab

4. Upgrade to a more recent Ubuntu kernel image and remove the old:

sudo aptitude update
sudo aptitude search linux-image
sudo aptitude install -y linux-image-4.4.0-28-generic
sudo aptitude remove -y linux-image-3.19.0-65-generic

In the example above the latest available kernel version is ‘linux-image-4.4.0-28-generic’ and the version currently installed was ‘linux-image-3.19.0-65-generic’, but these will change of course.

5. Change IO scheduler to something more suited to SSDs (i.e. deadline):

Edit the grub defaults file.

sudo vim /etc/default/grub

Change the following line from

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash elevator=deadline"

Then run

sudo update-grub2

For more information: http://stackoverflow.com/questions/1009577/selecting-a-linux-i-o-scheduler

6. Mount a suitably sized data disk:

First start by creating a new 1TB disk using the Azure CLI.

https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-classic-attach-disk/

Partition the new disk and format it in ext4 using the following script (it creates one primary partition spanning the disk and formats that partition, /dev/sdc1, which is what gets mounted below).

#!/bin/sh
hdd="/dev/sdc"
for i in $hdd; do
    # fdisk answers: n (new), p (primary), 1 (number), default first and last sector, w (write)
    printf 'n\np\n1\n\n\nw\n' | sudo fdisk "$i"
    sudo mkfs.ext4 "${i}1"
done

Mount the disk.

sudo mkdir -p /mnt/data
sudo mount -t ext4 /dev/sdc1 /mnt/data

Obtain the UUID of the newly mounted filesystem (it belongs to the partition, not the whole disk).

sudo blkid /dev/sdc1

Add the following to /etc/fstab (the mount point is /mnt/data, not /).

UUID=<NEW DISK UUID>   /mnt/data   ext4   noatime,defaults,discard   0 0

7. Add a swap file:

sudo dd if=/dev/zero of=/mnt/data/swapfile bs=1G count=32
sudo chmod 600 /mnt/data/swapfile
sudo mkswap /mnt/data/swapfile
sudo swapon /mnt/data/swapfile
echo "/mnt/data/swapfile   none    swap    sw    0   0" | sudo tee -a /etc/fstab

8. Enable Linux Kernel TRIM support for SSD drives:

sudo sed -i 's/exec fstrim-all/exec fstrim-all --no-model-check/g' /etc/cron.weekly/fstrim

For more information: https://www.leaseweb.com/labs/2013/12/ubuntu-14-04-lts-supports-trim-ssd-drives/

Deploy Hardened HA-Proxy Azure VM from VM Depot (Microsoft Open Technologies)

In this post, we will discuss how to deploy VM images developed by the community from VM Depot (Microsoft Open Technologies).

Microsoft Azure Cross Platform Command Line (X-Plat CLI)

I blogged about the Microsoft Azure Cross Platform Command Line previously. This post will continue to explore Microsoft’s dedication to open-source technologies.

Firstly, let’s quickly prepare our tools to run the Azure X-Plat CLI:

1. I am using my Windows machine. I run my Azure Command Prompt, or you can use node.js on Windows as Administrator.

2. Install the Azure tools, if you have not already, using NPM (Node Package Manager):

  • npm install azure-cli --global

xplat1

Let’s test it by typing the command: azure

xplat2

Hooray! If you look back at my previous blog, Microsoft changed the banner from “Windows Azure: Microsoft’s Cloud Platform” to “Microsoft Azure: Microsoft’s Cloud Platform”. Next, download your Azure account publish settings, if you have not already, by executing:

  • azure account download

Import the *.publishsettings file you downloaded using:

  • azure account import <file>.publishsettings

Delete the *.publishsettings file after importing it. It is also always a good habit to set the default subscription before running any script, to avoid an awkward deployment to the wrong subscription:

  • azure account set <subscription>

xplat3

Deploy VM using VM Depot Community Image

Next we go to VM Depot to look for Image we will deploy to our Azure subscription.

The HA-Proxy 1.4.18 on Hardened Ubuntu 12.04 LTS image is available there! The best part is that the image has been tweaked and hardened. HA-Proxy provides reliable layer 7 load balancing, which is a nice option to have alongside the Azure ILB (Internal Load Balancer).

nixha1

Now how do we deploy this image?
In this post we will try the deployment script method.

Click the deployment script icon on the page to get the script that deploys this image:

nixha3

Let’s modify the script by changing DNS_PREFIX to our service name, USER_NAME to the admin user name, and PASSWORD to the admin user’s password (a strong, complex 8-character password is required).

Run the script above:

nixha2

Let’s jump to our good friend Mr. PowerShell and run the Get-AzureVM command to confirm:

kloudhaproxy001

And that’s it! We can SSH to our hardened HAProxy Azure VM from VM Depot.