2022年9月15日木曜日

TLS セキュリティポリシー

クオリス web チェック

$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-FS-2018-06  --output table
$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-TLS-1-2-Ext-2018-06 --output table

$ openssl ciphers -v 'HIGH:!ADH:!MD5;'
$ openssl ciphers -v 'ECDH+AESGCM !aNULL !eNULL !SSLv2 !SSLv3 !CBC'
$ openssl s_client -tls1_2 -connect portal.xxxxx.co.jp:443



sudo pip install --upgrade setuptools
sudo pip install --upgrade sslyze
python -m sslyze --regular www.yahoo.com:443
or sslyze --regular www.yahoo.com:443


【apache httpd セキュリティ設定】
※header内のversionを削除
# vi /etc/httpd/conf.d/security.conf
ServerTokens ProductOnly
ServerSignature Off
Header unset

$ curl -I -s localhost   [--verbose]    # 確認

※ Serverヘッダー削除   apache 2.4以降 完全に消す場合。
yum -y install mod_security mod_security_crs
ServerTokens Full
# vi /etc/httpd/conf.d/mod_security.conf
# SecRuleEngine On
SecServerSignature " "


# curl --head https://portal.cxdnext.co.jp/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
# update-crypto-policies --set LEGACY
※ LEGACY への変更はクライアント側の一時的な回避策で、そのクライアント全体の TLS 要件を緩めてしまう。エラー "dh key too small" の原因はサーバー側の DH 鍵長が短いこと（下記【NG】に見られる "DH 1024 bits" のような状態）なので、根本対策はサーバー側で DH パラメータを更新すること。


※ iconsフォルダーの削除
# cd /etc/httpd/conf.d/
# mv autoindex.conf autoindex.conf.org

URL https://localhost/icons    #確認

※ welcome メッセージの削除
# cd /etc/httpd/conf.d/
# mv welcome.conf welcome.conf.org

【apache 推奨】 ※ 末尾の AES: / CAMELLIA: / DES-CBC3-SHA: は前方秘匿性（FS）のない RSA 鍵交換や 3DES を含むため、下記【NG】のスキャン結果では WEAK 判定となる点に注意。
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA

【nginx 推奨】
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA;

【tomcat 推奨】
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
TLS_ECDHE_RSA_WITH_AES_256_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_128_SHA,
TLS_DHE_DSS_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_256_SHA256,
TLS_DHE_DSS_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_256_SHA"


【NG】 ※ TLS 1.0 / 1.1 が有効、DH 1024 bits、RSA 鍵交換（FS なし）・CBC・3DES のスイートが WEAK 判定となっている例
# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.1 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.0 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112




2022年9月14日水曜日

Django REST 認証 GUI ツール 非表示

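# Expose Django REST Framework's browsable (HTML) API only while DEBUG is on;
# outside of DEBUG the API serves JSON only, so the interactive GUI is hidden.
# Assumes DEBUG and REST_FRAMEWORK are already defined earlier in settings.py.
if DEBUG:
    REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'] = (
        'rest_framework.renderers.JSONRenderer',
        'rest_framework.renderers.BrowsableAPIRenderer',
    )
else:
    REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'] = (
        'rest_framework.renderers.JSONRenderer',
    )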

CentOS7 に最新版のhttpd php を入れる。

【httpd】
CentOS7 標準 : 2.4.6

2.4.54 (最新)

yum install https://repo.ius.io/ius-release-el7.rpm
systemctl stop httpd
yum remove httpd httpd-tools mod_ssl

# vi /etc/yum.repos.d/ius.repo
[ius]
name=IUS Community Packages for Enterprise Linux 7 - $basearch
#baseurl=https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/$basearch
mirrorlist=https://mirrors.iuscommunity.org/mirrorlist?repo=ius-centos7&arch=$basearch&protocol=http

failovermethod=priority

enabled=0    1から0に変更する
 
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/IUS-COMMUN

yum -y install openldap-devel expat-devel libdb-devel mailcap system-logos
yum install --disablerepo=base --disablerepo=updates --enablerepo=ius httpd mod_ssl httpd-devel


【php】
CentOS7 標準:5.4.16
# rpm -qa | grep php
# yum remove php*
# yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
# yum install -y yum-utils
# yum-config-manager --disable 'remi-php*'
# yum-config-manager --enable remi-php80
# yum repolist
# yum update 
# yum install -y php


2022年9月5日月曜日

AWS CLI & CDK

【Rocky linux 2023 にCDKv2環境インストール】
cd /tmp
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
$ vi  .aws/config
$ vi .aws/credentials
$ chmod go-rwx .aws/config
$ chmod go-rwx .aws/credentials


sudo dnf module enable nodejs                                # version指定の場合は、nodejs:22
sudo dnf install -y nodejs
sudo dnf install npm

npm config set proxy http://10.0.19.2:3128
npm config set https-proxy http://10.0.19.2:3128

sudo npm install -g aws-cdk
$ cdk --version
2.171.1 (build a95560c)



#---------------------------------------------------------------------------------------------------------------------
【amazon linux2023 bastionに CDKv2インストール】 20241121
$ su - ec2-user
$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
※ curl | bash はリモートのスクリプトを内容確認なしに実行する。一度ファイルに保存して内容を確認してから実行するのが望ましい（下の amazon linux2 の手順も同様）。
$ source ~/.bashrc
$ nvm install --lts
$ node -e "console.log('Running Node.js ' + process.version)"
$ npm install -g aws-cdk@2.168


【amazon linux2023 ec2にCDKV2 python インストール】 20241107
# dnf -y install nodejs
# npm install -g aws-cdk@2.166      # ( npm install -g aws-cdk )
# cdk --version
# sudo dnf install -y nodejs python3 python3-pip

※ Pythonのバージョンにより、CDKv2がインストールできない。
  aws-cdk 2.166   → Python3.6では、インストールできない。


https://docs.aws.amazon.com/cdk/api/v1/python/index.html

【タイムゾーンと日本語】
$ sudo timedatectl set-timezone Asia/Tokyo
$ sudo timedatectl
$ sudo localectl set-locale LANG=ja_JP.utf8
$ sudo localectl


【CDKインストール】
# dnf remove nodejs npm

# dnf install npm
$ npm install -g n
$ n stable
$ npm install -g aws-cdk

----------------------------------------------------------------------
※ amazon linux2 にnpmをインストールするには、
$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash
$ .   ~/.nvm/nvm.sh                          # .bash_profileに記述
$ nvm install --lts
$  node -v
v16.17.0
$ npm install -g n
$ n stable
$ npm install -g aws-cdk
--------------------------------------------------------------------------

$  cdk --version
2.40.0 (build 56ba2ab)

※ cdk version up
$ npm install -g aws-cdk

$ aws sts get-caller-identity
$ cdk bootstrap aws://99999999999/ap-northeast-1 
    ※ aws://<アカウントID>/<リージョン名>  [ --profile  default ]

$ mkdir cdk-demo
$ cd cdk-demo
$ cdk init  app  --language python     # app template 名
# Useful commands
 *  cdk ls                list all stacks in the app
 * cdk synthesize
 *  cdk synth       emits the synthesized CloudFormation template
 * cdk deploy    deploy this stack to your default AWS account/region
 * cdk diff           compare deployed stack with current state
 * cdk docs        open CDK documentation
* cdk destroy   destroy this stack
* cdk context
* cdk metadata

*
Enjoy!


ERROR: ModuleNotFoundError: No module named 'aws_cdk'
→. ./env
 pip install  aws-cdk-lib

# dnf install python38
# update-alternatives --config python
python3.8を選択

$ python3.8  -m venv  .venv
$ source .venv/bin/activate
$ pip install -r requirements.txt

※ python3.6では、下記エラー発生 ( 3.8はOK)
 ERROR: Could not find a version that satisfies the requirement aws-cdk-lib==2.40.0
$ pip install  aws-cdk-lib
2.23.0がインストールされた。

$ cdk synth


API リファレンス
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-construct-library.html

※ https://github.com/aws-samples/aws-cdk-examples


※ https://atsushinotes.com/deploy_wordpress_cdk_python/2/













cdk init --language typescript

## Useful commands * `npm run build` compile typescript to js * `npm run watch` watch for changes and compile * `npm run test` perform the jest unit tests * `cdk deploy` deploy this stack to your default AWS account/region * `cdk diff` compare deployed stack with current state * `cdk synth` emits the synthesized CloudFormation template

AWS CLI インストール

■AWS CLIv2をインストール
$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$ unzip awscliv2.zip
$ sudo ./aws/install
$ aws configure
AWS Access Key ID [****************RDHF]: 
AWS Secret Access Key [****************UN7j]: 
Default region name [ap-northeast-1]: 
Default output format [json]: 
$ vi  .aws/config
$ vi .aws/credentials

■Session Manager プラグインをインストール
$ sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm

$ aws configure sso 
SSO session name (Recommended): AWS develop environment
SSO start URL [None]: https://d-xxxxxxxxxxxx.awsapps.com/start/#
SSO region [None]: ap-northeast-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.ap-northeast-1.amazonaws.com/

Then enter the code:

XCWJ-BVZG
The only AWS account available to you is: 65xxxxxxx086
Using the account ID 65xxxxxxx086
The only role available to you is: PowerUserAccess
Using the role name "PowerUserAccess"
CLI default client Region [ap-northeast-1]: ap-northeast-1
CLI default output format [None]: json
CLI profile name [PowerUserAccess-xxxxxxxxxxxxxx]:

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile PowerUserAccess-65xxxxxxx086
$ vi ~/.aws/config

$ aws sts get-caller-identity --profile PowerUserAccess-xxxxxxxxxxxxxx

 $ aws ssm start-session --target i-0cbbe303b171e7396 --document-name AWS-StartPortForwardingSession --parameters "portNumber=22, localPortNumber=10022" --profile PowerUserAccess-xxxxxxxxxxxx

aws sso logout
$ aws sso login --profile PowerUserAccess-xxxxxxxxxxxx

 

2022年9月3日土曜日

alternatives --config python pythonバージョン切替

# dnf module  install python36
# dnf module  install python38
# dnf module  install python39


$ update-alternatives --config python
$ sudo alternatives --config python


トラックボール

$ xinput --get-button-map 12 device has no buttons [takahab@rocky92 ~]$ xinput list ⎡ Virtual core pointer                    id=2 [mast...