JFrog Artifactory high availability and maintenance

We are using a JFrog Artifactory self-hosted instance with a license for our project, and many customers are using it for their package and binary management.
Since this is hosted in our private self-hosted environment on a Linux platform, we regularly need a maintenance window at least 2 times a month to apply patches to our servers. So we are considering high availability for our currently running JFrog instance, which should resolve this downtime during maintenance. We are also looking for some better management scenarios as below and couldn't find any helpful guidance in the docs.
How can the JFrog server instance service status be monitored, along with auto restart if the service is in a failed state after a server reboot?
Is there any way to set and populate a notification message to the customers regarding the scheduled maintenance?
How can we enable high availability for JFrog Artifactory and Xray?

Here are some of the workarounds you can follow to mitigate the situation.
To monitor the health of the JFrog services you can use the below REST API:
curl -u '<user>:<password>' -XGET 'http://<Art_IP>:8046/router/api/v1/topology/health' -H 'Content-Type: application/json'
If you are looking for a more lightweight check you can use:
curl -u '<user>:<password>' -XGET 'http://<Art_IP>:8081/artifactory/api/system/ping'
By default, the systemctl scripts check for the availability of the services and restart them when they see a failure. The same applies to a system restart as well.
There is no option for a pop-up message; however, you can set a custom message as a banner in Artifactory. Navigate to Administration -> General settings -> Customer message. Here is the wiki link
When you add another node to the mix, Artifactory/Xray becomes a cluster to balance the load (or as a failover); however, it is the responsibility of the load balancer/reverse proxy to manage the traffic between the cluster nodes according to the availability of the backend nodes.
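The two endpoints from the answer, turned into a maintenance-window gate. This is an added example, not JFrog's code: it classifies the ping and router topology responses, and (with ART_LIVE=1) queries a node and checks the systemd unit state. ART_HOST, ART_USER, ART_PASS, the unit name artifactory.service and the "state" field layout of the router response are assumptions to verify against your own instance.

```shell
#!/bin/sh
# Added example, not JFrog's code: a pre- and post-maintenance health probe for
# a self-hosted Artifactory node, built on the two endpoints quoted above.
# ART_HOST, ART_USER and ART_PASS are assumed names; set them for your site.
# Run with ART_LIVE=1 to actually query the node; without it only the
# classifiers are defined, so the file can be sourced by other scripts.

ART_HOST="${ART_HOST:-artifactory.example.internal}"
ART_USER="${ART_USER:-admin}"
ART_PASS="${ART_PASS:-changeme}"

# classify_ping HTTP_CODE BODY
# /artifactory/api/system/ping answers 200 with the literal body "OK" when the
# application is up. Anything else (503 during startup, an HTML error page
# from the reverse proxy, an empty body on timeout) counts as unhealthy.
classify_ping() {
  if [ "$1" = "200" ] && [ "$2" = "OK" ]; then
    echo healthy
    return 0
  fi
  echo unhealthy
  return 1
}

# classify_topology JSON
# /router/api/v1/topology/health lists the router and every registered
# microservice (jfrt, jfxr, ...) with a "state" field; the node is only
# usable when all of them are HEALTHY. The field name is taken from a sample
# router response (assumption: verify against your own instance).
classify_topology() {
  states=$(printf '%s' "$1" \
    | grep -o '"state" *: *"[A-Z_]*"' \
    | grep -o '"[A-Z_]*"$' \
    | tr -d '"')
  if [ -z "$states" ]; then
    echo unknown   # no state fields at all: wrong port, auth failure, HTML error page
    return 2
  fi
  for s in $states; do
    if [ "$s" != "HEALTHY" ]; then
      echo "unhealthy:$s"
      return 1
    fi
  done
  echo healthy
  return 0
}

# probe_live: query both endpoints and fail on the first problem. Use it as a
# gate before draining a node from the load balancer and again before adding
# it back after the patch window.
probe_live() {
  ping_out=$(curl -s -m 10 -u "$ART_USER:$ART_PASS" -w '\n%{http_code}' \
    "http://$ART_HOST:8081/artifactory/api/system/ping")
  code=$(printf '%s' "$ping_out" | tail -n 1)
  body=$(printf '%s' "$ping_out" | sed '$d')
  ping_result=$(classify_ping "$code" "$body")
  echo "ping: $ping_result"
  [ "$ping_result" = healthy ] || return 1
  topo=$(curl -s -m 10 -u "$ART_USER:$ART_PASS" -H 'Content-Type: application/json' \
    "http://$ART_HOST:8046/router/api/v1/topology/health")
  topo_result=$(classify_topology "$topo")
  echo "topology: $topo_result"
  [ "$topo_result" = healthy ]
}

if [ "${ART_LIVE:-0}" = "1" ]; then
  probe_live
  # Confirm the unit systemd will bring back after a reboot is the one just
  # probed (artifactory.service is the installer default; adjust if yours
  # was registered under another name).
  systemctl is-enabled artifactory.service
  systemctl is-active artifactory.service
fi
```

The ping check is cheap enough for a load balancer health check every few seconds; the topology check is the one to run by hand before and after patching, because a node whose Artifactory answers "OK" can still have Xray or the access service down.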

How to limit/disable the upload on the network

I wish to make a secure environment and to block uploading to any destination on the Internet. How can I achieve that using pfSense?
Is pfSense the right tool for it?
I tried to limit the upload to 8 bits per second and I cannot download right now (it also got limited).
Can Squid be a good solution for what I am searching for?
P.S. I still want to download files via git, http, https, ssh; for example, "yarn install" and "composer install" should work.
The goal is to block the upload of files outside from the pfSense.
In short, you can't do it with stock pfSense.
You'll need a firewall which can inspect SSL and SSH.
You can run the Squid proxy on pfSense, and that can SSL-bump, which can be used to inspect HTTPS traffic; with Squid you can block file upload for HTTP (and HTTPS with SSL bump).
If you want to inspect SSH and limit file upload via SSH,
you'll need a Palo Alto or a Fortigate or another next-gen firewall which can inspect SSH.
tl;dr: You can't! But you can use trickle.
Explanation
Since every time we create a TCP session we upload data to the internet, and it doesn't matter if it's a 3-way handshake, an HTTP request or posting a file to a server, you cannot have the ability to create a session without being able to upload data to the internet. What you can do is limit the bandwidth per application.
Workaround 1
You can use trickle.
sudo apt-get install trickle
You can limit upload/download for a specific app by running
trickle -u <upload limit in KB/s> -d <download limit in KB/s> <application>
This way you can limit HTTP/other applications, while still being able to use git.
Workaround 2
Another way is to deny all applications from accessing the internet, and allow only applications by exception.
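Workaround 2 made concrete on a Linux host, as an added example that is not from either answer above: an egress allowlist built with iptables' owner match, so that only processes running as named Unix users (the account you run git, yarn and composer under) may open outbound connections, and everything else is logged and rejected. The chain name EGRESS_ALLOW and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not from either answer above: Workaround 2 on a Linux host.
# All new outbound connections are rejected unless the originating process
# runs as one of the allowed Unix users, using iptables' owner match (which
# only sees locally generated packets, so this lives in OUTPUT, not FORWARD).
# Chain name EGRESS_ALLOW and the user names are assumptions.

# egress_allowlist_rules USER...
# Print the iptables commands that build the allowlist. Printing rather than
# executing lets you review the rule set and keep it in version control.
egress_allowlist_rules() {
  echo 'iptables -N EGRESS_ALLOW 2>/dev/null || true'
  echo 'iptables -F EGRESS_ALLOW'
  # Loopback and replies to already-allowed connections are always fine.
  echo 'iptables -A EGRESS_ALLOW -o lo -j ACCEPT'
  echo 'iptables -A EGRESS_ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # One ACCEPT per allowed user: run git, yarn, composer under that account.
  for u in "$@"; do
    echo "iptables -A EGRESS_ALLOW -m owner --uid-owner $u -j ACCEPT"
  done
  # Everything else is logged with its uid (so you can see what was blocked)
  # and rejected.
  echo 'iptables -A EGRESS_ALLOW -j LOG --log-prefix "egress-deny: " --log-uid'
  echo 'iptables -A EGRESS_ALLOW -j REJECT'
  # Re-hook the chain at the top of OUTPUT without leaving duplicate jumps.
  echo 'iptables -D OUTPUT -j EGRESS_ALLOW 2>/dev/null || true'
  echo 'iptables -I OUTPUT 1 -j EGRESS_ALLOW'
}

# apply_egress_allowlist USER...: execute the rules (needs root).
apply_egress_allowlist() {
  if [ "$(id -u)" != 0 ]; then
    echo 'apply_egress_allowlist: run as root' >&2
    return 1
  fi
  egress_allowlist_rules "$@" | sh -e
}

# Example: only the "builder" account may open connections; a browser or a
# compromised desktop process running as another user is rejected.
# Uncomment to apply:
# apply_egress_allowlist builder
```

Two caveats before relying on this. First, it is allow-by-exception, not upload blocking: the allowed account can still push data, so it should be a dedicated low-privilege user, not your desktop login. Second, name resolution: if DNS goes through a local resolver daemon running as its own user (systemd-resolved, for instance), add that user to the list or add an explicit rule for port 53, otherwise git and yarn fail on lookup before they ever connect.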

Euca 5.0 Enable SSL with Combined CLC and Cluster Controller?

I have completed an automated Ansible install and have most of the wrinkles worked out.
All of my services except Nodes are running on a single box on non-secure HTTP; though I specified 443 in my inventory, I see now that does not imply an HTTPS configuration. So I have non-secure API endpoints listening on 443.
Is there any way around the requirement of operating the CLC and Cluster Controller on different hardware as described in the SSL how-to: https://docs.eucalyptus.cloud/eucalyptus/5/admin_guide/managing_system/bps/configuring_ssl/
I've read that how-to and can only guess that installing certs on the CLC messes up the Cluster Controller keys, but I don't fully grasp it. Am I wasting my time trying to find a workaround, or can I keep these services on the same box and still achieve SSL?
When you deploy Eucalyptus using the Ansible playbook a script will be available:
# /usr/local/bin/eucalyptus-cloud-https-import --help
Usage:
eucalyptus-cloud-https-import [--alias ALIAS] [--key FILE] [--certs FILE]
which can be used to import a key and certificate chain from PEM files.
Alternatively you can follow the manual steps from the documentation that you referenced.
It is fine to use HTTPS with all components on a single host; the documentation is out of date.
Eucalyptus will detect if an HTTP(S) connection is using TLS (SSL) and use the configured certificate when appropriate.
It is recommended to use the Ansible playbook certbot / Let's Encrypt integration for the HTTPS certificate when possible.
When manually provisioning certificates, wildcards can be used (*.DOMAIN, *.s3.DOMAIN) so that all services and S3 buckets are included. If a wildcard certificate is not possible then the certificate should include the service endpoint names if possible (autoscaling, bootstrap, cloudformation, ec2, elasticloadbalancing, iam, monitoring, properties, route53, s3, sqs, sts, swf).
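The SAN list from the last paragraph, built and fed to the import helper, as an added example that is not Eucalyptus project code. It produces either the wildcard form or the enumerated service-endpoint form, issues a certificate carrying it, checks the SANs landed in the certificate, and imports it. The domain cloud.example.com, the file names and the self-signed issuer are assumptions; in production use the certbot integration the answer recommends, or send a CSR with the same SANs to your CA.

```shell
#!/bin/sh
# Added example, not Eucalyptus project code: build the SAN list the answer
# describes and issue a certificate with it, then hand it to the
# eucalyptus-cloud-https-import helper shown above. The domain, file names and
# the self-signed issuer are assumptions.

# Service endpoint names from the answer above.
EUCA_SERVICES="autoscaling bootstrap cloudformation ec2 elasticloadbalancing iam monitoring properties route53 s3 sqs sts swf"

# euca_san_list wildcard|names DOMAIN
# Print a subjectAltName value. "wildcard" covers every service plus S3
# virtual-hosted bucket names; "names" enumerates the service endpoints for
# CAs that will not issue wildcards (bucket virtual-host names are then not
# covered, so S3 clients must use path-style addressing).
euca_san_list() {
  mode="$1"; domain="$2"
  if [ -z "$domain" ]; then
    echo 'usage: euca_san_list wildcard|names DOMAIN' >&2
    return 2
  fi
  case "$mode" in
    wildcard)
      echo "DNS:$domain,DNS:*.$domain,DNS:*.s3.$domain" ;;
    names)
      sans="DNS:$domain"
      for svc in $EUCA_SERVICES; do
        sans="$sans,DNS:$svc.$domain"
      done
      echo "$sans" ;;
    *)
      echo 'usage: euca_san_list wildcard|names DOMAIN' >&2
      return 2 ;;
  esac
}

# euca_issue_and_import wildcard|names DOMAIN
# Self-signed certificate with the SAN list (-addext needs OpenSSL 1.1.1 or
# newer), verified and then imported on the cloud controller host.
euca_issue_and_import() {
  mode="$1"; domain="$2"
  sans=$(euca_san_list "$mode" "$domain") || return 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "euca-$domain.key" -out "euca-$domain.crt" \
    -subj "/CN=$domain" -addext "subjectAltName=$sans" || return 1
  chmod 600 "euca-$domain.key"
  # Confirm the SANs are really in the certificate before importing it.
  openssl x509 -in "euca-$domain.crt" -noout -ext subjectAltName
  /usr/local/bin/eucalyptus-cloud-https-import \
    --key "euca-$domain.key" --certs "euca-$domain.crt"
}

# Uncomment to run on the cloud controller host:
# euca_issue_and_import wildcard cloud.example.com
```

Whichever form you use, the CN alone is not enough: clients validate the host name against the SAN list, so a certificate for the bare domain without *.DOMAIN or the per-service names will be rejected by the ec2, s3 and other endpoints even though the import succeeds.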

local artifactory golang proxy and checksum verification

When getting Go modules using a local Artifactory Go proxy, "go get" fails when doing module checksum verification.
At work we can't do downloads directly from the internet but must go through a local proxy based on Artifactory. I have specified GOPROXY (GOPROXY=https://repo.mycompany.se/artifactory/api/go/gocenter) to a proxy set up in our local Artifactory. When running "go get" the download goes OK from what I can see, but the checksum verification fails as Go tries to use sum.golang.org directly instead of getting the checksum through the proxy.
C:\Users\x\go\src\hello2>go get rsc.io/quote@v1.5.2
go: finding rsc.io v1.5.2
go: downloading rsc.io/quote v1.5.2
verifying rsc.io/quote@v1.5.2: rsc.io/quote@v1.5.2: Get https://sum.golang.org/lookup/rsc.io/quote@v1.5.2: dial tcp: lookup sum.golang.org: no such host
C:\Users\x\go\src\hello2>
Does Artifactory support getting the checksum through the local proxy, and if so, how do you set it up? I have read a blog post about support when using GoCenter directly, but I can't find any information when using Artifactory.
I'm using Go 1.13 and we are using Artifactory 6.12.2.
Artifactory 6.12.2, when used as a Golang proxy, currently does not support checksum verification when there is no access to sum.golang.org. A feature request exists: RTFACT-20405 (Artifactory to support Go client checksum verification when sum.golang.org is not accessible).
In the meantime, refer to 'go help module-private' and the documentation on the GONOSUMDB environment variable. An excerpt from the documentation:
"If GOSUMDB is set to "off", or if "go get" is invoked with the -insecure flag, the checksum database is not consulted, and all unrecognized modules are accepted, at the cost of giving up the security guarantee of verified repeatable downloads for all modules. A better way to bypass the checksum database for specific modules is to use the GOPRIVATE or GONOSUMDB environment variables. See 'go help module-private' for details"
Artifactory 6.16 has GOSUMDB support - https://www.jfrog.com/confluence/display/RTF/Release+Notes
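How to configure the client for the two situations the answer describes (proxy with and without checksum-database support), as an added example that is neither JFrog's nor the Go project's code. The Go tool asks the proxy whether it mirrors the checksum database (GET $GOPROXY/sumdb/sum.golang.org/supported, 200 means yes) before it falls back to contacting sum.golang.org directly, so the script probes that and emits the environment accordingly. The GOPROXY URL is the one from the question; the private module prefix mycompany.se/* is an assumption.

```shell
#!/bin/sh
# Added example, not JFrog's or the Go project's code: decide how to set up
# module checksum verification behind an Artifactory Go proxy. The private
# module prefix is an assumption; the proxy URL is the one from the question.
#
# Go consults the checksum database only for modules not already in go.sum.
# It first asks GOPROXY whether it mirrors the database
# (GET $GOPROXY/sumdb/sum.golang.org/supported, 200 = yes), which is what the
# Artifactory 6.16 GOSUMDB support provides; only otherwise does it go to
# sum.golang.org directly, which is the failure in the question.

GOPROXY_URL="${GOPROXY_URL:-https://repo.mycompany.se/artifactory/api/go/gocenter}"
PRIVATE_PREFIX="${PRIVATE_PREFIX:-mycompany.se/*}"   # assumed corporate module path

# probe_sumdb_support PROXY_URL -> supported | unsupported
probe_sumdb_support() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "$1/sumdb/sum.golang.org/supported")
  if [ "$code" = "200" ]; then echo supported; else echo unsupported; fi
}

# go_sumdb_env supported|unsupported PRIVATE_PREFIX
# Print the environment to use, one NAME=value per line.
go_sumdb_env() {
  mode="$1"; private="$2"
  echo "GOPROXY=$GOPROXY_URL"
  # Private modules are never in the public checksum database, so skip the
  # lookup for them. GONOSUMDB rather than GOPRIVATE: GOPRIVATE also implies
  # GONOPROXY, which would route those paths around Artifactory to direct VCS.
  echo "GONOSUMDB=$private"
  case "$mode" in
    supported)
      # Verification stays on; the proxy serves the database.
      echo "GOSUMDB=sum.golang.org" ;;
    unsupported)
      # Do not set GOSUMDB=off: modules already in go.sum are still checked
      # against it, so commit go.sum and verify the cache with 'go mod verify'.
      # Modules never seen before need a go.sum update from a connected host
      # or a proxy upgrade to 6.16.
      echo "# GOSUMDB left at its default; see comments" ;;
    *)
      echo "go_sumdb_env: unknown mode $mode" >&2
      return 2 ;;
  esac
}

# Usage on a developer machine (persists the settings with go env -w):
#   go_sumdb_env "$(probe_sumdb_support "$GOPROXY_URL")" "$PRIVATE_PREFIX" \
#     | grep -v '^#' | xargs -n1 go env -w
#   go mod verify    # "all modules verified" means the cache matches go.sum
```

The point of the split is scope: GONOSUMDB limited to your own module path loses nothing, because those modules were never in the public database, whereas GOSUMDB=off or go get -insecure silently trusts whatever the proxy hands over for every public dependency from then on.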

woocommerce webhooks not firing

WooCommerce webhooks aren't firing at all for me, even on a fresh install. I did the following:
Create a new MySQL database.
Install WP from the zip file.
Set up WP.
Install WooCommerce.
Enable the REST API and create a key.
Add a "Coupon created" webhook, make sure it's set to active, and point it at a publicly accessible site.
When I create a coupon, the webhook does not fire, and no entry is created in the log. I tried this with orders as well and it also doesn't work.
I think it's a machine configuration problem, but I'm not sure what to change. The machine is an EC2 instance and has all ports opened in its security group policy.
Weirdest of all is that on a different EC2 instance it does work, but it's a production machine and I want to have a dev server working so I can test things out. The only config differences between the production and dev machines that I can think of are the subnets and the firewall, but I don't understand why the subnet should matter, and I opened all the firewall ports on the dev machine.
What Linux distributions are you running for prod and dev?
CentOS with SELinux enabled does not allow HTTPD scripts and modules to connect to the network by default.
setsebool -P httpd_can_network_connect on
If the above is not valid, please identify network problems by trying to connect to AWS RDS via the SSH CLI. If you can open a connection via the SSH CLI, the problem will be with your application. If you can't, it will be a network problem. The first thing to check in that case is the AWS RDS security group. For testing you can open 3306 to the public.
Let me know how it goes.
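A way to confirm the SELinux explanation before touching firewalls or security groups, as an added example that is not part of the answer: it reads the boolean, extracts name_connect denials raised from the httpd_t domain out of audit log lines, and compares a direct curl to the webhook target with what PHP is allowed to do. The audit lines in the test are constructed; WEBHOOK_URL is an assumption.

```shell
#!/bin/sh
# Added example, not from the answer above: confirm whether SELinux is what
# stops PHP (and so WooCommerce's webhook delivery) from opening outbound
# connections, before reaching for firewall or security-group changes.
# WEBHOOK_URL is an assumption.

WEBHOOK_URL="${WEBHOOK_URL:-https://hooks.example.com/woocommerce}"

# sebool_state "getsebool output" -> on|off
# getsebool prints "httpd_can_network_connect --> off".
sebool_state() {
  printf '%s\n' "$1" | awk 'NF >= 3 { print $3 }'
}

# avc_denied_connects < audit-lines
# Print "comm dest" for every AVC denial of name_connect raised from the
# httpd_t domain (php-fpm and mod_php run in it). These are the lines that
# ausearch -m avc shows when the boolean is off and a plugin calls out;
# denials from other domains (an admin's curl, say) are not the same problem.
avc_denied_connects() {
  grep 'avc:  denied  { name_connect }' \
    | grep 'scontext=[^ ]*:httpd_t:' \
    | sed -n 's/.*comm="\([^"]*\)".* dest=\([0-9]*\) .*/\1 \2/p'
}

# diagnose: live checks on the dev server (run as root so ausearch can read
# the audit log).
diagnose() {
  echo "boolean: $(sebool_state "$(getsebool httpd_can_network_connect)")"
  echo "recent name_connect denials from httpd_t (count comm dest):"
  ausearch -m avc -ts recent 2>/dev/null | avc_denied_connects | sort | uniq -c
  # Reach the webhook target from this host the way the answer suggests for
  # RDS: if this works but PHP is denied, the security group is not the cause.
  curl -s -o /dev/null -m 10 \
    -w 'direct curl to webhook target: HTTP %{http_code}\n' "$WEBHOOK_URL"
  # Fix for that case (persistent across reboots):
  #   setsebool -P httpd_can_network_connect on
}

# Uncomment on the affected host:
# diagnose
```

Denials with dest=443 or 80 from httpd_t and a working direct curl are the signature of this exact problem; if instead the direct curl also times out, look at routing and the subnet's NACL or security group, as the answer says.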

My wordpress websites on VPS server is getting hacked regularly

I have purchased a VPS server from OVH. I have installed VestaCP; it has been more than 6 months and I'm still facing issues with server security. Sometimes my WordPress websites get hacked, sometimes the server is slow or not responding for a whole day. I'm not able to identify the issue. Someone please help me.
Here is a basic checklist to get you started:
Download and run WPScan against your site; you can obtain it here.
Change all your passwords. Since it's a virtual private server your pem file might have been compromised, so change your password for all access to the site.
Update all your plugins. I can't stress this enough, and I see businesses do this all the time: they don't update their plugins. Make sure you are updated to the latest WordPress version as well.
If your website is beyond repair at this time, download all the files, then do a fresh install of WordPress and restore what you can.
Invest in an SSL certificate to encrypt your data; this will protect you and your users from MITM (man-in-the-middle) attacks.
Update your .htaccess file with restrictions; try these.
If you don't have an IDS/IPS to detect SQL injection, consider installing ModSecurity; you can download that here.
Since it's a virtual private server, if a backdoor has been planted you might want to consider doing a full wipe and restoring files you know are secure.
Close ports you don't need. If you don't use certain ports all the time, close them.
Update the web server applications: Apache, MySQL, and others. If you don't have the latest version you should be able to download them manually, and if it's Linux just compile and run the latest source.
For all the countries that don't mean anything to your business, block all of them with a country-blocking plugin, but make sure it's secure; the key is to do your research.
Install something like WP Security and limit the number of failed logins before being locked out, or have the IP address blocked for certain usernames after so many failed attempts.
If it's a Linux VPS, try these commands to see what your server is up to:
#Check for remote connections
netstat -a
#Allows to monitor network usage by application
nethogs eth0
#Allows to monitor the system log for authorizations
tail -f /var/log/auth.log
#Allows to monitor firewall log
tail -f /var/log/ufw.log
#Allows to monitor packets (look for malformed ones)
tshark -i eth0
You should be doing incident response at this time more than anything, since it's a VPS server. There are some great methodologies on this website that may help as well.
Hope this helps.
--lillypad
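The "see what your server is up to" commands above show live activity; a re-infection case also needs to know how the attacker gets back in. This added example, not part of the answer, has two reusable checks (failed SSH logins per source IP from auth.log, and a webshell idiom heuristic over PHP files) and a live wrapper that also lists recently changed PHP files, listening sockets and crontabs. The web root path, the 7-day window and the sample lines in the test are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the answer above: a first-pass triage for a
# WordPress VPS that keeps getting re-infected. Paths and the 7-day window are
# assumptions; tune them to your host.

WEBROOT="${WEBROOT:-/home/admin/web}"   # VestaCP keeps sites under /home/<user>/web (assumption)

# failed_ssh_by_ip < auth.log
# Count "Failed password" lines per source IP, busiest first. A burst from one
# IP is a brute-force run; a thin spread across many IPs is a botnet and the
# cue to turn off password authentication in sshd altogether.
failed_ssh_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Common webshell/dropper idioms: eval, decode-then-execute chains, or a
# request parameter called as a function ($_POST['x'](...)). A heuristic, not
# a scanner: legitimate plugins trip it too, so review every hit by hand.
WEBSHELL_RE='eval[[:space:]]*\(|(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# suspicious_php DIR: print PHP files under DIR matching the idioms above.
suspicious_php() {
  find "$1" -name '*.php' -exec grep -l -E "$WEBSHELL_RE" {} + 2>/dev/null
  return 0
}

# triage: live checks on the compromised host (run as root).
triage() {
  echo "== failed SSH logins by source IP =="
  failed_ssh_by_ip < /var/log/auth.log | head -n 10
  echo "== PHP files changed in the last 7 days (dropped shells, patched core files) =="
  find "$WEBROOT" -name '*.php' -mtime -7 -printf '%TY-%Tm-%Td %p\n' | sort
  echo "== PHP files matching webshell idioms =="
  suspicious_php "$WEBROOT"
  echo "== listening sockets and the processes behind them =="
  ss -tulpn
  echo "== per-user crontabs (a favourite persistence spot) =="
  for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
  done
}

# Uncomment on the affected host:
# triage
```

Read the output together: a shell file whose modification time falls inside the last reinfection window, plus a crontab entry that re-downloads it, explains "hacked again" far better than the plugin list does, and it tells you which credential or upload path to close before the restore.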
