Tuesday, November 23, 2010

60 Free Minutes with Ubuntu 10.10 in Amazon EC2

I decided to try Ubuntu in the Cloud because 1) I had a few minutes this afternoon and 2) it's free. If you follow the directions on their Web site you'll have access to an Ubuntu 10.10 server for 60 minutes, hosted by Amazon Elastic Compute Cloud (Amazon EC2). It's really simple, so easy a caveman could do it. (Ouch.)

  1. First make sure you have a public-private SSH key pair.


    richard@neely:~$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/richard/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/richard/.ssh/id_rsa.
    Your public key has been saved in /home/richard/.ssh/id_rsa.pub.
    The key fingerprint is:
    c6:e0:9c:84:74:3d:2d:09:b3:a2:e5:97:7b:63:59:da richard@neely
    The key's randomart image is:
    +--[ RSA 2048]----+
    | . +o o |
    | . o o= . |
    | + + o |
    | + = = |
    | . . * S . |
    | . o = |
    | . * E |
    | o . |
    | |
    +-----------------+

  2. Next visit www.launchpad.net and create an account.

  3. Visit the editsshkeys page created for your account (like https://launchpad.net/~taosecurity/+editsshkeys for me) and paste the content of your public SSH key into the window.

  4. Now it's time for https://10.cloud.ubuntu.com/. I read:

    Try Ubuntu 10.10 Server in Amazon EC2, entirely on our dime!

    All you need is an SSH client, and an SSH public key associated with your Launchpad.net account, and we will launch an Ubuntu Server instance in Amazon EC2 for you.

    We will give you the hostname and you can SSH directly to the instance with your public SSH key on file in Launchpad. You will have full sudo (root) access, so take it for an hour-long joyride, install applications, configure services, test your programs, and evaluate the overall experience. We will terminate and clean up the instance automatically within an hour.


    I selected Ubuntu Server (10.10) with WordPress for fun.

  5. WAIT while the server is provisioned. It takes a few minutes but the Web site keeps refreshing to keep you informed.

  6. When done, SSH to the server as user ubuntu. Be ready to enter your SSH key passphrase.

    richard@neely:~$ ssh ubuntu@184.72.80.52
    The authenticity of host '184.72.80.52 (184.72.80.52)' can't be established.
    RSA key fingerprint is 56:df:06:bf:30:c6:d6:26:76:2f:f1:6f:51:97:86:70.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '184.72.80.52' (RSA) to the list of known hosts.
    Linux ip-10-212-127-243 2.6.35-22-virtual #33-Ubuntu SMP Sun Sep 19 23:54:13 UTC 2010 i686 GNU/Linux
    Ubuntu 10.10
    Hello taosecurity, welcome to the Cloud!
    This instance will terminate around Tue Nov 23 21:37:00 UTC 2010"

    Welcome to Ubuntu!
    * Documentation: https://help.ubuntu.com/

    System information as of Tue Nov 23 20:42:00 UTC 2010

    System load:  0.35              Processes:             76
    Usage of /:   7.0% of 9.84GB    Users logged in:       0
    Memory usage: 17%               IP address for eth0:   10.212.127.243
    Swap usage:   0%                IP address for eth0:0: 184.72.80.52

    Graph this data and manage this system at https://landscape.canonical.com/
    ---------------------------------------------------------------------
    At the moment, only the core of the system is installed. To tune the
    system to your needs, you can choose to install one or more
    predefined collections of software by running the following
    command:

    sudo tasksel --section server

  7. At this point I had a fully functional server with WordPress installed. I played with the server to create a first post.


  8. I also tested how quickly I could add software. WOW.

    sudo apt-get install ubuntu-desktop
    ...edited...
    Fetched 429MB in 28s (15.2MB/s)


  9. I started a second SSH session to tunnel the X protocol and started Firefox:


  10. From another server I scanned the EC2 instance to see what services are exposed:

    tao001:~# nmap -sV 184.72.80.52

    Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-23 15:56 EST
    Interesting ports on ec2-184-72-80-52.compute-1.amazonaws.com (184.72.80.52):
    Not shown: 1710 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     (protocol 2.0)
    25/tcp   open  smtp    Postfix smtpd
    80/tcp   open  http    Apache httpd 2.2.16 ((Ubuntu))
    5901/tcp open  vnc     VNC (protocol 3.8)
    6001/tcp open  X11     (access denied)
    1 service unrecognized despite returning data.
    If you know the service/version, please submit the following fingerprint at
    http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port22-TCP:V=4.62%I=7%D=11/23%Time=4CEC2A95%P=x86_64-unknown-linux-gnu%
    SF:r(NULL,27,"SSH-2\.0-OpenSSH_5\.5p1\x20Debian-4ubuntu4\r\n");
    Service Info: Host: ec2-184-72-80-52.compute-1.amazonaws.com

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.457 seconds

  11. I ran Tshark to capture traffic and created a capture with this protocol distribution:

    richard@neely:~$ tshark -q -r tshark.pcap -z io,phs
    can't open file /home/richard//tmpssl/Renegotiating_TLS_20091104_pub/caps/apache22_wget_DHE/server.key

    ===================================================================
    Protocol Hierarchy Statistics
    Filter: frame

    frame                            frames:3764 bytes:424367
      eth                            frames:3764 bytes:424367
        ip                           frames:3750 bytes:422885
          udp                        frames:177 bytes:120953
            dns                      frames:80 bytes:8271
            ntp                      frames:24 bytes:2160
            data                     frames:70 bytes:105980
            dcerpc                   frames:3 bytes:4542
          icmp                       frames:17 bytes:1710
          tcp                        frames:3556 bytes:300222
            http                     frames:54 bytes:100166
              data-text-lines        frames:10 bytes:17428
              media                  frames:1 bytes:818
              image-jfif             frames:1 bytes:4434
              png                    frames:1 bytes:1194
              xml                    frames:2 bytes:1430
              unreassembled          frames:1 bytes:2962
            smtp                     frames:14 bytes:3392
              imf                    frames:1 bytes:561
            tcp.segments             frames:1 bytes:116
              http                   frames:1 bytes:116
            ssh                      frames:1 bytes:105
        ipv6                         frames:14 bytes:1482
          udp                        frames:14 bytes:1482
            dns                      frames:14 bytes:1482
    ===================================================================
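Step 6 above accepts the instance's host key with a blind "yes". The check a practitioner adds is to compare the fingerprint ssh shows against one obtained out of band (Ubuntu's cloud-init writes the host key fingerprints to the EC2 console log at first boot), and the same parsing confirms that the key pasted into Launchpad in step 3 is the one ssh-keygen produced, with the bit length and both fingerprint styles. The following Python is an added example, not code from the original post, Launchpad or Ubuntu. The key it uses is constructed from small integers and has no cryptographic meaning; the host address and key comment from the post are reused only as sample input.

```python
"""Recompute OpenSSH public key / known_hosts fingerprints to verify them out of band.

Added example for the walkthrough above (not code from the post, Launchpad or
Ubuntu). SAMPLE_N is a CONSTRUCTED 2048-bit integer, not a real RSA modulus.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian magnitude, 0x00 prepended if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Produce an id_rsa.pub style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_pubkey_line(line: str) -> dict:
    """Parse an id_rsa.pub, authorized_keys or known_hosts line (ssh-rsa keys only).

    known_hosts lines start with a host field, so the key-type token is located
    rather than assumed first; whatever precedes it is returned as 'hosts'.
    """
    fields = line.split()
    idx = next((i for i, tok in enumerate(fields) if tok == "ssh-rsa"), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no ssh-rsa key found on line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError(f"blob type {wire_type!r} does not match key-type token")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA key material")
    return {
        "type": "ssh-rsa",
        "hosts": fields[:idx],
        "e": int.from_bytes(e_raw, "big"),
        "bits": int.from_bytes(n_raw, "big").bit_length(),
        "blob": blob,
    }


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex MD5, the format the OpenSSH 5.x tools on the page print."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded base64 SHA-256 with the 'SHA256:' prefix modern OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(known_hosts_line: str, expected_fp: str) -> bool:
    """True if the key on a known_hosts line has the fingerprint obtained out of band.

    Accepts 'aa:bb:...', 'MD5:aa:bb:...' or 'SHA256:<base64>' so the value can be
    pasted straight from a console log or from `ssh-keygen -lf`.
    """
    blob = parse_pubkey_line(known_hosts_line)["blob"]
    fp = expected_fp.strip()
    if fp[:7].upper() == "SHA256:":
        return fingerprint_sha256(blob) == "SHA256:" + fp[7:].rstrip("=")
    if fp[:4].upper() == "MD5:":
        fp = fp[4:]
    return fingerprint_md5(blob) == fp.lower()


# Constructed sample key: a 2048-bit integer with no cryptographic meaning.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0xC0FFEE_DEADBEEF_0BADF00D_FEEDFACE
PUBKEY_LINE = build_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "richard@neely")
# What ssh appends to ~/.ssh/known_hosts after the "yes" in step 6 (sample only).
KNOWN_HOSTS_LINE = "184.72.80.52 " + " ".join(PUBKEY_LINE.split()[:2])

if __name__ == "__main__":
    info = parse_pubkey_line(PUBKEY_LINE)
    print(f"{info['bits']} {fingerprint_md5(info['blob'])} richard@neely (RSA)")
    print(f"{info['bits']} {fingerprint_sha256(info['blob'])} richard@neely (RSA)")
    print("known_hosts entry matches:",
          host_key_matches(KNOWN_HOSTS_LINE, fingerprint_md5(info["blob"])))
```

Run it against a real `~/.ssh/id_rsa.pub` or a `known_hosts` line by replacing the constructed constants; the MD5 form is what an OpenSSH 5.5 `ssh` prints at first connection, the SHA256 form is what current releases print, and the two are fingerprints of the same blob.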

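The scan in step 10 shows four ports besides SSH answering from outside, so the trial instance's security group was not restricting inbound traffic to port 22. It also shows why "1 service unrecognized despite returning data" appears: nmap 4.62's probe database predates OpenSSH 5.5, so port 22 got no product name and the raw fingerprint was printed instead, but the banner is still there in the SF: lines. The Python below is an added example, not code from the original post or from nmap. It reads that scan output back, lists open ports against an assumed expectation of SSH only (the assumption is mine, not the page's), and decodes the banner from the fingerprint lines; the response length in those lines is hexadecimal (0x27 = 39 bytes), which the parser verifies.

```python
"""Turn the nmap -sV output from step 10 into an exposure report.

Added example (not from the original post or from nmap). NMAP_OUTPUT is copied
from the scan shown above; EXPECTED_PORTS is an assumption for a throwaway
instance that should only be reachable over SSH.
"""
import re
from dataclasses import dataclass

NMAP_OUTPUT = r"""
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-23 15:56 EST
Interesting ports on ec2-184-72-80-52.compute-1.amazonaws.com (184.72.80.52):
Not shown: 1710 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.16 ((Ubuntu))
5901/tcp open vnc VNC (protocol 3.8)
6001/tcp open X11 (access denied)
1 service unrecognized despite returning data.
SF-Port22-TCP:V=4.62%I=7%D=11/23%Time=4CEC2A95%P=x86_64-unknown-linux-gnu%
SF:r(NULL,27,"SSH-2\.0-OpenSSH_5\.5p1\x20Debian-4ubuntu4\r\n");
Service Info: Host: ec2-184-72-80-52.compute-1.amazonaws.com
Nmap done: 1 IP address (1 host up) scanned in 7.457 seconds
"""

EXPECTED_PORTS = frozenset({22})  # assumption: SSH is the only intended service

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
# One probe response inside a service fingerprint: r(PROBE,<hex length>,"<escaped data>")
SF_RESPONSE = re.compile(r'r\((?P<probe>\w+),(?P<hexlen>[0-9A-Fa-f]+),"(?P<data>(?:[^"\\]|\\.)*)"\)')


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text: str) -> list:
    """Extract the per-port table rows from normal (non-grepable) nmap output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], (m["version"] or "").strip()))
    return entries


def unexpected_exposure(entries: list, expected_ports=EXPECTED_PORTS) -> list:
    """Open ports the instance was not supposed to answer on, lowest first."""
    return sorted((e for e in entries if e.state == "open" and e.port not in expected_ports),
                  key=lambda e: e.port)


def _unescape_sf(data: str) -> str:
    """Undo nmap's fingerprint escaping: \\xNN bytes, \\r, \\n, and backslash-quoted punctuation."""
    data = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), data)
    data = data.replace("\\r", "\r").replace("\\n", "\n")
    return re.sub(r"\\(.)", r"\1", data)


def parse_fingerprints(text: str) -> list:
    """Join SF-Port headers with their SF: continuation lines and decode each probe response."""
    blocks = []  # [port, proto, joined fingerprint text]
    for line in text.splitlines():
        head = re.match(r"SF-Port(\d+)-(\w+):(.*)", line)
        if head:
            blocks.append([int(head.group(1)), head.group(2), head.group(3)])
        elif line.startswith("SF:") and blocks:
            blocks[-1][2] += line[3:]
    results = []
    for port, proto, fp in blocks:
        for m in SF_RESPONSE.finditer(fp):
            raw = _unescape_sf(m["data"])
            results.append({"port": port, "proto": proto.lower(), "probe": m["probe"],
                            "banner": raw.strip(),
                            "length_ok": len(raw) == int(m["hexlen"], 16)})
    return results


if __name__ == "__main__":
    entries = parse_ports(NMAP_OUTPUT)
    banners = {fp["port"]: fp["banner"] for fp in parse_fingerprints(NMAP_OUTPUT)}
    for e in unexpected_exposure(entries):
        print(f"unexpected: {e.port}/{e.proto} {e.service} {e.version}".rstrip())
    for port, banner in banners.items():
        print(f"banner on {port}: {banner}")
```

The banner decode is the part worth keeping: an old scanner reports "unrecognized" but still hands you the exact version string, so the verdict "nothing identified on 22" is never the end of the analysis.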

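The protocol hierarchy in step 11 is easier to reason about as a tree: each entry's counts include its children, so bytes a node does not hand down to any child are traffic tshark did not dissect further, and in this capture that is where the unclassified `data` under UDP and the `dcerpc` entry deserve a second look. The Python below is an added example, not code from the original post or from Wireshark. It parses `tshark -z io,phs` output into a tree, checks that child counts never exceed their parent, and ranks the undissected byte counts. The figures are the post's own; the two-space-per-level indentation tshark prints, which the blog's copy lost, is restored from the protocol layering.

```python
"""Parse `tshark -z io,phs` output into a tree and rank undissected traffic.

Added example (not from the original post or from Wireshark). PHS_OUTPUT holds
the counts from step 11 with tshark's indentation restored from the layering.
"""
from dataclasses import dataclass, field

PHS_OUTPUT = """\
frame                            frames:3764 bytes:424367
  eth                            frames:3764 bytes:424367
    ip                           frames:3750 bytes:422885
      udp                        frames:177 bytes:120953
        dns                      frames:80 bytes:8271
        ntp                      frames:24 bytes:2160
        data                     frames:70 bytes:105980
        dcerpc                   frames:3 bytes:4542
      icmp                       frames:17 bytes:1710
      tcp                        frames:3556 bytes:300222
        http                     frames:54 bytes:100166
          data-text-lines        frames:10 bytes:17428
          media                  frames:1 bytes:818
          image-jfif             frames:1 bytes:4434
          png                    frames:1 bytes:1194
          xml                    frames:2 bytes:1430
          unreassembled          frames:1 bytes:2962
        smtp                     frames:14 bytes:3392
          imf                    frames:1 bytes:561
        tcp.segments             frames:1 bytes:116
          http                   frames:1 bytes:116
        ssh                      frames:1 bytes:105
    ipv6                         frames:14 bytes:1482
      udp                        frames:14 bytes:1482
        dns                      frames:14 bytes:1482
"""


@dataclass
class Node:
    name: str
    frames: int
    bytes: int
    children: list = field(default_factory=list)

    @property
    def child_bytes(self) -> int:
        return sum(c.bytes for c in self.children)

    @property
    def undissected_bytes(self) -> int:
        """Bytes counted at this node that no child dissector claimed."""
        return self.bytes - self.child_bytes


def parse_phs(text: str) -> Node:
    """Build the tree from indentation (two spaces per level); returns a synthetic root."""
    root = Node("<root>", 0, 0)
    stack = [(-1, root)]  # (depth, node)
    for line in text.splitlines():
        stripped = line.lstrip(" ")
        if not stripped or "frames:" not in stripped:
            continue  # headers, separators, "Filter: frame"
        depth = (len(line) - len(stripped)) // 2
        name, rest = stripped.split(None, 1)
        counts = dict(tok.split(":") for tok in rest.split())
        node = Node(name, int(counts["frames"]), int(counts["bytes"]))
        while stack[-1][0] >= depth:
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((depth, node))
    return root


def find(root: Node, path: str) -> Node:
    """Look up a node by slash path, e.g. 'frame/eth/ip/udp/data'."""
    node = root
    for part in path.split("/"):
        node = next((c for c in node.children if c.name == part), None)
        if node is None:
            raise KeyError(path)
    return node


def walk(node: Node, path: str = ""):
    for c in node.children:
        p = f"{path}/{c.name}" if path else c.name
        yield p, c
        yield from walk(c, p)


def inconsistent(root: Node) -> list:
    """Paths whose children add up to more frames or bytes than the parent (a parse error)."""
    return [p for p, n in walk(root)
            if n.child_bytes > n.bytes or sum(c.frames for c in n.children) > n.frames]


def top_undissected(root: Node, n: int = 5) -> list:
    """The n paths carrying the most bytes left unclassified by any child dissector."""
    items = [(p, node.undissected_bytes) for p, node in walk(root)]
    return sorted(items, key=lambda t: (-t[1], t[0]))[:n]


def protocol_names(root: Node) -> set:
    return {node.name for _, node in walk(root)}


if __name__ == "__main__":
    tree = parse_phs(PHS_OUTPUT)
    print("consistency problems:", inconsistent(tree) or "none")
    for path, nbytes in top_undissected(tree, 3):
        print(f"{nbytes:>8} bytes undissected at {path}")
```

The TCP figure is mostly ACK-only segments and is expected; the 105980 bytes of UDP that the dissector could only call `data` is the number to chase down with a display filter before trusting the box.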
Near the end of my hour I got this warning in the shell:

Broadcast Message from root@ip-10-212-127-243
(somewhere) at 21:17 ...

You have about 10 minutes before instance termination

So, I logged out and that was it!

I suggest everyone give this a try, especially if you've never spun up an EC2 instance. Next I'd like to try the AWS Free Usage Tier.

Thanks to Ubuntu and Amazon EC2 for making this such an easy process.

My only concern is this: how easy would it be to spin up free VMs like this for nefarious means?

5 comments:

Bryon said...

The free usage tier works great and as advertised. I'm at $0 running 10.10 since Nov. 1st. This type of box is perfect for simple things like socks5 tunneling out of unsecured wifi networks (-D 8080).

Silent Ninja said...

I really loved the way Amazon does this stuff, but... you haven't benchmarked anything, nor made any type of system security tests (not software based per se, since that can be fully configurable or upgradeable in case it's needed)

I mean, Ubuntu is famous for being one of the simplest desktop distros but I'm still a little frightened about using it as a server distro. I'm still in love with Debian.

Would you like to change my mind about that ?

Richard Bejtlich said...

"Silent Ninja," no. How about you do your own analysis? My rates are pretty high, but I don't consult anyway.

secyority said...

Nice post Richard, will give this a try. Re: nefarious means, I hope it's not the caveman (Ouch squared!) ;)

Just this guy, you know? said...

As for "nefarious purposes", it's quite trivial. I believe that "videoman" had a talk about this at DEFCON this year.

I did a back of the envelope calculation last year and you can get an impressive bandwidth spike for a DDoS attack rather quickly. Of course, AWS will detect that and shut it down, but that does take some time.

And if you use a stolen credit card, you're even farther ahead (as an attacker).

You should note that much (most?) of the AWS space is blacklisted in most SMTP DNS blacklists. AWS warns of this in some of its documentation.