2012년 11월 21일 수요일

[AWS] IAM 계정에서 EC2 CLI 사용하기


AWS CLI(Command Line Interface)를 사용하기 위해서는 account credentials 이 필요하다.

  • access keys
  • X.509 certificates
  • key pairs
필요한 타입은 API group마다 다른데, 문제는 certificate x.509가 IAM user page에서는 구할 수 없다.


If a user needs a signing certificate (for example, to use the Amazon EC2 command line tools), you first must obtain a signing certificate and then upload it to the IAM system. IAM doesn't have an API action to create signing certificates, so you must use a third-party tool such as OpenSSL to create the certificate first.


User Credentials

By default, a user has no security credentials. You create security credentials for your users as needed. The type of credentials a user needs depends on how the user will access AWS.
Secret Access Keys and Access Key IDs
To make API calls or to work with the command line interface, the user needs a Secret Access Key and Access Key ID. The IAM API and command line interface provide actions that create these for a user. You can give your users permission to create and manage their own credentials if you like, or you can have an administrators group in your organization handle this. For more information about creating keys for a user, see Adding a New User to Your AWS Account.
X.509 Certificates
Another type of credential a user might have is an X.509 certificate (referred to here as a signing certificate) and corresponding certificate ID. Some AWS products use this instead of a Secret Access Key for access to certain interfaces. For example, Amazon EC2 uses a Secret Access Key for access to its Query interface, but it uses a signing certificate for access to its SOAP interface and command line tool interface.
Although you can use IAM to create an access key, you can't use IAM to create a signing certificate. However, you can use free third-party tools such as OpenSSL to create the certificate. (For information about OpenSSL, go to http://www.openssl.org/.) After you have the signing certificate, you must upload it to IAM; the user needs to keep the corresponding private key to use for signing requests. You can use IAM to upload the certificate. For more information about using signing certificates, see Managing User Keys and Certificates.
Important
For security purposes, we recommend that you rotate your users' credentials on a regular basis. A user can have multiple access keys or signing certificates at a given time for this purpose. For more information, see Rotating Credentials.

References

2012년 11월 18일 일요일

iptables on redhat


iptables 는 netfilter의 부분으로 filtering의 rule을 정하는 filter table이다.

Chain 은 A chain is a list of rules that defines the actions applied to packets. 종류는 기본 INPUT/FORWARD/OUTPUT 이고 custom chain 도 추가 가능하다.

  • INPUT - All packets destined for the host computer.
  • OUTPUT - All packets originating from the host computer.
  • FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.

# iptables -L 로 rule을 볼 수 있으며, 순서대로 적용된다. 아래에서 REJECT all 이후로는 모든 packet 이 reject된다. 첫 번째 Rule이 1번.


iptables -A chain (INPUT/FORWARD/OUTPUT) -j target (ACCEPT/REJECT/DROP)


iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


--dport : destination port
--sport : start port
--state

httpd server 추가하기
- REJECT 앞에 추가해야 함.
- >iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
- >iptables -I INPUT 6 -m tcp -p tcp --dport 443 -j ACCEPT

 
특정 port 열기
# iptables -I INPUT (last index -1) -m state --state NEW -m tcp -p tcp --dport 6888 -j ACCEPT


모든 port reject
>iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited


iptables 저장하기
iptables command 는 reboot하면 초기화되므로 계속 반영하려면, 저장이 필요하다.
# service iptables save 

# vi /etc/sysconfig/iptables-config


  1. iptables -P INPUT ACCEPT If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT otherwise once we flush the current rules we will be locked out of our server.
  2. iptables -F We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
  3. iptables -A INPUT -i lo -j ACCEPT Now it's time to start adding some rules. We use the -A switch to append (or add) a rule to a specific chain, the INPUT chain in this instance. Then we use the -i switch (for interface) to specify packets matching or destined for the lo (localhost, 127.0.0.1) interface and finally -j (jump) to the target action for packets matching the rule - in this case ACCEPT. So this rule will allow all incoming packets destined for the localhost interface to be accepted. This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
  4. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT This is the rule that does most of the work, and again we are adding (-A) it to the INPUT chain. Here we're using the -m switch to load a module (state). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system. ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.
  5. iptables -A INPUT -p tcp --dport 22 -j ACCEPT Here we add a rule allowing SSH connections over tcp port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection. We will explain this rule in more detail later.
  6. iptables -P INPUT DROP The -P switch sets the default policy on the specified chain. So now we can set the default policy on the INPUT chain to DROP. This means that if an incoming packet does not match one of the following rules it will be dropped. If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourself out of the system at this point.
  7. iptables -P FORWARD DROP Similarly, here we've set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packets passing through our computer.
  8. iptables -P OUTPUT ACCEPT and finally, we've set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
  9. iptables -L -v Finally, we can list (-L) the rules we've just added to check they've been loaded correctly.

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.


5. IP Addresses


Opening up a whole interface to incoming packets may not be restrictive enough and you may want more control as to what to allow and what to reject. Lets suppose we have a small network of computers that use the 192.168.0.x private subnet. We can open up our firewall to incoming packets from a single trusted IP address (for example, 192.168.0.4):
# Accept packets from trusted IP addresses
 iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate

Breaking this command down, we first append (-A) a rule to the INPUT chain for the source (-s) IP address 192.168.0.4 to ACCEPT all packets (also note how we can use the # symbol to add comments inline to document our script with anything after the # being ignored and treated as a comment).
Obviously if we want to allow incoming packets from a range of IP addresses, we could simply add a rule for each trusted IP address and that would work fine. But if we have a lot of them, it may be easier to add a range of IP addresses in one go. To do this, we can use a netmask or standard slash notation to specify a range of IP address. For example, if we wanted to open our firewall to all incoming packets from the complete 192.168.0.x (where x=1 to 254) range, we could use either of the following methods:
# Accept packets from trusted IP addresses
 iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT  # using standard slash notation
 iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask

Finally, as well as filtering against a single IP address, we can also match against the MAC address for the given device. To do this, we need to load a module (the mac module) that allows filtering against mac addresses. Earlier we saw another example of using modules to extend the functionality of iptables when we used the state module to match for ESTABLISHED and RELATED packets. Here we use the mac module to check the mac address of the source of the packet in addition to it's IP address:
# Accept packets from trusted IP addresses
 iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT

First we use -m mac to load the mac module and then we use --mac-source to specify the mac address of the source IP address (192.168.0.4). You will need to find out the mac address of each ethernet device you wish to filter against. Running ifconfig (or iwconfig for wireless devices) as root will provide you with the mac address.
This may be useful for preventing spoofing of the source IP address as it will allow any packets that genuinely originate from 192.168.0.4 (having the mac address 00:50:8D:FD:E6:32) but will block any packets that are spoofed to have come from that address. Note, mac address filtering won't work across the internet but it certainly works fine on a LAN.






References
http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/
http://leepfe.tistory.com/139
http://l2j.co.kr/1419
http://blog.naver.com/PostView.nhn?blogId=nawoo&logNo=80150436796
http://wiki.centos.org/HowTos/Network/IPTables (Best!!)

2012년 11월 11일 일요일

Start Small, Stay Small - A Developer's Guide to Launching a Startup

Start Small, Stay Small - A Developer's Guide to Launching a Startup

이 책은 한방/대박을 꿈을 쫓던 벤쳐신화 -  획기적인 아이디어를 개발하기 위해 다니던 회사를 그만두고, 친구 몇몇과 밤새워 몇 달간 개발하고, 벤쳐캐피탈에서 투자금을 지원받아 큰 성공을 꿈꾸는 - 에서 벗어나게 해준다. 어떻게 개발자가 작은 기업가로 탈바꿈할 수 있는지를 사례와 자료를 통해 설명한다.


The book web site: www.startupbook.net
저자 웹 사이트: http://www.softwarebyrob.com. Startup에 대한 많은 글을 올려 놓았다.















Chapter 1. The chasm between developer and enterpreneur


enterpreneur is visionary
- see the potential in an idea
- create a viable business from nothing

In this book, two types of enterpreneurs are covered:
  • Micropreneurs
    - want to remain solo. No employees.
    - sample: Ruben Gamez - www.bitsketch.com
  • Bootstrapers
    - larger thant micro. 5~10 employees.
    - Grows company to survive.
    - sample: Harry Hollander - www.moraware.com
Anti-everyone-thinking-venture-capital-is-the-only-way-to-startup.


Self-funded startup entrepreneur
  • technical visionary who creates s/w for a niche market
    - genius of niches is too small for large competitors
  • merges existing technical knowledge with onlne marketing knowledge.
  • across between a developer, webmaster and marketer.
    - Product Last, Marketing First
Starting for right reasons
  • Having a product idea
    - project: s/w applicaiton that you build as a fun side project. code is fun to write bcz you're not concered about quality
    - product: a project that people will pay money for.
  • To Get Rich
  • Because it sounds like fun
The power of golas
  • Written goals
    "Those who wrote their goals accomplished significantly more that those who did not wirte their goals."
  • Public Commitment
    "...those who sent their commitments to a friend accomplished significantly more that those who wrote action commitments or did not write their goals."
  • Accountability
    "... those who sent weekly progress reports to their freind accomplished significantly more more than those who had unwrittten goals."
One short-term goal
Strive to build a startup that generates $500 per month in profit

There is no sinle path to success. The second two items, public commitement and accountability can be achieved by interacting with a community such as meetup groups(www.meeup.com) or online community (www.micropreneur.com).


  • Niche Brainstorming & Mental Evaluation
  • Niche Evaluation
  • Niceh Selection
  • Product Selection
  • Product Architecture
  • Functironal Design
  • Database Design
  • Graphic Design
  • HTML/CSS
  • UI Developement (AJAX/JS)
  • Business Tier Development
  • Database Development
  • Creating Unit Tests
  • Creating UI Tests
  • Manual Testing
  • Fixing Post-Launch Bugs
  • User Documentation
  • Installation Documentation
  • Sales Website Site Map Creation
  • Sales Website Copywriting
  • Sales Website Graphic Design
  • Sales Website HTML/CSS
  • Sales Website Programming
  • Sales Websie Payment Integration
  • Product Delivery (via email, link on site, etc..)
  • Setting Up Email List
  • Setting Up Domain Name & Web Hosting
  • Setting Up Email Accounts & 800 Number(toll free number 우리의 080)
  • Setting Up Analytics
  • Pre-Launch Search Engine Optimization
  • Pre-Launch Pay-Per-Click Set-up
  • Initial Social Media / Viral Marketing
  • Pre-Launch Video Marketing
  • Pre-Launch Partnerships
  • Launch Press Release
  • Pre-Launch Email Marketing
  • Pre-Launch Blogging or Podcasting
  • Etc
    Infra on AWS or Web Hosting
Hiring a virtual assistant (VA) from the online site such as www.elance.com, www.guru.com

Dollarizing your time

  • Your time is worth $50 /hour is the first step
Keep work and play separte
"Work hard and play hard, but never do both at once"
- Wasting time is bad. Boring movies, bad TV, pointless web surfing are expensive propositions. If you aren't enjoying something, stop doing it.

Information consumption is only good when it produces something
"When reading blogs or books or listening to podcast or audio books, take action notes."

Transitioning from developer to entrepreneur
  • Being a good technician is not engough
    - archtypes of running a business: enterpreneur, manager, technician
    - Without planning, organizing, systematizing, outsourcing, and marketing, all things you will shy away from as a technician, you will never make it past the $25/hour pit that many startups fall into.
  • Market comes first, Marketing second, Aesthetic third, and Functionality a distant fourth
  • Things will never be as clear as you want them to be
    - the compiler behaves the same way but market doesn't.
  • You can't specify everything, but you need a plan
  • You need to fail fast and recover
  • You will never be done
  • Don't expect instant gratification
  • Process is king (detail in chapter 6)
  • Nothing about a startup is one-time effort


Chapter 2. Why niches are the name of the game 


  • Members of a vertical have similar behavior
    - e.g. pool cleaner, countertop installer, web designer
  • Members of a vertical talk to one another
  • Members of a vertical "Hang out" together
  • Members of a vertical have similar needs

Conversion Rates
- e.g FeedShot , Just Beach Towels, DotNetInvoice


How to find the niches
  • Look at all areas of your life
  • Look at occupations
    - http://en.wikipedia.org/wiki/List_of_occupations
    - http://www.bls.gov/news.release/ocwage.t01.htm
  • Cheat
    - www.entrepreneur.com/businessideas/ (Categories -> Online Businesses)
    - www.sixmonthmba.com/2009/02/999ideas.html
    - www.ahbbo.com/ideas.html
    - ycombinator.com/ideas.html
    - astartupaday.wordpress.com
    - ideas.4brad.com
    - www.ideaisqueen.com/wordpress
    - www.ideatagging.com
    - springwise.com
    - www.trendwatching.com
    - www.coolbusinessideas.com

  • www.bls.gov
  • www.economy.com/freelunch/default.asp
  • www.ilo.org/dyn/lfsurvey/lfsurvey.home
  • laborsta.ilo.org
  • www.ls.gov/bls/other.htm#International

Conferences
  • businessofsoftware.org
  • lessconf.lesseverything.com
  • futureofwebapps.com - a worldwide conf for web developers and entrepreneurs
Meetups
  • www.meetup.com
  • thestartupdigest.com
Blogs
  • onstartups.com
  • www.kalzumeus.com
  • blog.asmartbear.com
  • steveblank.com
  • www.startuplessonslearned.com
  • www.singlefounder.com
  • www.paulgraham.com/articles.html
Online communities
  • www.micropreneur.com
  • answers.onstartups.com
  • www.startuptodo.com
  • discuss.joelonsoftware.com/?biz
Podcasts
  • mixergy.com
  • www.startupfortherestofus.com
  • web20show.com
  • 37signals.com/podcast
  • startuppodcast.wordpress.com
Traffic stats - use Google Analytics


References

Book - Micro ISV
www.micropreneur.com/: micropreneur academy
http://www.sourcegear.com/vault/
http://www.fogcreek.com/fogbugz/
http://basecamp.com/
www.slimtimer.com