Running ServiceStack self-hosted application without administrative privileges - web-services

I'm trying to host my ServiceStack service in a console host.
I need the ability to launch my service without administrative privileges. But when I try to do this, I get an exception "Access is denied. An unhandled exception of type 'System.Net.HttpListenerException' occurred in ServiceStack.dll".
There seems to be a solution for Web API, but I haven't found one for ServiceStack.
I tried to do this using restrict attributes, with no success.
I also tried the solution from here, but this command requires the user to have administrative privileges.
Is there any way to launch my ServiceStack self-hosted app without administrative privileges?

To get ServiceStack running without administrative privileges you need to ensure that:
The host protocol is http
The hostname you use can only be localhost
You use a port number higher than 1024
So for example these hosts can be created without administrative privileges:
http://localhost:8000
http://localhost:8080
http://localhost:1050 ... etc.
Hostnames using wildcards, domains other than localhost, ports lower than 1024 or https require admin rights, unless a rule has been granted using netsh on Windows, or httpcfg on mono platforms.
http://localhost:80
http://+:8080
http://*:8080
http://domain.com:8080
http://domain.com:80
https://localhost:8080

Related

Getting an error Permission denied (publickey) when connecting the server via SSH

I am not able to SSH into my GCP server. I have been getting Permission denied (publickey). I have tried deleting all SSH keys, restarting the server, increasing storage, up-used startup script, and tagging new firewall rules, but I am still unable to SSH into my server.
This document describes common errors that you may run into when connecting to virtual machine (VM) instances using SSH, ways to resolve errors, and methods for diagnosing failed SSH connections.
This error can occur for several reasons. The following are some of the most common causes of this error:
You used an SSH key stored in metadata to connect to a VM that has OS Login enabled. If OS Login is enabled on your project, your VM doesn't accept SSH keys that are stored in metadata. If you aren't sure if OS Login is enabled.
To resolve this issue, try one of the following:
Connect to your VM using the Google Cloud console or the Google Cloud CLI.
Add your SSH keys to OS Login
Disable OS Login.
Or
You can check this documentation as to how the same concern was resolved.
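The first cause listed above hinges on which metadata value wins. The following Python is an added example (not from the GCP documentation quoted in the answer, nor from the original post) that resolves `enable-oslogin` the way GCE does (instance metadata overrides project metadata) and reports why a key placed in `ssh-keys` metadata would be rejected. The metadata dictionaries are constructed; real values come from `gcloud compute project-info describe` and `gcloud compute instances describe NAME --zone ZONE`.

```python
"""Resolve OS Login vs. metadata SSH keys for a GCE VM and explain the result.
Added example; the metadata below is constructed, not captured from a project."""


def metadata_bool(items, key):
    """GCE metadata values are strings ("TRUE"/"FALSE"); None when unset."""
    value = items.get(key)
    if value is None:
        return None
    return value.strip().lower() == "true"


def oslogin_enabled(project_items, instance_items):
    """Instance-level enable-oslogin overrides the project-level setting."""
    for items in (instance_items, project_items):
        flag = metadata_bool(items, "enable-oslogin")
        if flag is not None:
            return flag
    return False  # unset at both levels: metadata-key SSH is in use


def has_key(items, pubkey):
    """ssh-keys metadata holds one 'user:keytype base64 comment' entry per line."""
    return any(pubkey in line for line in items.get("ssh-keys", "").splitlines())


def diagnose(project_items, instance_items, pubkey):
    """Say what will happen to pubkey, in the terms of the doc excerpt above."""
    if oslogin_enabled(project_items, instance_items):
        return ("rejected: OS Login is enabled, so keys in metadata are ignored; "
                "add the key with `gcloud compute os-login ssh-keys add --key-file=...` "
                "or set enable-oslogin=FALSE")
    if has_key(instance_items, pubkey):
        return "accepted: key is in instance metadata"
    if has_key(project_items, pubkey):
        if metadata_bool(instance_items, "block-project-ssh-keys"):
            return "rejected: block-project-ssh-keys=TRUE on the instance ignores project keys"
        return "accepted: key is in project metadata"
    return "rejected: key is in neither instance nor project metadata"


# Constructed metadata (the key material is not a real key)
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal"
PROJECT = {"enable-oslogin": "TRUE",
           "ssh-keys": f"alice:{KEY} alice@laptop"}
INSTANCE_DEFAULT = {}                          # inherits the project setting
INSTANCE_NO_OSLOGIN = {"enable-oslogin": "FALSE"}

if __name__ == "__main__":
    print("default instance :", diagnose(PROJECT, INSTANCE_DEFAULT, KEY))
    print("oslogin disabled :", diagnose(PROJECT, INSTANCE_NO_OSLOGIN, KEY))
```

With the constructed project above, a VM that inherits the project metadata rejects the key even though it is present in `ssh-keys`, which is exactly the symptom in the question; the same key is accepted once the instance sets `enable-oslogin=FALSE`.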

Denial of Service attacks against remote hosts on the internet

I just got the below mail from Amazon. The instance has Ubuntu as OS and has LDAP and Apache2 installed.
The LDAP server is only used by one other instance, to authenticate its users (just Ubuntu users); nothing else uses the LDAP authentication.
Apache2 only has phpldapadmin and is down most of the time (I start it when I need to make a change to LDAP).
I have tried to check the syslog and auth.log, and cannot find any successful login attempt except for mine (same user, key and IP).
The report was sent while we were conducting a stress test of about 1000 req/sec on a web app hosted on Tomcat6 on the machine that uses the LDAP server for authentication, and the type of request used in the stress test doesn't require any type of authentication; it only loads data from the DB and returns a JSON array.
We have only SSH, LDAP and HTTP open on the LDAP server machine (the one with the issue).
Question is: How to find out the cause of the outbound traffic? Can the stress test cause this or is it just coincidence?
Dear Amazon EC2 Customer,
We've received a report that your instance(s):
Instance Id: xxx
has been making Denial of Service attacks against remote hosts on the Internet; check the information provided below by the abuse reporter.
This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/
Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.
It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233 provides some suggestions for securing your instances.
Case number: 000000-0
Additional abuse report information provided by original abuse reporter:
Destination IPs:
Destination Ports:
Destination URLs:
Abuse Time: Fri Jan 01 05:27:00 UTC 2016
Log Extract:
<<<
It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to IP(s) 162.159.9.138 via TCP port(s) 53. Please investigate your instance(s) and reply detailing the corrective measures you will be taking to address this activity.
In the meantime, we have restricted network access to only inbound TCP ports 22 and 3389 on the instance(s) to prevent further abuse.
If you believe that you were compromised by an external attacker, the best recourse is to back up your data, migrate your applications to a new instance, and terminate the old one. Attempting to repair a compromised instance does not guarantee a successful cleanup in most cases. We recommend reviewing the following resources to ensure your EC2 environment is properly secured:
Amazon EC2 Security Groups User Guide:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
AWS Security Resources:
http://aws.amazon.com/security/security-resources/
AWS Security Best Practices:
https://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
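One way to answer "where is the outbound traffic going" from outside the instance is to aggregate VPC Flow Log records for its network interface by destination and port. The Python below is an added example (not from the abuse report or the original post): it parses default-format flow log lines, sums packets per outbound destination, and flags destinations over a threshold. The log lines are constructed to resemble the report (the flagged destination and TCP port 53 are taken from the report text); the account, interface and private IPs are placeholders. A stress test against your own Tomcat host shows up under that host's private IP and port, not under a stranger's port 53, which is how the two hypotheses in the question can be told apart. On the instance itself, `sudo ss -tunap` or `sudo lsof -i` maps the live sockets to a process.

```python
"""Aggregate outbound VPC Flow Log flows per destination to find what an
instance was hammering.  Added example; the SAMPLE lines are constructed."""
from collections import defaultdict

# Default (version 2) VPC Flow Log field order
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed records: the instance 10.0.0.12 opens many TCP/53 flows to
# 162.159.9.138 (the destination named in the report) while normal LDAP
# and SSH traffic continues.  Epoch 1451626020 is 2016-01-01 05:27:00 UTC.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.0.12 162.159.9.138 51234 53 6 48210 2892600 1451626020 1451626080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.12 162.159.9.138 51235 53 6 47880 2872800 1451626080 1451626140 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.25 10.0.0.12 40000 389 6 310 41000 1451626020 1451626080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.12 10.0.0.25 389 40000 6 290 63000 1451626020 1451626080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.0.12 55100 22 6 40 5200 1451626020 1451626080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.12 203.0.113.7 22 55100 6 36 7100 1451626020 1451626080 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1451626140 1451626200 - NODATA
"""


def parse_flow_logs(text):
    """Parse default-format lines into dicts; skip header, NODATA/SKIPDATA and junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # numeric fields are '-' on NODATA/SKIPDATA records
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def outbound_talkers(records, instance_ip):
    """Sum flows/packets/bytes per (dstaddr, dstport, proto) for flows leaving instance_ip,
    sorted by packets descending."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in records:
        if r["srcaddr"] != instance_ip:
            continue
        key = (r["dstaddr"], r["dstport"], PROTO.get(r["protocol"], str(r["protocol"])))
        agg[key]["flows"] += 1
        agg[key]["packets"] += r["packets"]
        agg[key]["bytes"] += r["bytes"]
    return sorted(agg.items(), key=lambda kv: kv[1]["packets"], reverse=True)


def suspicious(records, instance_ip, pkts_per_dest=10000):
    """Destinations that received at least pkts_per_dest packets from the instance."""
    return [dest for dest, a in outbound_talkers(records, instance_ip)
            if a["packets"] >= pkts_per_dest]


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE)
    for (dst, port, proto), a in outbound_talkers(recs, "10.0.0.12"):
        print(f"{dst:>16}:{port:<5} {proto:4} flows={a['flows']:3} packets={a['packets']:7} bytes={a['bytes']}")
    print("suspicious:", suspicious(recs, "10.0.0.12"))
```

The threshold is deliberately crude; what matters is that a compromised host hammering one remote port stands out from the instance's own legitimate services even when the packet counts are spread over many short flows.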

AWS Elasticsearch & VPC - configuring network access from my fixed IP

I am unable to access AWS Elasticsearch Kibana with a browser.
I have set up an Elasticsearch instance within my VPC exactly as described here;
https://aws.amazon.com/blogs/aws/amazon-elasticsearch-service-now-supports-vpc/
I used the default IAM access policy template, which is basically all current IAM profiles (*).
My EC2 webapp (xenforo forum) is happily connected and chugging away.
I would like to access my elasticsearch domain kibana endpoint via browser from my home PC.
The security group I attached to the cluster configuration includes a rule to allow ALL TCP inbound from my home broadband fixed IP address.
I log into the AWS console, click the Kibana link from the elasticsearch domain overview and... nothing, times out.
I have read everything I can find on the matter. No joy - except perhaps I should be signing my https requests as well which seems crazy complicated and my understanding is that IP access should be configurable with security groups?
Can anyone clarify?
To access Kibana, it seems the only way is to pass the proper headers with your requests.
We solved it by using https://github.com/abutaha/aws-es-proxy - it's not the nicest, but it works for us.
Requires aws-cli to be installed.
Requires a bit of setup, but works well afterwards.
Hope it helps.
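The "proper headers" the answer refers to are an AWS Signature Version 4 `Authorization` header plus `x-amz-date`, which aws-es-proxy computes for each request. The Python below is an added example (not code from aws-es-proxy or from the original post) that produces those headers with only the standard library, so you can see the whole signing chain the question calls "crazy complicated". The ES endpoint, path and credentials in `demo()` are placeholders; the test vector (access key `AKIDEXAMPLE`, the IAM `ListUsers` GET dated 20150830T123600Z) is AWS's published SigV4 worked example. Signing only satisfies the domain's IAM access policy; the request still has to reach the VPC endpoint over the network, which the SSH-tunnel and proxy approaches discussed on this page address.

```python
"""Sign an HTTPS request to an Amazon ES domain with AWS Signature Version 4
using only the standard library.  Added example; ES host, path and credentials
in demo() are placeholders."""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')"""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def sign_request(method, url, headers, body, access_key, secret_key, region, service, amz_date):
    """Return a copy of `headers` with x-amz-date and a SigV4 Authorization header.
    `body` is bytes; `amz_date` is 'YYYYMMDDTHHMMSSZ' (passed in so results are reproducible)."""
    parts = urlsplit(url)
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canon["host"] = parts.netloc
    canon["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    # Canonical query string: RFC 3986 encoding, sorted by parameter name.
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True)))
    canonical_request = "\n".join([
        method.upper(), quote(parts.path or "/", safe="/-_.~"), query,
        canonical_headers, signed_headers, hashlib.sha256(body).hexdigest()])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = dict(headers)
    out["x-amz-date"] = amz_date
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def demo():
    """Sign a GET for the Kibana plugin path on a placeholder VPC ES endpoint (service 'es')."""
    es_host = "vpc-example-abc123.eu-west-1.es.amazonaws.com"   # placeholder
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return sign_request("GET", f"https://{es_host}/_plugin/kibana/", {}, b"",
                        "AKIAPLACEHOLDER", "placeholder-secret", "eu-west-1", "es", now)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whatever issues the request (curl, a browser extension, a local proxy) must send exactly the headers that were signed and the same body, since any change invalidates the signature; that is why a proxy that signs on the way out is the usual way to put a browser in front of a VPC domain.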
Hi. There are many ways to access Kibana; here are some of them that I found:
Use an SSH tunnel. For information on how to do this: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-ssh-elasticsearch
Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
Disadvantages: Requires client-side configuration and a proxy server.
Use an NGINX proxy. For information on how to do this, please visit: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-nginx-elasticsearch
Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.

Unable to connect to AppFabric Cache Server

I have set up an AppFabric (v1.1) cache server. The service is running under a service account and the cluster configs are stored in SQL Server. The service account has rights on the SQL Server and is able to configure successfully.
The admin console, when opened with the service account user, is able to access the cache.
But the problem is that when I tried to connect to this caching service from a different machine, it is unable to connect.
ErrorCode<ERRCA0017>:SubStatus<ES0006>:There is a temporary failure. Please retry later
When I tried with XML configuration in a file share and the service running under the "NetworkService" account, I was able to connect.
Following settings are verified on caching server.
Service is up and running on port 22233.
Firewall is turned off.
The client machine is granted permission to access cache cluster.
Running AppFabric cache as anything other than a “Network Service” is not supported.
Here’s the official documentation that hints at the limitation:
The Caching Service is installed to run under the Network Service
account. This means that for operations over the network, the Caching
Service uses the security credentials of the cache server's domain
computer account. The Caching Service uses the lower-privileged
Network Service account to help mitigate the damage that could be
caused by malicious attacks
But if you don’t find that convincing there’s this forum post from a MS person:
Velocity service running as Domain User is NOT supported.
If you think this is a horrible limitation… I agree with you.
AppFabric cache is a 100% WCF implementation. When I ran into this problem, I turned on WCF tracing and found the exception "The target principal name is incorrect". AppFabric cache does not expose the ability to configure the principal.
In my testing with the cache running under a domain account, I found that if I called the cache across a domain boundary: It worked. If I called it from within the same domain it failed. My infrastructure guy said that the behavior made sense to him based on how credentials were presented in the different scenarios.
Anyone else, check out this:
http://blogs.msdn.com/b/appfabriccat/archive/2010/11/03/appfabric-cache-cache-servers-and-cache-clients-on-different-domains.aspx
It caused me such a headache.
Basically I had to update my hosts file with the IP address and the actual server name of my AppFabric server,
and this resolved the error I was getting.

Windows AppFabric: Host unable to impersonate with SQL Server backing store

Have a two host AppFabric setup. Both hosts are Win2k8 standard and are running the 32 bit version of AppFabric. The entire system has a backing SQL server store that has the AppFabric database store. Connectivity is not an issue between the systems, verified independently.
When I start the cache-cluster I get this error:
(AppFabric Caching service crashed with exception {Microsoft.ApplicationServer.Caching.ConfigStoreException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON')
It appears that AppFabric is unable to impersonate the user it is running / configured with into SQL server. We have configured accounts for the domain user that will run AppFabric, also accounts for the machines. Any help is appreciated, we've been stuck on this for a while now.
This is probably checking things you've already been through but let's see if we can rule a few things out first.
Can you confirm that:
the domain account isn't locked out for some reason, has a non-expiring password etc
the AppFabric Caching service is configured (on both servers) in the Services Control Panel applet to run under the domain account you've created
the domain account has access to SQL Server and the AppFabric config database
Can you start either cache server individually?
Domain Account Configuration is not supported in V1.0. Only Network Service can be configured in V1.0.
Let me see if I have understood the problem correctly.
Configuration: AppFabric 1.0 installed with SQL server config store. All other default configurations.
Symptom: Service does not start on the machines due to sql server connection error.
If the above is correct, you can try the following:
Issue: The AppFabric service runs as Network Service on the server machines for security reasons. When the service tries to access the SQL Server config store, it sees a permission issue.
Resolution: Give permission for the NT service / Machine$ account for all the server nodes on the sql server for the config store db.
Let us know if this solves the issue.