Monday, October 12, 2015

AWS S3 : Limiting Access from Certain IP's

We need our nodes to connect to S3 from a single IP address: an elastic IP attached to our gateway node.

So - based on this design, we needed a way to only allow access to a set of buckets from this single IP address. For example purposes we are using the IP of 72.309.38.2.

If you were to follow the initial example laid out by the AWS documentation, you’ll end up with a policy that probably looks similar to this.

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "72.309.38.2/32"
                }
            }
        }
    ]
}

What you’re going to find, after banging your head on the table a few times, is that this policy does not work. There does not appear to be an implied deny rule with S3 buckets (similar to how IAM access policies are set up). I did my testing with the s3-curl command. When you have that tool set up, you can make a query like the following:


./s3curl.pl --head --id=AKIAYOURACCESSKEY --key=YourSecretKey -- https://s3.amazonaws.com/my-wicked-awesome-bucket/even-more-awesome.file

Using the policy above returned this:

HTTP/1.1 200 OK
x-amz-id-2: BLPqeibX8nZGnSDNi9zRhb+6a8fDiOW6Ij1OXhadWknJKCX9WAb7x1xNETvdXAEv
x-amz-request-id: F6AF36D912E6003B
Date: Fri, 27 Apr 2012 00:25:52 GMT
Last-Modified: Tue, 17 Apr 2012 17:50:11 GMT
ETag: "8553074962ba71d8b2b600b971ba80a8"
Accept-Ranges: bytes
Content-Type: application/pdf
Content-Length: 1451065
Server: AmazonS3

After troubleshooting this with the AWS support team, they let me know of the following:

By default accounts are restricted from accessing S3 unless they have been given access via policy. However, S3 is designed by default to allow any IP address access. So to block IP's you would have to specify denies explicitly in the policy instead of allows.

Once I learned this - the policy was easy to adjust. I flipped around the policy from allowing access from only my IP address to denying access from everywhere that was NOT my IP address.

My new policy looked like this:

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "72.309.38.2/32"
                }
            }
        }
    ]
}

And when I ran my s3-curl command again - I now received the following response.

HTTP/1.1 403 Forbidden
x-amz-request-id: 3B90483F655AA692
x-amz-id-2: 0XEO2miEzZEwbU2N5zPwzLtX4J7BJx/LLXpvSLPpQ7e2wuocx49katsD+ZcqwYA7
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 27 Apr 2012 00:27:14 GMT
Server: AmazonS3
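
Added example (not from the original post or from AWS): a simplified Python model of the evaluation order behind the two responses above, in which an explicit Deny overrides any Allow and a bucket-policy Allow only adds to what the caller's IAM policy already grants. The IAM grant for the access key (a user in the bucket's own account) and the addresses 203.0.113.10 and 198.51.100.7 are assumptions constructed for the example; only the IpAddress and NotIpAddress operators are modelled.

```python
import ipaddress

GATEWAY = "203.0.113.10/32"  # constructed stand-in for the gateway's elastic IP

# Bucket-policy statements from the post, reduced to Effect and Condition.
IP_ALLOW = {"Effect": "Allow", "Condition": {"IpAddress": {"aws:SourceIp": GATEWAY}}}
IP_DENY = {"Effect": "Deny", "Condition": {"NotIpAddress": {"aws:SourceIp": GATEWAY}}}
# Assumption: the access key's IAM user (same account) already has S3 access.
IAM_GRANT = {"Effect": "Allow"}


def condition_holds(statement, source_ip):
    """True when every condition operator in the statement matches the request."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled: {operator}")
        cidrs = keys["aws:SourceIp"]
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        in_range = any(ip in ipaddress.ip_network(c) for c in cidrs)
        if in_range != (operator == "IpAddress"):
            return False
    return True


def evaluate(statements, source_ip):
    """Explicit Deny wins, then any Allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in statements if condition_holds(s, source_ip)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def http_status(statements, source_ip):
    """Status the HEAD request from the post would receive under this model."""
    return 200 if evaluate(statements, source_ip) == "Allow" else 403


if __name__ == "__main__":
    outside, gateway = "198.51.100.7", "203.0.113.10"  # constructed addresses
    for sid, bucket_stmt in (("IPAllow", IP_ALLOW), ("IPDeny", IP_DENY)):
        for ip in (outside, gateway):
            print(sid, ip, http_status([IAM_GRANT, bucket_stmt], ip))
```

Dropping IAM_GRANT from the list shows the IPAllow statement on its own leaving outside addresses at implicit deny.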

Tuesday, October 6, 2015

How to Block Emails Containing Specific Words Using Exim System Filter


Spam and unwanted commercial messages are a major headache. While many server-level spam filters exist, sometimes you need a quick, custom way to block messages based on specific keywords in the email body. This is especially useful for filtering out recurring spam topics.

This guide explains how to use the built-in Exim System Filter in cPanel/WHM to immediately reject emails (both inbound and outbound) that contain a word you specify, like "Viagra."


STEP 1: ENABLE THE SYSTEM FILTER

The first step is to tell your server's mail transfer agent (Exim) to check a special system-wide filter file before processing any email.

  1. Log in to WHM (WebHost Manager).

  2. Navigate to the Exim Configuration Manager. (Usually found under "Service Configuration" or by searching for "Exim" in the search bar.)

  3. Find the System Filter setting. (It may be in the "Advanced Editor" or a specific tab.)

  4. Enable /etc/cpanel_exim_system_filter. You must select the option that tells Exim to use this specific file path for its system-wide filtering rules.

  5. Save your changes and allow Exim to restart.


STEP 2: EDIT THE SYSTEM FILTER FILE

Next, you need to add the actual rule to the filter file. This rule checks the email body for your chosen keyword and stops processing the message if a match is found.

  1. Access your server's command line via SSH as the root user.

  2. Open the filter file for editing: nano /etc/cpanel_exim_system_filter (or use your preferred text editor like vi/vim).

  3. Add the following code block to the file:

if $message_body: contains "TEXT" and not error_message
then
  seen finish
endif

  4. Replace "TEXT" with the word you want to block. This is case-sensitive, so blocking "Viagra" will not block "viagra." For example, to block the word "Viagra":

if $message_body: contains "Viagra" and not error_message
then
  seen finish
endif

HOW THE CODE WORKS

This small snippet performs a powerful action:

  • if $message_body: contains "Viagra": This is the condition. It checks if the entire body of the email contains the exact text "Viagra."

  • and not error_message: This is a safety measure. It ensures the rule doesn't accidentally block automated delivery failure notifications (bounce messages).

  • then seen finish: If the condition is met (the word is found), this action tells Exim to immediately stop processing the message. For incoming email, it will be rejected; for outgoing email, it will be discarded before sending.


CONCLUSION

By completing these two steps—enabling the filter and adding the rule—you have successfully implemented a server-level block. Your server will now automatically reject or discard any email that contains your specified keyword in the body, providing a simple yet highly effective defense against targeted spam.

Saturday, August 15, 2015

Configure MySql and ODBC Connector In Windows 2012 Server

Installing MySql and its ODBC Connector In the Windows 2012 Server

Download The Microsoft Visual C++ 2010 Redistributable
http://www.microsoft.com/en-gb/download/details.aspx?id=14632

Download and install the ODBC Connector
http://cdn.mysql.com/Downloads/Connector-ODBC/5.3/mysql-connector-odbc-5.3.4-winx64.msi

Download MySQL
http://cdn.mysql.com/Downloads/MySQL-5.6/mysql-5.6.26-winx64.zip

c:\mysql>cd bin
c:\mysql\bin>mysqld --install
Service successfully installed.

Go to Services and start the MySQL service.

c:\mysql\bin>mysql -u root -p
(No password is needed the first time.)

Set the root Password
=====================
mysql>
mysql> UPDATE mysql.user SET password=PASSWORD('redhat') WHERE user='root';
Query OK, 3 rows affected (0.00 sec)
Rows matched: 3  Changed: 3  Warnings: 0

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | 127.0.0.1 |
| root | ::1       |
|      | localhost |
| root | localhost |
+------+-----------+
4 rows in set (0.00 sec)


mysql> delete from mysql.user where user='';
Query OK, 1 row affected (0.00 sec)

mysql> select user,host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | 127.0.0.1 |
| root | ::1       |
| root | localhost |
+------+-----------+
3 rows in set (0.00 sec)


mysql> create database fileserver;
Query OK, 1 row affected (0.01 sec)

mysql> GRANT ALL PRIVILEGES ON fileserver.* TO 'fileserver'@'localhost' IDENTIFIED BY 'fileserver';
Query OK, 0 rows affected (0.02 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql>