I have a Static Public IP RDP Windows server I want to host through GCP,so as to get the Security Feature to secure my server from RDP Attack and other...
What to Do ?
Since your question is very broad I can only suggest to improve your servers's security:
Go to your firewall settings in GCP console and set check/set up some rules:
limit the number of IP's able to connect via RDP (leave just the ones you need)
make sure ICMP response is turned off
block all TCP/UDP ports and leave only the ones you use (like RDP)
You can check what rules are already in place when you create your VPC (in automatic mode you get some prepoulated rules that allow to ping or rdp to an instances).
Lastly - - install all the latest updates on the server - it will also improve the security of your VM/
You can read more for example here - how to harden your 2016 machine.
These are just simple rules to make your machine much more secure. If you want more detailed solution then update your question and put some more details about your use case.
Related
I want to install MobSF to test every my mobile apps that I develop before.
Since I don't have many environment in my local PC, so I create a compute engine in GCP.
All installation is running well and completed.
My problem is, I can't access MobSF via external/public IP from GCP.
when I ping to my external IP, it's no problem.
I think this problem caused by firewall configuration that I must open port 8000.
But I don't know how to create correct firewall setting.
I was try to create before, but still failed.
If you simply want to open port 8000 to the world, you can create a firewall rule as below (considering you are using the default vpc):
gcloud compute firewall-rules create "allow8000" --allow=tcp:8000
--source-ranges="0.0.0.0/0" --description="Allow 8000 external"
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
Edit: if you want to do a more granular firewall control to specify only one compute engine (the one you mentioned) you need either use network tags or allow only the private IP of that instance.
Also, I just noticed that you've started the app with the loopback address. Have you tried to start it up to listen to all interfaces "0.0.0.0"?
It is more likely that you might have not checked the ‘Allow HTTP traffic’ box of Firewall while creating the Virtual machine. If so, please follow the below mentioned steps and then try accessing your application from the web browser.
Click on the VM name
In the VM instance details page, click on EDIT button
Select the ‘Allow HTTP traffic’ under firewalls option and save.
AWS and network noob. I've been asked to migrate QuickBooks Desktop Enterprise to AWS. This seems easy in principle but I'm finding a lot of conflicting and confusing information on how best to do it. The requirements are:
Setup a Windows Server using AWS EC2
QuickBooks will be installed on the server, including a file share that users will map to.
Configure VPN connectivity so that the EC2 instance appears and behaves as if it were on prem.
Allow additional off site VPN connectivity as needed for ad hoc remote access
Cost is a major consideration, which is why I am doing this instead of getting someone who knows this stuff.
The on-prem network is very small - one Win2008R2 server (I know...) that hosts QB now and acts as a file server, 10-15 PCs/printers and a Netgear Nighthawk router with a static IP.
My approach was to first create a new VPC with a private subnet that will contain the EC2 instance and setup a site-to-site VPN connection with the Nighthawk for the on-prem users. I'm unclear as to if I also need to create security group rules to only allow inbound traffic (UDP,TCP file sharing ports) from the static IP or if the VPN negates that need.
I'm trying to test this one step at a time and have an instance setup now. I am remote and am using my current IP address in the security group rules for the test (no VPN yet). I setup the file share but I am unable to access it from my computer. I can RDP and ping it and have turned on the firewall rules to allow NB and SMB but still nothing. I just read another thread that says I need to setup a storage gateway but before I do that, I wanted to see if that is really required or if there's another/better approach. I have to believe this is a common requirement but I seem to be missing something.
This is a bad approach for QuickBooks. Intuit explicitly recommends against using QuickBooks with a file share via VPN:
Networks that are NOT recommended
Virtual Private Network (VPN) Connects computers over long distances via the Internet using an encrypted tunnel.
From here: https://quickbooks.intuit.com/learn-support/en-us/configure-for-multiple-users/recommended-networks-for-quickbooks/00/203276
The correct approach here is to host QuickBooks on the EC2 instance, and let people RDP (remote desktop) into the EC2 Windows server to use QuickBooks. Do not let them install QuickBooks on their client machines and access the QuickBooks data file over the VPN link. Make them RDP directly to the QuickBooks server and access it from there.
I recently start using GCP but i have one thing i can't solve.
I have: 1 VM + 1 DB Instance + 1 LB. DB instance allow only conections from the VM IP. bUT THE VM IP allow traffic from all ip (if i configure the firewall to only allow CloudFlare and LB IP's the website crash and refuse conections).
Recently i was under attack, i activate the Cloudflare ddos mode, restart all and in like 6 h the attack come back with the Cloudflare activate. Wen i see mysql conections bump from 20-30 to 254 and all conections are from the IP of the VM so i think the problem are the public accesibility of the VM but i don't know how to solved it...
If i activate my firewall rules to only allow traffic from LB and Cloudflare the web refuses all conections..
Any idea what i can do?
Thanks.
Cloud Support here, unfortunately, we do not have visibility into what is installed on your instance or what software caused the issue.
Generally speaking you're responsible for investigating the source of the vulnerability and taking steps to mitigate it.
I'm writing here some hints that will help you:
Make sure you keep your firewall rules in a sensible manner, e.g. is not a good practice to have a firewall rule to allow all ingress connections on port 22 from all source IPs for obvious reasons.
Since you've already been rooted, change all your passwords: within the Cloud SQL instance, within the GCE instance, even within the GCP project.
It's also a good idea to check who has access to your service accounts, just in case people that aren't currently working for you or your company still have access to them.
If you're using certificates revoke them, generate new ones and share them in a secure way and with the minimum required number of users.
Securing GCE instances is a shared responsability, in general, OWASP hardening guides are really good.
I'm quoting some info here from another StackOverflow thread that might be useful in your case:
General security advice for Google Cloud Platform instances:
Set user permissions at project level.
Connect securely to your instance.
Ensure the project firewall is not open to everyone on the internet.
Use a strong password and store passwords securely.
Ensure that all software is up to date.
Monitor project usage closely via the monitoring API to identify abnormal project usage.
To diagnose trouble with GCE instances, serial port output from the instance can be useful.
You can check the serial port output by clicking on the instance name
and then on "Serial port 1 (console)". Note that this logs are wipped
when instances are shutdown & rebooted, and the log is not visible
when the instance is not started.
Stackdriver monitoring is also helpful to provide an audit trail to
diagnose problems.
You can use the Stackdriver Monitoring Console to set up alerting policies matching given conditions (under which a service is considered unhealthy) that can be set up to trigger email/SMS notifications.
This quickstart for Google Compute Engine instances can be completed in ~10 minutes and shows the convenience of monitoring instances.
Here are some hints you can check on keeping GCP projects secure.
I didn't find such guide or articles how to do it for ElasticSearch hosted on Windows server.
I have the EC2 amazon windows instance which running ElasticSearch server on port 9200, but I can't achieve it by _ec2_ip_adress:9200 outside the server.
I completely sure that all TCP ports are opened in amazon security group rules, I've turned off the firewall on the server as well.
So that is the problem in ElasticSearch configs.
Can someone help me with that?
Well but you know that then any body would be able to delete/create stuff in your index until you have shield.
If you really want to open it, also make sure that in windows firewall you opened port 9200.
So what i would do i would probably restrict in firewall on in Amazon access to this port for specific IPs (Actually in my project i am doing that :) )
There is one more thing to check on which IP is runned as soon as i remember ES will run on private IP. Look to network.host default is __local__. Try network.host: 0.0.0.0
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I understand that a VPC Amazon instance has the ability to create VPN connections but at a cost of $.05 per hour. Is it possible to create your own VPN on an instance and then route your other instance through this VPN? It seems like it would be more cost efficient? What are the pros/cons?
I understand that a VPC Amazon instance has the ability...
To clarify, your virtual environment in Amazon VPC is typically referred to as "a VPC," not "a VPC instance." A "VPC instance" typically refers to an EC2 instance that is provisioned inside a VPC.
A fixed VPN connection can be provisioned from Amazon VPC to a hardware device at your location, and this incurs the $0.05/hour charge (essentially $37.20/mo) you mentioned. This fee is charged for as long as the the connection is provisioned on the AWS side, whether it is properly configured on your side, and working, or not... because what you are paying for is the use of Amazon's hardware to accommodate the VPN.
To me, this seems like a ridiculously good deal, because my VPC VPN connections -- once established -- pretty much "just work," and if the underlying hardware fails, it seems a reasonable assumption that AWS's proactive monitoring will detect that condition and the hardware would be replaced with no real effort required from me.
But, yes, it's entirely possible to provision a VPN with EC2 instances, but to have a similar level of resiliency compared to what you have if you use the native solution, you would need at least 2 EC2 instances, for failover.
This Amazon article explains how to connect two different VPCs to each other via a VPN using EC2 machines -- since this is not something the native solution supports -- but it does not take much imagination at all to understand how you could use exactly the same logic to tie your corporate network into a VPC with a very comparable design to what's shown here.
The only thing, though, is that the $0.05/hour is cheaper than the price of an on-demand "m1.small" instance, at $0.06/hour, so unless you wanted to prepay for more discounts or try to use "micro" instances to connect your networks together, the native solution provided by VPC seems like a no-brainer.
Understand, though, that the native solution (that is, the VPN service offered by AWS as part of VPC) is only for fixed site-to-site (your-site-to-AWS) connections... it has nothing to do with remote users tunneling into your VPC. For ad-hoc on-demand connections that provide individual users with the ability to tunnel into your VPC, you'd need to roll your own solution.
It possible just install OpenVPN on your NAT instance, for example have a look on article:
Amazon AWS VPC Setting up OpenVPN server
Create an Ubuntu instance
This instance will serve as the OpenVPN server. I am using Ubuntu 12.04 LTS
Set up a VPC security group
Before I can create this instance I need to create a new VPC security group for it.
From the VPN console open Security Groups and click on Create Security Group
Name it openvpn and associate it with your VPC, then click create.
Select the Details tab and make not of the group ID, in this case its
sg-cd7c94a2
Select the Inbound tab and select the SSH rule and click Add Rule.
Select Custom UDP rule set the port range to 1194 for OpenVPN. Click Add Rule.
Select Custom TCP rule and enter 943 for the port range click Add Rule.
Select Custom TCP rule and enter 946 for the port range and click Add Rule
Select HTTPS and click Add Rule
Click Apply Rule Changes.
Here are the Security rules
Select Subnets and copy the ID of the public subnet, in my case its subnet-4c657627
Start the instance
Now start the instance
> ec2-run-instances ami-9c78c0f5 -b /dev/sda1=:8:true -k pats-keypair -t t1.micro -s subnet-4c657627 -g sg-cd7c94a2 --private-ip-address 10.0.0.99 --availability-zone us-east-1a
Change Source /Dest Check
From the EC2 console select the newly made instance and right click and select “Change Source / Dest Check”
Click Yes, Disable
Give it an elastic IP
From the VPC console select Elastic IPs and click Allocate New Address
Make sure its set to VPC and click Yes, Allocate
Click on associate Address
Select the instance that was just created and click on Yes, Associate
SSH into the new instance
To confirm its up and running SSH into this box
> ssh -i .ec2/pats-keypair.pem ubuntu#107.23.79.220
Install OpenVPN
You need to download the OpenVPN software from openvpn.net. This version of the software is free to use for two users, otherwise it costs $5 per user per year, but require a minimum of 10 users so $50 per year, which is not a bad deal. https://openvpn.net/index.php/access-server/pricing.html [2]
From the OpenVPN machine run the following commands
> wget https://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.amd_64.deb
> sudo dpkg –i openvpn-as-1.8.4-Ubuntu10.amd_64.deb
After the install is done you will see the admin web interface address displayed
The admin needs a password for the openvpn user run the following command to set it.
> sudo passwd openvpn
I just set mine to adminpass for test purposes.
Configure OpenVPN
Open up OpenVPN admin web page at
https:// 107.23.79.220 :943/admin
Of course enter your static IP address for it.
You will see something like this, click on proceed anyway
The admin login page will now display. Enter the user name openvpn and the password you assigned to that user, then click Sign in
Click Agree for the license terms
Click on Server Network Settings
Enter the Elastic IP address in the hostname field
Scroll to the bottom of the page and click Save Settings
Click Update Running Server
Click on VPN settings
Scroll down to the routing section and add all your subnets to this section. I only have 2 subnets 10.0.0.0/24 and 10.0.1.0/24
Scroll down and click Save Settings
Click on Update Running Server
Set up Client machine
Open up https:// 107.23.79.220 / in a web browser (change the IP address for your own.
Login as the openvpn user and click go
Click on “Click here to continue” This will download software you need to your system to connect to this VPN
Install the software, on a windows machine you can right click on the download and click Open
Then click Run
This window should pop up, click Yes to create the tunnel.
The web site should now report that it is up.
To test this out I am going to attempt to ssh into my instances
I have the following instances
10.0.0.20
10.0.1.30
10.0.0.25 NAT from aws
10.0.0.99
Test Connection
From my cygwing command line:
ssh -i .ec2/pats-keypair.pem ubuntu#10.0.0.20