How safe is to use public subnet? - amazon-web-services

I have an EC2 machine in a public subnet. In the security group I have only opened port 22 for my public static IP. How safe is it?

As per your comment:
"If I keep the security group open for certain IPs, I am quite unsure whether it is safe or not because there are multiple hops between those IPs and AWS IPs (packet data travels through them). Am I correct? And can that application be accessed from those hops?"
It is absolutely safe to use the ssh port unless a vulnerability is found in the future in the ssh protocol itself.
Firstly, you are restricting access to a single static IP, so no one else should be able to initiate an ssh session from any other machine.
Secondly, if you have protected your ssh private key and it is not shared, then anyone else on the same static IP wouldn't be able to start an ssh connection.
Thirdly, an ssh connection creates a secure encrypted data pipe between the client and the server, so even if someone tries to sniff the packets as they pass through different hops, it is hard to make any sense of them as all the data is encrypted.
Considering all of the above, in my opinion it is quite safe.

Related

Direct access a database in a private subnet without SSH tunnel

I have a database set up (using RDS) in a private subnet, and a bastion is set up in front of it in a public subnet. The traditional way to access this database from local laptops is to set up an ssh tunnel on that bastion/jumpbox and map the database port to local. But this is not convenient for development because we need to set up that tunnel every time before we want to connect. I am looking for a way to access this database without setting up an ssh tunnel first. I have seen a case where the local laptop directly uses that bastion's IP and its 3306 port to connect to the database behind it. I have no idea how it is done.
BTW, in the case I saw, they don't use port forwarding, because I didn't find any special rules in the bastion's iptables.
There are several ways to accomplish what you are trying to do, but without understanding the motivation fully it is hard to say which is the "Best Solution".
SSH tunneling is the de facto standard for accessing a resource in a private subnet behind a public bastion host. I will agree that SSH tunnels are not very convenient; fortunately, some IDEs and many apps are available to make this as easy as a click of a button once configured.
Alternatively, you can set up a client-to-site VPN to your EC2 environment, which would also provide access to the private subnet.
I would caution that anything you do which proxies or exposes the DB cluster to the outside world in a naked way, such as using iptables, Nginx, etc., should be avoided. If your goal is this, then the correct solution is to just make the DB instance publicly exposed. But be aware that any of these solutions which do not make use of tunneling in (such as a VPN or SSH tunnel) would be an audit finding, and open your database to various attack vectors. To mitigate this, it would be recommended that your security groups restrict port 3306 to the public IPs of your corporate network.

how does bastion know which rds instance to connect to in AWS

I am trying to set up a bastion host in AWS in order to perform administrative options on an RDS instance in a private subnet. I am following the instructions from the official documentation (https://docs.aws.amazon.com/quickstart/latest/linux-bastion/step1.html), but there it is not clear how the bastion will know which RDS instance to connect to. How would I make sure that it can 'talk to' my intended RDS? (as far as I understand, the key pair is just something I can create anytime and enter to connect to the bastion itself, but not the RDS, or am I wrong?)
The documentation you linked uses an AWS CloudFormation stack to deploy the Bastion. I'm not sure exactly what configuration it is using, so my answer will be generic, rather than applying to this specific situation.
The normal configuration is:
A database in a private subnet
A Bastion server (EC2 instance) in a public subnet
A connection is made to the Bastion, which then allows an on-connection to the database
There are a number of ways of connecting to the database through the Bastion. Here's one that I use:
ssh -i key.pem ec2-user@BASTION-IP -L 3306:DATABASE-DNS-NAME:3306
This tells the SSH connection to forward any traffic sent to my local port 3306 (the first number), through the SSH connection, but then send it to DATABASE-DNS-NAME:3306 (the database server). Any response from the database will come back the same way.
Then, when I wish to refer to the database from my computer, I reference:
localhost:3306
It appears that the database is on my own computer, but the traffic is actually sent across SSH to the Bastion, then onto the database.
There are newer and better ways of doing this forwarding that other people might (hopefully) add as a comment or another answer, but this is the way I make my connections through a Bastion.
Fun fact: A Bastion is the bit of a castle wall that sticks out, allowing defenders to shoot arrows at attackers attempting to climb the wall. In a similar way, the Bastion Server sticks out into the Internet, beyond the protected part of the network.
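An added example (not code from the answer above) that parses the -L spec used in that command and checks the one thing the answer's explanation leaves implicit: which interface the local port ends up bound to. The RDS name, bastion address and key file are the answer's placeholders.

```python
"""Parse and sanity-check an ssh -L spec such as 3306:DATABASE-DNS-NAME:3306.

Added example, not code from the answer above. Grammar (ssh(1)):
[bind_address:]port:host:hostport. With bind_address omitted the local port is
bound per the client's GatewayPorts setting (loopback only by default); an
EMPTY bind_address or '*' binds every interface, letting other hosts on your
LAN use the tunnel. Bracketed IPv6 literals are not handled.
"""
from dataclasses import dataclass

@dataclass
class LocalForward:
    bind_address: str   # "localhost" when omitted, "*" when given as empty
    port: int           # local listening port (the first number in the spec)
    host: str           # target as resolved from the bastion, e.g. the RDS DNS name
    hostport: int       # target port

def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)

def parse_local_forward(spec: str) -> LocalForward:
    """Split '[bind:]port:host:hostport' into its fields."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, (port, host, hostport) = "localhost", parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        bind = bind or "*"              # ssh treats an empty bind as "all interfaces"
    else:
        raise ValueError(f"expected [bind:]port:host:hostport, got {spec!r}")
    if not host:
        raise ValueError("empty target host")
    return LocalForward(bind, _port(port), host, _port(hostport))

def tunnel_is_loopback_only(fwd: LocalForward) -> bool:
    """False when the forwarded port would listen on non-loopback interfaces."""
    return fwd.bind_address in ("localhost", "127.0.0.1", "::1")

def ssh_argv(user: str, bastion: str, key: str, fwd: LocalForward) -> list:
    """argv for the tunnel command in the answer, plus -N (no remote shell) and
    ExitOnForwardFailure so a local port clash fails loudly instead of silently."""
    spec = f"{fwd.bind_address}:{fwd.port}:{fwd.host}:{fwd.hostport}"
    return ["ssh", "-i", key, "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", spec, f"{user}@{bastion}"]
```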

Why does it matter if my EC2 instance is publicly available?

I have three allowable inbound requests on my Linux EC2 instance.
Type              Protocol   Port Range   Source
SSH               TCP        22           [my IP address]
Custom TCP Rule   TCP        8787         0.0.0.0/0
Custom TCP Rule   TCP        3838         0.0.0.0/0
The first is my IP address and the other two are for RStudio Server. My understanding is that, even though it is set for RStudio Server, anyone can make inbound requests since the source is open.
Nobody can access my EC2 instance without the private key file, which is safe and secure.
Given that, why does it matter whether my EC2 instance is private?
The private key file is to authenticate you for an ssh session (or to retrieve the password for a Windows EC2 instance).
If a port is accessible to the public, and an application is listening on that port, someone may be able to exploit a vulnerability in that application and compromise your EC2 instance.
Even if only the ssh port is open to the public and no one other than you has the private key, it's possible (theoretically) for someone to brute-force ssh (although not practically possible).
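An added check, not code from this answer or from the first question's answer above, that mechanises the point both make: the rules to worry about are the ones whose source admits the whole Internet, and the reviewer wants them listed with the ports they expose. The group dict is constructed to mirror the question's three rules so the script runs offline; the group id and the /32 address are placeholders.

```python
"""Flag security-group ingress rules reachable from the whole Internet.

Added example, not code from the answers above. Input is a constructed dict
in the shape of one group from boto3's ec2.describe_security_groups(); it
mirrors the three rules quoted in the question, so nothing calls AWS.
"""
import ipaddress

SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder, not a real group id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},  # "my IP"
        {"IpProtocol": "tcp", "FromPort": 8787, "ToPort": 8787,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # RStudio Server
        {"IpProtocol": "tcp", "FromPort": 3838, "ToPort": 3838,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # RStudio Server
    ],
}

SENSITIVE_PORTS = (22, 3389, 3306, 5432)  # world exposure of these rates "high"

def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. every address on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_group(group: dict) -> list:
    """Return one finding per (rule, source) pair that any host can reach."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                 # "All traffic": boto3 omits the ports
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if not is_world_open(src):
                continue
            sensitive = any(lo <= p <= hi for p in SENSITIVE_PORTS)
            findings.append({"group": group["GroupId"], "protocol": proto,
                             "ports": f"{lo}-{hi}", "source": src,
                             "severity": "high" if sensitive else "medium"})
    return findings

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(finding)
```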

Restrict the access to aws instance from specific IP

I want to set the security groups for the web server running in an AWS instance. My website should be accessible through HTTP/HTTPS, but file modification access is to be set to a particular IP address. I am currently connected to a Wifi router, and as far as I know the IP that my PC is assigned changes every time.
Can someone please guide me on how to get a static IP address that I can allow access to my website? Thanks in advance.
You would need to see if your ISP can sell you a static IP; it's not always possible. I can't get one from my ISP when working from home, for example; your ISP may be different.
However, if it is just you that needs a static IP address (i.e. you as the developer/admin, as opposed to users in the public), it is only a few clicks of the mouse to update the security rule through the AWS console each time you need elevated access. I do this for several servers running on EC2 which I keep locked down, and when I need to RDP into them, I open up the security groups to just my (dynamic) IP, and remove the rule when I am done; this will work if you only occasionally need access. You could also automate this process using a little scripting and/or a Lambda function.
Another option that I also use: I have a service that I need to access continually from a static IP. I use another EC2 instance (with a fixed IP) as the whitelisted IP for this, and then I connect to that service by first connecting via RDP to the EC2 instance; the EC2 instance with the fixed IP then accesses the service using its static IP.
You first have to know if your external IP changes; if so, you have to ask your ISP to change your IP to a static one.
If it's the internal IP that changes but the external IP is the same, you will have no problem accessing AWS.

ftp access from AWS VPC private subnet behind a NAT instance

I have created a VPC with public and private subnets on AWS. All app servers are in private subnets and all outbound requests have to be through an internet-facing NAT instance.
At the moment, our project requires the app servers to access a ftp server provided by a service provider.
I have tried several ways to manage that, but with no luck. What I did was open a port range, let's say (40000 - 60000), on both the NAT and APP security groups, and the standard ftp ports 20 - 21 as well.
User authentication passes, but I could not list contents from the app servers.
I am able to access the ftp server from the NAT, no problem at all.
So what should I do to make it work?
@JohnRotenstein is absolutely correct that you should use Passive FTP if you can. If, like me, you're stuck with a client who insists that you use Active FTP because the FTP site they want you to connect to has been running since 1990 and changing it now is completely unreasonable, then read on.
AWS's NAT servers don't support a machine in a private subnet connecting using Active FTP. Full stop. If you ask me, it's a bug, but if you ask AWS support they say it's an unsupported feature.
The solution we finally came up with (and it works) is to:
Add an Elastic Network Interface (ENI) in a public subnet on to your EC2 instance in the private subnet
So now your EC2 instance has 2 network adapters, 2 internal IPs, etc.
Let's call this new ENI your "public ENI"
Attach a dedicated elastic IP to your new public ENI
Let's assume you get 54.54.54.54 and the new public ENI's internal IP address is 10.1.1.10
Add a route in your operating system's networking configuration to only use the new public ENI
In Windows, the command will look like this, assuming the evil active FTP server you're trying to connect to is at 8.1.1.1:
route add 8.1.1.1 mask 255.255.255.255 10.1.1.1 metric 2
This adds a route so that all traffic to the FTP server at 8.1.1.1, using subnet mask 255.255.255.254 (i.e. this IP and only this IP), goes to the internet gateway 10.1.1.1 via ethernet adapter 2 (your second NIC).
Fed up yet? Yeah, me too, but now comes the hard part. The OS doesn't know its public IP address for the public ENI. So you need to teach your FTP client to send the PORT command with the public IP. For example, if using curl, use the --ftp-port command like so:
curl -v --ftp-port 54.54.54.54 ftp://8.1.1.1 --user myusername:mypass
And voila! You can now connect to a nightmare active FTP site from an EC2 machine that is (almost entirely) in a private subnet.
Try using Passive (PASV) mode on FTP.
From Slacksite: Active FTP vs. Passive FTP, a Definitive Explanation:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
Thus, the traffic is trying to communicate on an additional port that is not passed through the NAT. Passive mode, instead, creates an outbound connection, which will then be permitted through the NAT.
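An added example, not code from either answer above, covering both the --ftp-port workaround and the quoted active-vs-passive explanation: it builds the PORT command a client sends in active mode and decodes the 227 reply a server sends in passive mode. The addresses 54.54.54.54 (the EIP), 10.1.1.10 (the ENI) and 8.1.1.1 (the FTP server) are the ones the accepted answer assumed.

```python
"""Encode an FTP PORT command and decode a PASV reply (RFC 959 host-port form).

Added example, not code from the answers above. It shows why the OS-level
private address cannot be used from behind NAT: the PORT command carries the
client's IP address literally, so the client must send its public EIP (the
value given to curl's --ftp-port), not the ENI's 10.x private address.
"""
import ipaddress
import re

_HOSTPORT = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def encode_port_command(ip: str, port: int) -> str:
    """Build 'PORT h1,h2,h3,h4,p1,p2' for an IPv4 address and a TCP port."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])

def parse_pasv_reply(reply: str) -> tuple:
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = _HOSTPORT.search(reply)
    if m is None:
        raise ValueError("no host-port tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host-port tuple")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def is_private_ipv4(ip: str) -> bool:
    """True for non-routable space. A PORT command carrying such an address
    from behind NAT tells the server to dial an address it cannot reach: the
    symptom in the question, where login works but listing fails."""
    return ipaddress.ip_address(ip).is_private
```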