Why does it matter if my EC2 instance is publicly available? - amazon-web-services

I have three allowable inbound requests on my Linux EC2 instance.
Type Protocol Port Range Source
SSH TCP 22 [my ip address]
Custom TCP Rule TCP 8787 0.0.0.0/0
Custom TCP Rule TCP 3838 0.0.0.0/0
The first is my IP address and the other two are for RStudio Server. My understanding is that, even though it is set for RStudio Server, anyone can make inbound requests since the source is open.
Nobody can access my EC2 instance without the private key file, which is safe and secure.
Given that, why does it matter whether my EC2 instance is private?

The private key file is to authenticate you for an ssh session (or to retrieve the password for a Windows EC2 instance).
If a port is accessible to the public, and an application is listening on that port someone may be able to exploit a vulnerability in that application and compromise your EC2 instance.
Even if only the ssh port is open to public but no one other than you has the private key, it's possible (theoretically) for someone to brute force ssh (although not practically possible).

Related

Cannot connect to EC2 instance using port other than 22 or ping

I have my EC2 instance security group inbound rule to accept my ip as follows:
Outbound rule as follows:
I can connect to my instance using ssh and also ping my instance from my local machine without any issues.
When I have a server running on my EC2 instance on http protocol in port 9999 I am unable to access this site.
netstat -peanut gives me the following output on the server:
I am not sure why I am not able to access the http page locally? Should anything change in my inbound rule? I tested this on Amazon linux and ubuntu images. Nothing works.
Even though I have opened all ports on my security group aws seems to be allowing me to only access the common ports like 22, 80 and so on.
The only way I could finally access my remote server on port 9999 was by ssh tunneling:
ssh -TNL 9999:127.0.0.1:9999 <user>#<ip-address>

Not able to change port from 80 to any other port in AWS

So i have created an EC2 instance in AWS and i have attached security group for this which has HTTP port 80 which comes by default .
I also has assigned public ip for this instance and which is working fine .
When i change port of my IIS serve to 8080 or 800 or anything page is not able to display .
Even i have changed to Custom TCP rule and given that port but still i am not able to access from outside of AWS .
I have tried accessing using DNS as well .
Can some one help me resolve this ..
To access any port of EC2 instance you must do below things:
On EC2 instance do not enable firewall, instead of this we have AWS service called Security Group which helps us to access respective instance ports as required.
Now, you must have a security group which has Http port 80 and ssh port 22 enabled (port 22 for secure shell), so now you can add port 8080 or any other ports in that list of inbound rules. I have attached screenshot below:
Now, try to access your ports from outside (you can put http://publicIP of ec2 instance:8080 in browser to check if port is accessable from outside), and check if its working fine. Also make sure to have openSSH on machine from where your'e going to access EC2 instance.

AWS Ubuntu instance as proxy

I'm not sure why my browser is timing out when I try to connect to my AWS Ubuntu Instance squid proxy
I want to have my AWS Ubuntu instance act as a proxy for my python requests. The requests I make in my program will hit my AWS proxy and my proxy will return to me the webpage. The proxy is acting as a middleman. I am running squid in this Ubuntu instance. This instance is also within a VPC.
The VPC security group inbound traffic is currently set to
HTTP, TCP, 80, 0.0.0.0/0
SSH, TCP, 22, 0.0.0.0/0
RDP, TCP, 3389, 0.0.0.0/0
HTTPS, TCP, 443, 0.0.0.0/0
and outbound traffic is open to all traffic
This is my current squid configuration is the default squid.conf except that I changed one line to
http_access allow all meaning traffic is open to all.
However when I changed my mozilla browser to use the Ubuntu instance's Public IP and squid.conf default port of 3128, I cannot see any traffic going through my proxy using this command on the ubuntu instance
tail -f /var/log/squid/access.log
My browser actually times out when I try to connect to a website such as google.com. I am following this tutorial but I cannot get the traffic logs that his person is getting.
HTTP/S as shown in security group settings actually has nothing whatsoever to do with HTTP/S.
Many port numbers have assigned names. When you see "HTTP," here, it's only an alias that means "whatever stuff happens on TCP port 80." The list of values only inludes common services and the names aren't always precise compared the official port names, but the whole point is to give neophytes a word that nakes sense.
What should I change? I always thought I should be leaving HTTP/S ports to their default values.
That is not at all what this does. As already inferable from above, changing an "HTTP" rule from port 80 to something else does not change the value for the HTTP port on instances behind it. Changing the port value makes the rule no longer be an "HTTP" rule, since HTTP is just a friendly label which means "this rule is for TCP port 80."
You need a custom TCP rule allowing port 3128 from your IP, and that's it.
You need to add 3128 as custom TCP in your SG. This will allow Squid to send/ receive traffic.
Also as a best practice, make SSH accessible from your own IP rather than public.

Why can't i telnet my aws instance?

Created an AWS AMI instance.
I can telnet from the instance itself
telnet [Pv4 Public IP] 9200
But not from my pc.
This is my security group
What am I doing wrong?
You can check your Network ACL configurations.
It looks like there is some other firewall in between your PC and server which is blocking you on 9200.
If you can access port 80 via telnet or you're able to SSH in it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser it's like a local config - maybe AV or a firewall.
EC2 instances use security groups for their firewall
Another test to narrow down the the issue would to see if you could telnet from another instances in the same subenet in the same AZ. Being in the same subnet you should not be affected by a network ACL.
You can have a look at this telnet-to a cloud instance from outside
The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"
As well make sure that the instance is residing in a public VPC
Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.
Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:
// List iptables access rules
sudo iptables -L -v
// List access rules via ufw
sudo ufw status
You said: "This is my SG", but...which way? Inbound or outbound?
It can simply be that your host can't reply to your PC.
Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.
Otherwise, like the others said, look at one level up, VPC-level (network ACL).
You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.
Run lsof -i:9000 if on unix.
If you see something like this under NAME then host IP used to start your acceptor will needs to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 2777 ubuntu 148u IPv6 26856 0t0 TCP localhost:afs3-callback (LISTEN)
A Telnet service is not installed by default on an Amazon Linux AMI.
If you wish to use it, you will need to install it yourself, eg: Install and Setup Telnet on EC2 Amazon Linux or CentOS.
However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on wikipedia
Just a thought, check firewall of your PC.
Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:
ssh-add -K <yourkeyname>.pem
ssh ubuntu#<yourdns or ip>.com == or == ssh ec2-user#<yourdns or ip>

Different ssh port than 22 on ec2

I recently changed port field with custom port sshd_config file on amazon ec2.
However, it doesn't respond to ssh -p1234 user#domain.com because of security groups.
I have my ssh port (22) open on security group but I need to make it 1234 but on aws console, when I changed ssh source to 0.0.0.0/1234 it says unable to find group.
So, how do I set security group right ?
You appear to have confused the port with the CIDR address.
The CIDR annotation describes the range of addresses which are permitted to establish connections on a port - if you want anyone to be able to access the port from any address, use 0.0.0.0/0.
You then specify the port separately, which in your case is 1234.
Please note that changing your ssh port is not considered as a best practice. Network scanners will find your 'hidden' ssh port in no time. It is actually worse than having ssh on 22 since it provides you with false sense of security.
Consider restricting the actual scope of this service to your home / office IP addresses (as instructed by AWS Trusted Advisor)
You can even utilize Dome9 to have this port normally closed and only opened on demand.
(disclaimer: I'm a proud Dome9'er)