I'm trying to host a website on AWS and I came across this:
If you are connecting through an ISP or from behind your firewall
without a static IP address, you need to find out the range of IP
addresses used by client computers. If you don't know this address
range, you can use 0.0.0.0/0 for this tutorial. However, this is
unsafe for production environments because it allows everyone to
access your instance using RDP.
My intention was to host my personal website. I connect through an ISP and do not have a static IP address and I'm not sure about the range of IP addresses.
Is there another way to solve this or would I be best to use a different web host such as godaddy, name.com, etc..?
The recommendation is that you don't allow RDP (or ssh if you go with a linux-based server) from the internet in general (i.e. 0.0.0.0/0).
Instead, you should restrict access to your ip (1.2.3.4/32). The problem with this is that when your ISP-provided IP address changes, you will be locked out until you adjust your security rules.
Now, for a personal web site, if you're not accessing it a lot, that's probably not a big deal. Chances are that your ip address doesn't actually change that often, and when it does you can remember to update the security group.
If you want to automate it, you can do this from a script that would query one of the many services that provide this, and then update the security group via the aws cli.
Finally, another option is to set up a VPN between your AWS VPC and your local network. This is probably overkill for your problem, but is something to consider when you want to extend your local network into AWS.
Here is a script that can automate the additional of an IP address to Inbound Security Group rules:
IP=`curl -s icanhazip.com`
aws ec2 authorize-security-group-ingress --group-name "RDS-SG" --protocol tcp --port 22 --cidr $IP/32
Related
I have a database server configured on AWS and I want to restrict access to it only from my computer's IP.
The problem is as IP addresses get assigned dynamically by the ISPs, I manually need to whitelist my IP address before accessing the server from my computer, everytime I switch from my home network to some other network.
I have been able to set a static IP address for my machine, but when I try to change my ISP from local broadband to mobile internet's hot-spot or to another network different from my broadband, the connection seems to fail. Is there any way to make my machine use the same static IP while using different ISPs ?
Here's a script I use:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name GROUP-NAME --protocol tcp --port 22 --cidr $IP/32 --output text
In this example, it is adding my current IP address to the security group for use with SSH (port 22). You can modify it for your needs.
Please note that there is a maximum number of security group rules, so you will need to "empty it out" after you've hit the limit.
In last few days my Google VM is continuously being compromised, I have received warning and faced suspension of VM by Google saying "cryptocurrency mining activities was found on VM". I suspect someone has hacked my VM and doing this activity. So, now I want to create a new VM with secure SSH firewall such that only limited computers can access the VM.
I have tried setting the IP of my office routers on firewall ssh allow rule, but after setting this rule also SSH connection to VM do get established from other IP addresses. I just want to specify two IPs in firewall rule but it expects IP ranges in CIDR format (with which I am not clear).
I have also found some suggestions that I should change the ssh port of the VM.
Can anybody please explain how can I restrict the access to my Google VM to only a specific set of computers when this computers are connected to a router and external IP is same for all i.e. of router?
Thanks
I understand you want to create a new VM with secure firewall SSH and want to restrict and allow access from particular IP addresses of your office router.
To do that you can create firewall rules as explained here 1. To manage the access for a specific instance, I recommend you to use Network Tags for firewall rules 2.
Going back to your concern, that SSH connection to VM do get established from other IP addresses even when you create the firewall rule for the specific IP address. The reason for that might be due to this:
Every project you create in GCP comes with the default firewall rules.
So there might be one default-allow-ssh rule which you need to block, I guess that might be causing the issue. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic. See the attached link[3][4] for more details.
[3]https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
[4]https://cloud.google.com/vpc/docs/firewalls#more_rules_default_vpc
You can also add guest-level firewall rule using for example "iptables" to add another security level to your VM instance. However, GCP project-level firewall rule takes care of inspecting network traffic before it goes to your VM instances. Operating system Firewall blocks all internet traffic to any port 22.
In order to allow a specific address to be able to connect on your VM instance, you may add a CIDR of /32 on the "IP ranges" value of your "default-allow-ssh" GCP firewall rule. For example, 45.56.122.7/32 and 208.43.25.31/32.
I want to set the security groups for the web server running in aws instance.My website should be accessible to through http/https. But file modification access to be set to particular IP address.I am currently connected to a Wifi router, and as I know IP that my PC assigned changes everytime.
Can someone please guide me on how to get a static IP address that I can allow access to my website.Thanks in advance.
You would need to see if you ISP can sell you a static IP - it's not always possible. I can't get one from my ISP when working from home, your ISP may be different for example.
However, if it is just you that needs static IP address (i.e. you as the developer/admin as opposed to users in the public), it is only a few clicks of the mouse to update the security rule thru the aws console each time you need elevated access. I do this for several servers running on EC2 which I keep locked down, and when I need to RDP into them, I open up the security groups to just my (dynamic) IP, and remove the rule when I am done - this will work if you only occasionally need access. You could also automate this process using a little scripting and/or lambda function.
Other option that I also do: I have an service that I need to access continually from a static IP - I use an another EC2 instance (with fixed IP) as the whitelist IP for this, and then I connect to that services by first connecting via RDP to the EC2 instance - and the EC2 instance with the fixed IP then accesses the service using its static IP.
You first have to know if your external IP changes if so you have to ask your ISP to change your IP to a static one
If it's the internal IP the one that changes but the external IP is the same you will have no problem accessing the aws.
Here's what's bothering me. Is there a better way than sending emails to devs that the ip address for their dev server has changed after the instance is stopped and started?
I was thinking of a single small instance that has an elastic ip which the devs can log in using terminal, and ssh again to the internal ip address of the dev server. Is that effective?
Does it mean that the devs need to be informed of the change every time?
It's unclear exactly what you are saying "there's a new public dns for the server"? -thanks for the comment, that's clearer what you mean! It's the aws domain name in the format "ec2-54-222-213-143.eu-west-1.compute.amazonaws.com" you are referring to
You are asking how can these name/address changes be managed?
Generally speaking for fixing these kinds of problems there are a couple of things to be aware of
Firstly, if it is the public ip address that is changing instead of an ephemeral public ip address use an elastic ip. This will stay the same and can be transferred from an old instance to a new instance. Please read http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html about the differences between "Elastic IP" and normal public IP addresses on AWS
Secondly, if you are concerned about maintenance of the dns records that map the ip addresses to the domain names then it is possible to automate the updates to aws route53. I have used the aws cli command "route53 change-resource-record-sets" for this and also CloudFormation
Automating events to occur on instance start up does take a little research of the available APIs and hooks for example see this answer with a simple use of cloud-init Using cloud-init user data
I've read a lot of questions already posted on this topic but none seem to provide an answer that helps, so forgive me for the duplicate post if I missed one...
I setup an elastic beanstalk single instance application. I then ensure'd the EC2 instance that it spawned had a security group to allow port 80 incoming requests. I then created an elastic ip and associated the EC2 instance with the ip, but neither the public dns or the elastic ip will respond to http requests.
Any ideas why this might be an issue for me?
In my case the problem was, even though I'd associated my elastic IP to my instance and created firewall rules in new security groups to provide access, I hadn't associated my new security groups with my instance. To fix this, I used the Change Security Groups menu from my Instances screen:
This caused the following popup to appear, where, sure enough, my new security groups existed but weren't associated with my instance:
After I (1) checked the appropriate boxes and (2) clicked on Assign Security Groups, all was well.
In classic-EC2 scenario:
Make sure port 80 is allowed in your AWS security group.
Make sure port 80 is allowed in local operating based firewall on your system. OR disable the local firewall for the time being to narrow down the issue.
Make sure that your application is indeed listening on port 80. You can check this by running telnet 127.0.0.1 80.
If above 3 points are satisfied, I don't see a reason why you are not able to access your application on port 80.
Let us know in case you are using VPC and not classic-EC2.
BTW, when you attach elastic IP, the instance will drop the public DNS that it had earlier. So now you should work with elastic IP only.
I have had a case where the elastic IP address was itself not responding on a specific port number. When I associated the instance with a different elastic IP, everything worked fine. So I resolved the issue by allocating a new elastic IP address. Root cause: Amazon evidently does not have an effective internal process for validating the integrity of an elastic IP. Obviously that's a tall order considering the things outside their control that can happen, with denial of service attacks and etc.
It cost me a day of doing progressive isolation to get to this, which I would have never otherwise suspected.
Any chance there is also a firewall running on the machine? I know in windows I usually need to open the port on the windows firewall AND on amazon's security.