dlab-berkeley / cloud-computing-working-group


Easy strategy for securing an EC2 instance? #4

Open brooksambrose opened 8 years ago

brooksambrose commented 8 years ago

We went over ssh in the first meeting, but I forget what was recommended! Also should we be doing some port/IP filtering in addition to that? I'll admit I don't know much about how the internet works. It's all trucks and tubes to me.

stivc commented 8 years ago

The security groups provide port/IP filtering already. The only incoming connections that are allowed are the ones specifically granted by a security group rule.

For a compute server used only by yourself, you could allow access on the ssh port only to your IP address. Then no other incoming connections are possible.

You can't use this method if you want to provide any more general access to your machine, but if it's compatible with your purposes, this sort of lockdown is easy. Since you can edit the security group later, you can start in a one-ip-one-port lockdown state and loosen up carefully if you are adding services or making them more available to the internet.

aculich commented 8 years ago

What @stivc suggests here is probably the best and simplest approach-- and it can be aided with tools like: http://www.whatsmyip.org/

Other solutions are more complex and I'm not yet convinced they are more secure than having good ssh-key hygiene and best practices.

The AWS documentation provides a lot of very detailed information about EC2 Security Groups for Linux instances and Authorizing Inbound Traffic, however it is not so obvious what the right strategy is for securing an EC2 instance, as your question asks.

The documentation suggests modifying EC2 Security Groups to permit only known IP addresses access to an instance, but if you are using a laptop your IP address is likely to change frequently, and it would be a pain to update by hand each time.

There are software tools such as portalign designed to automatically modify your EC2 security groups using the AWS API and your AWS API key & secret; however, I'm not convinced that it is any more secure than using your SSH key-- since, in both cases, you're relying on single-factor authentication. And, in fact, the AWS API key likely gives MORE access to all of your AWS resources than your SSH key alone gives to someone, since the SSH key is restricted just to the running server, rather than all the AWS resources.

An alternative (though more complex) would be to configure your AWS Linux instances to enable ssh+MFA (Multi-Factor Authentication), such as suggested by these links:

While the instructions in the links list, step-by-step, what needs to be done, if this is of interest to you and to others more widely, you might consider making a feature request in the BCE github issue tracker.

brooksambrose commented 8 years ago

This is great info, thanks. I'll mull it over. Would it be possible to limit ISPs to anywhere on Berkeley's campus, e.g. do dynamic IPs assigned at Berk have a consistent prefix that could be used to filter? Looking at a few lists of Berkeley IPs, I'm not grokking a pattern, e.g.:

ftp://ftp.net.berkeley.edu/pub/subnet_pop.bydesc

stivc commented 8 years ago

ftp://ftp.net.berkeley.edu/pub/networks.local seems to confirm that everybody or almost everybody is covered by:

128.32.0.0/16
136.152.0.0/16
169.229.0.0/16

ck37 commented 8 years ago

In my experience it is not that bad to just update the IP - all you need to do is edit the security group's incoming connections and change 1-3 ports to the "My IP" option and it will update. Takes about 10 seconds. There is no need to use whatsmyip.org.

aculich commented 8 years ago

@ck37 When setting up the Security Groups, using "My IP" is, as you suggest, the easiest option and recommended in the AWS docs in Adding Rules to a Security Group.

There are times when you are not in the AWS console and using another tool to check your visible IP address (rather than the IP address your computer reports) is helpful, such as when you're working with other people who do not have access to the console to add an IP address to the security group themselves-- for example during a D-Lab workshop working with several collaborators in the same room.

Also, I discovered what I think is a much better alternative to whatsmyip.org that is provided by AWS called checkip.amazonaws.com that can be easily used with curl from the command line:

$ curl http://checkip.amazonaws.com/
136.152.142.1

AWS suggests the following in Launching an Instance Using the Amazon EC2 CLI:

TIP You can get the public IP address of your local computer using a service. For example, we provide the following service: http://checkip.amazonaws.com/. To locate another service that provides your IP address, use the search phrase "what is my IP address". If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.
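As an added illustration (not code from this thread, the BCE project or the AWS docs), the following Python script sketches the workflow the comments above describe: turn the body returned by checkip.amazonaws.com into a single /32 rule, check whether an address falls inside the campus prefixes stivc listed, and work out which tcp/22 rules would have to be revoked and authorized to move a security group from yesterday's IP to today's. It only renders the corresponding `aws ec2` CLI commands as strings and never calls AWS, so it runs offline; the group id, the "current rules" and the checkip response are constructed placeholders (the address 136.152.142.1 is the one quoted in the thread).

```python
"""Plan a minimal-ingress EC2 security group: SSH only, from your current
public IP (/32) or from known campus prefixes.

Added example for this thread; not the project's own code. It computes a
plan and renders the documented `aws ec2 {authorize,revoke}-security-group-
ingress` commands as strings, but nothing here executes them.
"""
import ipaddress
import re

# Campus prefixes quoted from ftp://ftp.net.berkeley.edu/pub/networks.local
# earlier in the thread (taken as given; re-check against the live file).
BERKELEY_PREFIXES = ["128.32.0.0/16", "136.152.0.0/16", "169.229.0.0/16"]

SSH_PORT = 22


def is_routable_public(text):
    """True only if `text` is a single public IPv4 address.

    checkip.amazonaws.com returns the address followed by a newline. A
    captive-portal HTML page, an error body, or a 10.x/192.168.x NAT
    address (which AWS would never see as the source) must all be rejected
    so that garbage can never become a security group rule.
    """
    candidate = text.strip()
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", candidate):
        return False
    try:
        return ipaddress.IPv4Address(candidate).is_global
    except ValueError:
        return False


def public_ip_to_cidr(text):
    """Turn a checkip response body into the /32 CIDR for an ingress rule."""
    if not is_routable_public(text):
        raise ValueError(f"not a routable public IPv4 address: {text!r}")
    return f"{text.strip()}/32"


def covering_prefix(ip_text, prefixes=BERKELEY_PREFIXES):
    """Return the first campus prefix containing the address, or None.

    Answers the question of whether campus addresses share a prefix that
    can be used in a rule instead of a per-laptop /32.
    """
    ip = ipaddress.IPv4Address(ip_text.strip())
    for prefix in prefixes:
        if ip in ipaddress.IPv4Network(prefix):
            return prefix
    return None


def plan_ssh_rules(current_cidrs, wanted_cidrs):
    """Diff the CIDRs currently allowed on tcp/22 against the wanted set.

    Returns (to_revoke, to_authorize) as sorted lists. Stale /32s from an
    earlier location are revoked; rules already present are left alone.
    IPv4Network() is strict, so a CIDR with host bits set raises early.
    """
    current = {str(ipaddress.IPv4Network(c)) for c in current_cidrs}
    wanted = {str(ipaddress.IPv4Network(c)) for c in wanted_cidrs}
    return sorted(current - wanted), sorted(wanted - current)


def render_cli(group_id, to_revoke, to_authorize, port=SSH_PORT):
    """Render the plan as aws ec2 commands (strings only; not executed)."""
    cmds = []
    for cidr in to_revoke:
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                    f"--protocol tcp --port {port} --cidr {cidr}")
    for cidr in to_authorize:
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--protocol tcp --port {port} --cidr {cidr}")
    return cmds


if __name__ == "__main__":
    # Constructed inputs: a checkip response body (address from the thread),
    # a placeholder group id, and two stale /32s standing in for old rules.
    checkip_body = "136.152.142.1\n"
    me = public_ip_to_cidr(checkip_body)
    print("campus prefix:", covering_prefix(checkip_body))
    revoke, authorize = plan_ssh_rules(["203.0.113.7/32", "198.51.100.9/32"], [me])
    for cmd in render_cli("sg-0123456789abcdef0", revoke, authorize):
        print(cmd)
```

To restrict to the whole campus instead of one laptop, pass `BERKELEY_PREFIXES` as `wanted_cidrs`; the plan then revokes any /32 and authorizes the three /16s. Anything that pipes the checkip output straight into a rule should keep the `is_routable_public` check, otherwise a captive portal on hotel Wi-Fi can leave you with a rule that matches nothing (or, if the page is parsed loosely, something you did not intend).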