I am using AWS EC2 to host my internal CRM. The server has started getting spam hits and consuming quite a bit of server resource. I know that we can configure CIDRs in the security groups. When I put comma separated values and try to save it, it throws an error stating "The source needs to be a CIDR block or a Security Group ID.". Is it like I can provide only one CIDR? If yes, then how will I address this?
Each rule handles only one CIDR. You can add many rules.
Related
I am trying to set up SSM on Windows.
I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints.
In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.
The problem comes with the DNS Client Server Address.
When I set it to match the address of the AD service SSM will not work.
When I leave the DNS Client Server Address default, SSM works but I can not join the AD.
I tried forcing the SSM Agent to use the endpoints by creating a amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.
Does anyone know the magic sauce to get these things all working at the same time?
EDIT 1:
I also tried adding a forward as described in this thread, however I'm either missing somethign or it is not working for my case:
https://forums.aws.amazon.com/thread.jspa?messageID=919331󠜣
It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".
Of course, my IPs are different, but once I removed the preexisting forward so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers) the instance was discoverable by SSM.
So, I would make a minor change to the list that saugy wrote:
On a domain joined windows instance, log in with AD domain Admin user
Open DNS manager
Connect to one of the DNS IP addresses for the AWS AD
Select forwarders
Add the VPC's DNS IP (x.x.x.2 from you VPC's CIDR range)
Remove the existing IP (so you VPCs IP is the only one)
Click Apply
Repeat from step 3 with the other DNS IP address for the AWS AD (not 1
Also, as mentioned in the other post. This only has to be done once and the settings persist in the AD DNS.
I have an Amazon EC2 instance that hosts different services (cassandra db, elasticsearch, rabbitmq, mysql...) used by several developers at different locations. Since these developers have dynamic IP addresses, and this EC2 instance is used only for development, I left inbound access to required ports opened to 0.0.0.0. I'm aware that this is absolutely not recommended, and I should limit access, but I don't want to change the rules every day as someone's IP address change.
However, I just got report from Amazon that my instance is used for DoS attack, so I would like to fix this.
My question is if it is possible to make a rule that will limit access to several ranges such as:
94.187.128.0 - 94.187.255.255
147.91.0.0 - 147.91.255.255
Definitely yes, because the ranges you meant aren't just ranges but match CIDR.
The range which cannot be expressed as CIDR won't be accepted:
You can use IPcalc or similar site to make it easier.
If it fits you, you can use port range like 2000-3000, or, better, use custom ports for the services. Then the range will be e.g. 2000-2001, and using port ranges you can fit one user into one rule.
Alternative, more secure but more difficult way: a web page, user connects there with proper security key. If the key is recognized then a script on the server adds rule to a group using the client's IP. Another script by cron deletes the rules older than X hours. To check it deeper you may want to look e.g. here: On apache side check Two-way SSL authentication, on AWS side check API and Command Overview
Is it possible to block an entire country from access my website within a security group rule in an Amazon EC2 instance instead of using iptables or something else?
As the others commented, it is hard to block the traffic from particular countries, if someone is smart enough to use a proxy.
But you can use some simple ways to filter most traffic from a range of IPs (not all customers know to use proxy)
One is to set Network ACL in aws. Please go though aws document Network ACLs as a start.
Another way if you can manage route 53 for your website, enable geolocation route policy and transfer the traffic from some countries to a fake website. You can go through the document here Choosing a Routing Policy
I am trying my hand at autoscalling and all is well except that I need all of my instances to be assigned an elastic ip (this is for my payment gateway which needs to know all IPs that we are using.)
Im happy to add say 8 elastic ips to my account but what I need is a facility to auto assign one of these to the instance as it boots up and then release it as it switches off.
I guess I need a startup script but this is beyond my knowledge of AWS (so far I do everything through the web console).
Any samples/help appreciated!
If your gateway is deployed in the same Amazon account as your servers, you might want to look at a VPC solution where you can control the instances' private IPs using masks.
If that is not an option, you will need to write a script, which you should add to the Launch Configuration's User Data.
In this script you can use AWS CLI to find which IP Addresses are available using describe-addresses, and use one of them to associate to your newly created instance using associate-address.
From where do I get the correct syntax to create a proper SPF record for EC2 amazon server? I understand how to create a dns entry but I have no idea what to put in place for the SPF record.
This is very easy to do:
Provision an Elastic IP for your server
Setup an "A" record for the server which will be sending mail with your favorite registrar- a good practice to follow is to include "svr" somewhere in the hostname, as in, app-svr-01.youdomain.com
Click here to contact amazon and ask for a reverse dns record for the IP
add the following somewhere in your SPF record and you should be good to go:
a:app-svr-01.youdomain.com
Note: if you need to relay mail through this server from your other AWS servers, or communicate between servers in any other way, you shoukd not use this new FQDN, but rather the AWS FQDN from the AWS console (it will look like ec2-xxx-xxx-xx-xx.compute-1.amazonaws.com).
Using your custom domain name will route through the "WAN" and incur bandwidth charges.
You can use the Amazon Simple Email Service (SES). If you only use this service (and not directly), then your SPF can be as simple as described in the FAQ:
http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPF.html
maybe changing it to a definite fail on mismatch:
v=spf1 include:amazonses.com -all
Creating an SPF record for an EC2 instance is a waste of time. Every major ISP and blacklist will blackhole mail from an EC2 IP no matter what you do. Since anyone can spin up an instance, get a new IP, send spam and disappear, nobody trusts their mail.
Use an external mail server, like SendGrid.