32

I know a certain range of IP addresses are causing problem with my server, 172.64.*.* what is the best way to block access to my Amazon EC2 instance? Is there a way to do this using security groups or is it better to do it with the firewall on the server itself?

1
  • 1
    If the instance is within a VPC, you can edit the Network ACL to deny a specific range. Commented Sep 18, 2014 at 20:16

5 Answers

19

Block traffic on both the server and firewall if possible, just in case.

Security groups are good because they are external to your host so the data never reaches you. They are not quite as configurable as most server-based firewalls though.

Unfortunately, EC2 security groups can only "allow" services through a default deny policy. So if you are trying to block access to a publicly "allowed" service for a small IP range, building the allow rule for "the rest of the internet" is a bit more complex than just blocking an IP range. As you have specified a nice big chunk, the list of network ranges not including 172.64.0.0/16 is not too long:

0.0.0.0/1
128.0.0.0/3
160.0.0.0/5
168.0.0.0/6
172.0.0.0/10
173.0.0.0/8
174.0.0.0/7
176.0.0.0/4
192.0.0.0/3
224.0.0.0/3

This list would need to be added for your port(s). Then you can delete your 'allow all' rule for that port. If you have multiple ports you want to do this for that aren't contiguous, the list will need to go in multiple times. If you have multiple security groups this can quickly grow to be unmanageable.

Locally firewalling will also work. iptables is available on the default Amazon AMI, and all the Linux distros.

sudo iptables -I INPUT -s 172.64.0.0/16 -j DROP

After adding your rules you'll need to save them, and ensure the iptables service starts at boot.

# For Amazon Linux
sudo service iptables save

# Other distributions might use one of these:
#sudo iptables-save > /etc/sysconfig/iptables-config
#sudo iptables-save > /etc/iptables/rules.4

The config file to save to will vary with distributions.

Using a VPC Network ACL

If you use a VPC for your instances you can specify "Network ACLS" that work on your subnet. Network ACLs do allow you to write both allow and deny rules so I'd recommend doing it this way.

4
  • this doesn't work anymore Commented Oct 13, 2013 at 1:09
  • @KimJongWoo what doesn't work? I can't see iptables not working so are you referring to the large subnet allows in the security group? Commented Dec 24, 2013 at 14:11
  • Is there any way to whitelist IP instead of the block ? Commented Dec 12, 2019 at 5:27
  • You can whitelist in a VPC network ACL, so the rule will be attached to the network the instance is on rather than the instance. Commented Dec 17, 2019 at 0:56
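The "everything except one range" allow-list described in the answer above can be generated rather than derived by hand. The following is an added example (not code from the answer or from AWS); the function names are my own, 172.64.0.0/16 is the range from the question, and `is_permitted` emulates security-group semantics (default deny, permitted only if some allow entry contains the source address). The generated list also includes the /9 through /16 blocks that cover the remainder of 172.0.0.0/8 above 172.64.0.0/16, and `covers_everything_else` checks that the allow-list plus the blocked range tile the whole IPv4 space with no overlap.

```python
"""Derive the "everything except X" allow-list that an EC2 security group
needs when it cannot express a deny rule, and check which source addresses
that list admits.  Added example (not code from the original answer); the
function names are my own, and 172.64.0.0/16 is the range from the question."""
import ipaddress


def allow_list_excluding(blocked_cidr, universe="0.0.0.0/0"):
    """Return the minimal set of CIDR blocks covering `universe` minus
    `blocked_cidr`, sorted by network address (one block per prefix length)."""
    universe_net = ipaddress.ip_network(universe)
    blocked_net = ipaddress.ip_network(blocked_cidr)
    return sorted(universe_net.address_exclude(blocked_net))


def is_permitted(source_ip, allow_list):
    """Emulate security-group semantics: default deny, permitted only if some
    allow entry contains the source address."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allow_list)


def covers_everything_else(blocked_cidr, allow_list):
    """Sanity check: the allow list and the blocked range together cover the
    whole IPv4 space exactly once (address count adds up, nothing overlaps)."""
    blocked_net = ipaddress.ip_network(blocked_cidr)
    total = sum(net.num_addresses for net in allow_list) + blocked_net.num_addresses
    overlap = any(net.overlaps(blocked_net) for net in allow_list)
    return total == 2 ** 32 and not overlap


if __name__ == "__main__":
    rules = allow_list_excluding("172.64.0.0/16")
    for net in rules:
        print(net)
    print("complete:", covers_everything_else("172.64.0.0/16", rules))
    for ip in ("8.8.8.8", "172.64.10.20", "172.65.0.1"):
        print(ip, "permitted" if is_permitted(ip, rules) else "dropped")
```

Each printed CIDR is one allow entry you would add for the port in question before removing the 0.0.0.0/0 entry; the completeness check is worth running whenever the list is edited by hand, since a missing block silently locks out a legitimate range.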
13

The simplest way of stopping the traffic is (assuming VPC is being used) by adding it to the VPC Network ACL of that instance and denying all traffic from that IP Address.

One thing to remember is the deny rule number should be less than the first allow rule number.

3
  • 4
You mean the deny rule number should be less than the first allow rule number? Commented Apr 27, 2016 at 2:41
  • Yes, that's correct. Commented Apr 30, 2016 at 2:46
  • 2
    keep in mind that there's a limit of 20 ACL rules. And this sucks, Amazon. Commented Apr 21, 2018 at 8:28
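The rule-number point in the answer above is easy to get wrong, so here is an added example (not code from the answer or from AWS) that simulates how a network ACL walks its inbound rules: ascending rule number, first match wins, and an implicit `*` rule denies whatever matched nothing. The two rule tables are constructed for illustration, and the evaluator models only source-CIDR matching, not ports or protocols.

```python
"""Simulate how a VPC network ACL evaluates inbound rules, to show why a deny
rule only takes effect if its rule number is lower than the allow rule it is
meant to override.  Added example (not code from the original answer); the
rule tables below are constructed, and only source CIDRs are modelled."""
import ipaddress


def evaluate_nacl(rules, source_ip):
    """Rules are (number, cidr, action) tuples.  A network ACL processes rules
    in ascending number order and stops at the first match; the implicit '*'
    rule denies anything that matched nothing."""
    addr = ipaddress.ip_address(source_ip)
    for number, cidr, action in sorted(rules, key=lambda r: r[0]):
        if addr in ipaddress.ip_network(cidr):
            return number, action
    return "*", "deny"


# Constructed rule sets: the same two rules, numbered differently.
DENY_FIRST = [
    (90, "172.64.0.0/16", "deny"),
    (100, "0.0.0.0/0", "allow"),
]
DENY_AFTER_ALLOW = [
    (100, "0.0.0.0/0", "allow"),
    (110, "172.64.0.0/16", "deny"),   # never reached: rule 100 already matched
]


def blocked_by(rules, source_ip):
    """True when the ACL would drop traffic from source_ip."""
    return evaluate_nacl(rules, source_ip)[1] == "deny"


if __name__ == "__main__":
    tables = (("deny before allow", DENY_FIRST), ("deny after allow", DENY_AFTER_ALLOW))
    for name, table in tables:
        for ip in ("172.64.3.4", "203.0.113.9"):
            number, action = evaluate_nacl(table, ip)
            print(f"{name}: {ip} -> rule {number} {action}")
```

Running it shows the second table letting 172.64.3.4 through on rule 100, which is exactly the misconfiguration the answer warns about: a deny rule numbered above the catch-all allow is dead.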
4

I have run into an issue twice and realized my EC2 situation is a little different: iptables does not work if your server(s) are in a cluster behind an elastic load balancer (ELB) -- the IP address the instance knows about is that of the ELB.

If you have your ELB configured in a more modern configuration, see this SO answer: https://stackoverflow.com/questions/20123308/how-to-configure-aws-elb-to-block-certain-ip-addresses-known-spammers

In our case, we didn't have things set up well, so I had to use Apache, which can look for the X-FORWARDED-FOR header and block IP addresses from that.

Add this to your apache configuration (perhaps in a VirtualHost block):

RewriteEngine On
RewriteCond %{HTTP:X-FORWARDED-FOR} ^46\.242\.69\.216
RewriteRule .* - [F]

This will check the header which is set by the ELB.

Save the config, test with apache2ctl -t for debian/ubuntu (or apachectl -t for RHEL), then restart apache.

This just sends a 403 Forbidden response back.
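The same header-based check as a plain function, added here as an example rather than code from the answer above; the blocked ranges and the sample headers are constructed. It goes a little beyond the rewrite rule: the load balancer appends the address it saw the connection come from, so the right-most X-Forwarded-For entry is the one the load balancer added, and this example uses that entry so that a left-most value supplied by the client itself cannot change the outcome (the answer's regex, being anchored at the start, matches the left-most entry).

```python
"""Header-based source filtering for a host behind a load balancer, written
as a plain function rather than an Apache rewrite rule.  Added example, not
code from the original answer; the blocked ranges and sample headers below
are constructed.  The right-most X-Forwarded-For entry is used because that
is the address the load balancer itself appended."""
import ipaddress

# Constructed block list: the range from the question plus the single
# address that appears in the answer's rewrite rule.
BLOCKED = [ipaddress.ip_network(c) for c in ("172.64.0.0/16", "46.242.69.216/32")]


def client_ip_from_xff(header_value):
    """Return the right-most address in X-Forwarded-For, or None if the
    header is missing or its last entry is not a valid IP address."""
    if not header_value:
        return None
    last = header_value.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def should_forbid(headers, blocked=BLOCKED):
    """Return True when the request should get a 403.  Header names are
    matched case-insensitively, as HTTP requires."""
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    ip = client_ip_from_xff(xff)
    if ip is None:
        return False  # no load-balancer-supplied address; leave it to other controls
    return any(ip in net for net in blocked)


if __name__ == "__main__":
    samples = [
        {"X-Forwarded-For": "46.242.69.216"},             # direct hit
        {"X-Forwarded-For": "203.0.113.7, 172.64.9.9"},   # LB appended a blocked peer
        {"X-Forwarded-For": "172.64.9.9, 203.0.113.7"},   # client-supplied left entry, real peer is fine
        {"Host": "example.com"},                           # header absent
    ]
    for h in samples:
        print(h, "->", "403" if should_forbid(h) else "pass")
```

Returning "pass" when the header is absent is a deliberate choice for a host that only ever receives traffic through the load balancer; if the instance is also reachable directly, fall back to the socket peer address instead, since a missing header then means the request did not come through the ELB at all.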

3

Blocking traffic from a single IP/IP ranges in AWS

  1. Open your VPC dashboard
  2. Open the “Network ACLs” view
  3. Open the ACL editor
  4. Add a rule to block the traffic

Here is a quick tutorial: http://chopmo.dk/posts/2015/06/13/blocking-traffic-in-aws.html

1

If the instance is within a VPC, you can edit the Network ACL inbound rules

To block 172.64.*.* add an entry like 172.64.0.0/16

To block 172.64.120.* add an entry like 172.64.120.0/24

To block 172.*.*.* add an entry like 172.0.0.0/8

To block a specific IP add an entry 172.64.120.56/32

