Amazon EC2 Security Group inbound rule with a dynamic IP
I'm looking for clarification on what I see as a potential problem with EC2 Security Groups.
I'm setting up a Security Group for connecting to linux instances. I've created "anywhere" rules for HTTP and HTTPS access.
For my SSH rule, the amazon tutorial says I should limit inbound access to my public IP address.
What I don't get is how that's secure or workable if your public IP address is dynamic?
My IP address is dynamic, so what happens when my ISP changes my public IP and I can no longer ssh into my instance?
Link to the setup guide I'm using: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html (Step 7 of 'Create a Security Group' is what seems problematic to me)
What I don't get is how that's secure or workable if your public IP address is dynamic?
This solution could work if you find your IP doesn't change often, or if you only need access for a short time. It adds an extra layer of security as SSH isn't exposed to traffic outside of the CIDR you supply.
If a specific CIDR doesn't work, you could try on or more board CIDR ranges that your ISP is likely to use, this will still limit access from a large percentage of the Internet, and that's a win for security.
what happens when my ISP changes my public IP and I can no longer ssh into my instance?
You can login to the AWS Console, or use the CLI to update the Security Group rule on the fly.
You could write a script that interacts with the CLI directly. It could be as simple as something that checks for the Port 22 rule
against your current IP and updates it if it's different. Of course running such a script might raise more security questions itself :)
Is an IP firewall the best way to secure SSH?
While it's nice to limit ssh traffic to only trusted IP sources where practical, the thing that makes ssh secure is the use of private keys and sensible configuration.
Key items to consider:
- Add a passphrase to your SSH private key
- Disable password auth to SSH
- Disable root login to SSH
- Audit all user accounts for SSH public keys
You could also do a few things to get rid of the 'noise' associated with brute force attacks:
- Run ssh on a higher port
- Use software like fail2ban which will dynamically log numerous failed attempt and block IP ranges for specified periods of time
It's fine to restrict access to your SSH server by IP address, but SSH doesn't rely on that for its security. If you disable password logins (PasswordAUthentication no
) and use private key authentication only, no one can get in without your private key. It's safe.
So in other words, you don't have to worry about the firewall rules if you don't want to.
You can add a CIDR range to the security group that represents the superset of all IPs your ISP can allocate to you.
Either that, or use the AWS API to dynamically update your security group.
There are couple of more recent solutions to this older question:
From inside AWS: How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda
Remote update from the dynamic source (node.js script): aws-ec2-ssh-secgroup-update node script
Remote update from the dynamic source (Python script): Automatically add current public IP to Security Group to allow traffic on specific port