
I have a Linux instance deployed on AWS EC2.

Sorry for my dumb question, but I'll ask anyways just to be safe.

Q1. While creating an instance, I set anyone 0.0.0.0:0 for the ssh. Though, on the next step, it asked me to create a private/public key pair. So I did. The question is: will anyone be able to somehow attack it? I know I set it to anyone, but I want the instance to be only accessible by the private key. I don't care if that private key is used from another internet IP address. That's not insecure, right?

Q2. After I created the instance as I said in Q1, I have a project in there, ec2-user/myApp, which is cloned from GitHub. Due to yarn sometimes resulting in an error, I had to do sudo chmod -R 777 myApp, and then running yarn succeeds. Since I did sudo chmod -R 777 myApp, read, write access is open to the outside world, but still that's not insecure, right? Because I don't have any other ports open to the world other than 22?

Thoughts? Thank you.

  • You could limit ssh access to your IP address: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules –  Jan 03 '22 at 20:25

1 Answer

Question is will anyone be able to somehow attack it?

No, that means anyone can start a connection to it, but to authenticate they need a proper login and password. It's not insecure by default and does not mean everyone can access your instance.

I know I set it to anyone, but I want the instance to be only accessible by the private key. I don't care if that private key is used from another internet IP address. That's not insecure, right?

Using a key to authenticate is the recommended method. It's not insecure at all: you can use your private key to access all the servers you want, and you can use any IP address to connect there. Requiring SSH to only allow one IP address (or a set of addresses) could create an availability issue if you need access in an emergency and you are not using one of the whitelisted IP addresses.

Since I did sudo chmod -R 777 myApp, read, write access is open to the outside world, but still that's not insecure, right?

chmod 777 means anyone with shell access to your server can change any files, not everyone. Insecure here is relative, and you could answer the "insecure against what?" question before getting an answer.

On a high level, it does not make it insecure per se. It only means if someone can get shell access to your machine, the app can be compromised. As I don't expect your app is in production and managing real-life data on real persons, I don't believe this is much of an issue.

Thoughts?

Don't chmod 777 to make yarn stop complaining. Read the logs, identify what folder is not being written to because of permissions, identify which user or group should own the folder, and give access to that user or group (chown and chgrp are your friends here). Using chmod 777 is not recommended at all.

ThoriumBR
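
The cleanup described in the answer's last paragraph, as an added example that is not part of the original answer: it lists what `chmod -R 777` left world-writable, lists entries not owned by the account that runs yarn, then repairs ownership and removes group/other write access. The function names, the owner argument and the demo tree are assumptions; on the instance in the question they would be `ec2-user` and its `myApp` directory.

```shell
#!/bin/sh
# Added example (not from the original answer). The demo tree is constructed;
# on the asker's instance the arguments would be the myApp path and ec2-user.

# List entries any local account can modify. Symlinks always report mode 777,
# so they are skipped to avoid false positives.
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 -print
}

# List entries not owned by the account that runs yarn (name or numeric uid).
# Files created earlier with sudo typically show up here.
foreign_owned() {
    find "$1" -xdev ! -user "$2" -print
}

# Give the tree back to its owner and drop write access for group and other.
# chown is attempted only when something is foreign-owned, since it needs root.
repair_tree() {
    dir=$1
    user=$2
    if [ -n "$(foreign_owned "$dir" "$user")" ]; then
        chown -R "$user" "$dir" || return 1
    fi
    chmod -R go-w "$dir"
}

# Constructed demo on a throwaway tree, so nothing real is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/myApp/node_modules"
    : > "$tmp/myApp/package.json"
    chmod -R 777 "$tmp/myApp"
    before=$(world_writable "$tmp/myApp" | wc -l)
    repair_tree "$tmp/myApp" "$(id -u)"
    after=$(world_writable "$tmp/myApp" | wc -l)
    echo "world-writable entries: before=$before after=$after"
    rm -rf "$tmp"
}
demo
```

Running `foreign_owned` before any repair shows which paths the installing user could not write to, which is the diagnosis step the answer asks for.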