
I'm hardening the security groups for EC2 instances running on a default Ubuntu 20.04 AMI. What system services will break after closing all outgoing ports except TCP 80 and TCP 443? (I'm assuming all ports required by the application are open, too. My concern is about breaking the implicit services provided by the OS.)

My understanding is that allowing TCP 80/443 is enough for the essential OS services. For example, apt-get updates should work. Or did I miss ports that Ubuntu or AWS will always expect to be open?


Side-note: I wondered how time syncing works. By default, I cannot see any NTP or chrony service preinstalled on the default Ubuntu AMI. Otherwise, UDP port 123 should be open, too. My assumption is that the (guest) hardware clock provided by the VM is already synced by the host (operated by AWS). Apart from that, I cannot think of any port that needs to be allowed from the OS perspective.

Depending on what AWS services the application will use, more ports are required, for example, 6379 for ElastiCache (Redis). Yet I'm concerned about API calls that do not originate from the deployed application. You can assume that the requirements of the application are known. The requirements by the environment (the OS and the EC2 infrastructure) are trickier.

Philipp Claßen
  • Not a proof, of course. But after updating one service in production, I did not notice any problems so far. – Philipp Claßen May 25 '20 at 15:28
  • NTP, though AWS provides an NTP endpoint in the VPC, you just have to configure to use it. DNS, again there's a VPC endpoint. – Tim May 25 '20 at 18:16
  • @Tim DNS resolution is working with the default settings of the Ubuntu AMI (opening port 53 was not necessary, neither TCP nor UDP). I assume the requests are answered by the VPC endpoint. – Philipp Claßen May 25 '20 at 18:48
  • I guess Ubuntu is configured to use the endpoint, maybe for both NTP and DNS. It was just an idea for you to test. – Tim May 25 '20 at 22:17
  • DNS settings are not baked into the AMI, they're auto-configured by DHCP. VPC's built-in endpoints for the instance metadata service, the DNS resolver, NTP, and of course DHCP are all provided by the network infrastructure in a way that makes them immune to security group and network ACL settings. – Michael - sqlbot May 25 '20 at 22:29

2 Answers


In Ubuntu 20.04, allowing outgoing http and https traffic is mostly enough. However, I ran into an issue with NTP. My attempts to open UDP port 123 failed. I'm not sure why, but to solve it, I ended up switching to the internal Time Sync Service from AWS:

$ cat /etc/systemd/timesyncd.conf
[Time]
NTP=169.254.169.123

If clocks are getting synchronized, you should get the following output:

$ timedatectl
...
System clock synchronized: yes
...

If not, check the logs via:

$ journalctl --unit=systemd-timesyncd

In my case, I still got timeouts when connecting to ntp.ubuntu.com:123, even after opening port UDP 123 (I even tried to open TCP 123, too). With the AWS service, it worked without opening either of these outgoing ports.

Philipp Claßen
  • I believe your timeout issues are the same as mine -- https://serverfault.com/questions/1064319/systemd-timesyncd-requires-incoming-ephemeral-ports-opened but I am not running on AWS so your solution sadly doesn't apply to me. – Martin Melka May 24 '21 at 09:55
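The procedure in this answer (point systemd-timesyncd at 169.254.169.123, restart, confirm with `timedatectl`, read the journal if it fails) as a script. This is an added example, not the answerer's code. It differs from the answer in one deliberate way: it writes a drop-in under `/etc/systemd/timesyncd.conf.d/` instead of editing `/etc/systemd/timesyncd.conf`, so a package upgrade of systemd does not overwrite the setting, and it clears `FallbackNTP=` so timesyncd never retries ntp.ubuntu.com once egress is closed. The drop-in path and the 60-second wait are choices of this example.

```shell
#!/usr/bin/env bash
# Added example: configure systemd-timesyncd for the Amazon Time Sync Service
# and verify that the clock actually synchronizes.
set -euo pipefail

AWS_TIMESYNC=169.254.169.123
# Drop-in location chosen for this example; overrides the packaged file.
DROPIN=/etc/systemd/timesyncd.conf.d/aws-timesync.conf

# Drop-in content. An empty FallbackNTP= clears the fallback server list, so
# timesyncd does not keep trying ntp.ubuntu.com through a closed egress.
timesyncd_dropin() {
  printf '[Time]\nNTP=%s\nFallbackNTP=\n' "$AWS_TIMESYNC"
}

# ntp_synced_from TEXT -> succeeds when `timedatectl show` output (TEXT)
# contains NTPSynchronized=yes, the machine-readable form of the
# "System clock synchronized: yes" line shown in the answer.
ntp_synced_from() {
  printf '%s\n' "$1" | grep -qx 'NTPSynchronized=yes'
}

# apply_and_verify [SECONDS]: needs root. Installs the drop-in, restarts
# timesyncd and waits up to SECONDS (default 60) for the first sync; on
# failure prints the tail of the timesyncd journal, as the answer suggests.
apply_and_verify() {
  local wait=${1:-60} i
  install -d -m 0755 "$(dirname "$DROPIN")"
  timesyncd_dropin > "$DROPIN"
  systemctl restart systemd-timesyncd
  for ((i = 0; i < wait; i++)); do
    if ntp_synced_from "$(timedatectl show)"; then
      echo "clock synchronized against $AWS_TIMESYNC"
      return 0
    fi
    sleep 1
  done
  echo "not synchronized after ${wait}s; recent systemd-timesyncd log:" >&2
  journalctl --unit=systemd-timesyncd --no-pager -n 20 >&2
  return 1
}

# Run with --apply on the instance (as root); without it, only print the drop-in.
if [ "${1:-}" = "--apply" ]; then
  apply_and_verify "${2:-60}"
else
  timesyncd_dropin
fi
```

The return code of `apply_and_verify` makes the check usable from user data or a configuration-management run: a non-zero exit with the journal tail on stderr is exactly the evidence you want when sync fails after an egress change.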

You will need to use NACLs for this as security groups can only handle the incoming traffic and allow everything going out. You need to take into consideration ephemeral ports. This means that when you start a request to https://my-apt-repo.com the destination port will be 443 because of HTTPS, but the source port where the request will start from on your instance can be anywhere from port ~10000 to ~65000. You have to pay attention to allow both incoming and outgoing ports because NACLs are stateless. If you only allow outgoing on some ports and not incoming, the response will not be able to come back.

To see which ports are used by your system as ephemeral, run:

sysctl net.ipv4.ip_local_port_range

You can change the port range by editing the /etc/sysctl.conf file. If you don't want to reboot for the changes to take effect, run the following command to source the configuration:

sysctl -p /etc/sysctl.conf

For more info, check out this article.

Chris
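Added example (not the answerer's code) of the stateless rule pair this answer describes: for every destination you want to allow out, a NACL needs an egress rule for the destination port and an ingress rule for the return traffic to your instance's ephemeral range. The script reads the real range from `net.ipv4.ip_local_port_range` instead of guessing it (Linux's default is 32768 to 60999; if `sysctl` is unavailable the script falls back to that default) and prints the `aws ec2 create-network-acl-entry` commands rather than running them, so you can review them before piping them to a shell. The ACL id `acl-0123456789abcdef0`, the rule numbering from 100 in steps of 10, and the 0.0.0.0/0 CIDR are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example: emit matching egress/ingress NACL entries for the instance's
# ephemeral port range. Prints commands; pipe to `sh` to apply.
set -euo pipefail

# Prints "LOW HIGH". Uses the kernel setting when available, otherwise the
# Linux default, so the script also runs on a machine without sysctl.
ephemeral_range() {
  local r
  if r=$(sysctl -n net.ipv4.ip_local_port_range 2>/dev/null) && [ -n "$r" ]; then
    # shellcheck disable=SC2086  # word-split "LOW<TAB>HIGH" on purpose
    printf '%s %s\n' $r
  else
    printf '%s %s\n' 32768 60999
  fi
}

# nacl_rules ACL_ID LOW HIGH  < "proto port" lines
# One egress rule per destination port, plus one ingress rule per protocol
# that admits return traffic to LOW-HIGH. Egress and ingress rule numbers are
# independent, so both start at 100 (placeholder numbering of this example).
nacl_rules() {
  local acl=$1 low=$2 high=$3 n_out=100 n_in=100 proto port seen=" "
  while read -r proto port; do
    [ -n "$port" ] || continue
    echo "aws ec2 create-network-acl-entry --network-acl-id $acl --egress" \
      "--rule-number $n_out --protocol $proto --port-range From=$port,To=$port" \
      "--cidr-block 0.0.0.0/0 --rule-action allow"
    n_out=$((n_out + 10))
    case "$seen" in *" $proto "*) continue ;; esac
    seen="$seen$proto "
    echo "aws ec2 create-network-acl-entry --network-acl-id $acl --ingress" \
      "--rule-number $n_in --protocol $proto --port-range From=$low,To=$high" \
      "--cidr-block 0.0.0.0/0 --rule-action allow"
    n_in=$((n_in + 10))
  done
}

# Demo: the egress the question settles on (TCP 80/443) plus UDP 123 for a
# public NTP server. Placeholder ACL id; read "proto port" pairs from stdin
# with --stdin to use your own list.
main() {
  local range
  range=$(ephemeral_range)
  # shellcheck disable=SC2086
  set -- $range
  if [ "${DEMO_STDIN:-0}" = 1 ]; then
    nacl_rules acl-0123456789abcdef0 "$1" "$2"
  else
    printf 'tcp 80\ntcp 443\nudp 123\n' | nacl_rules acl-0123456789abcdef0 "$1" "$2"
  fi
}

main
```

One caveat the answer only hints at: the range you read on one instance is not the range of every client that may talk to you. If you also need to accept return traffic for other hosts (or for clients whose kernel uses a different range), widen the ingress rule rather than trusting a single `sysctl` value.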