
Struggling with Security Groups in AWS. Would like to set up a single SG, which I'd use in all my EC2 instances, to allow SSH traffic (I'd have other SGs for other roles, deployed as appropriate). However, I see no reason to open this SSH group up to the whole world. What I'd like to do is to restrict access to USA only for now. Is this doable?

Waldron

2 Answers


It is doable with pam_geoip.

In /etc/security/geoip.conf:

*           sshd          allow     US
*           sshd          ignore    UNKNOWN
*           sshd          deny      *
Mark Wagner
  • OK, thanks. But can't it be done in an AWS security group? – Waldron Apr 16 '13 at 13:30
  • You could download the geoip CSV file, select rows with the US as the country, and use `aws ec2 authorize-security-group-ingress` to allow the associated IPs... – Mark Wagner Apr 16 '13 at 17:54
  • Mark Wagner, thanks, that does answer the question. Not sure it's a feasible approach, but it's an answer to the actual question, and I asked the question in order to determine the feasibility, so... victory! Much appreciated. – Waldron Apr 18 '13 at 17:41
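As an added example of the approach Mark Wagner outlines in the comment above (this is not code from the answer or its comments): read a GeoIP country CSV, keep the rows for one country, turn each start/end range into CIDR blocks, merge adjacent blocks, and emit one `aws ec2 authorize-security-group-ingress` command per block. It assumes the legacy GeoIP country CSV layout (start_ip, end_ip, start_num, end_num, country code, country name, no header row); the rows below are constructed for the example and are not real allocations, and `sg-0123456789abcdef0` is a placeholder group ID. The practitioner caveat the comment leaves out is quota: a security group has a default limit of 60 inbound rules, while a country's address space spans thousands of prefixes even after aggregation, so the script counts the blocks against that limit and refuses rather than authorizing a partial list.

```python
import csv
import io
import ipaddress

# Constructed sample in the legacy GeoIP country CSV layout (no header):
# "start_ip","end_ip","start_num","end_num","cc","country".
# These rows are made up for the example and are not real allocations.
SAMPLE_GEOIP_CSV = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"3.0.0.0","3.127.255.255","50331648","58720255","US","United States"
"3.128.0.0","3.255.255.255","58720256","67108863","US","United States"
"5.44.16.0","5.44.23.255","86773760","86775807","GB","United Kingdom"
"8.8.8.0","8.8.8.255","134744064","134744319","US","United States"
"23.20.0.0","23.23.255.255","387186688","387448831","US","United States"
"192.0.2.0","192.0.2.100","3221225984","3221226084","US","United States"
"203.0.113.0","203.0.113.255","3405803776","3405804031","JP","Japan"
"""

# Default AWS quota for inbound rules per security group (adjustable per account).
DEFAULT_INBOUND_RULE_QUOTA = 60


def country_ranges(csv_text, country_code):
    """Yield (first, last) IPv4 address pairs for rows whose country code matches."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6:
            continue  # skip blank or malformed lines
        start_ip, end_ip, _, _, cc, _ = row[:6]
        if cc.upper() == country_code.upper():
            yield ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)


def ranges_to_cidrs(ranges):
    """Turn start/end ranges into the smallest set of CIDR blocks.

    A range that is not aligned to a prefix boundary becomes several blocks
    (192.0.2.0-192.0.2.100 needs four), and adjacent rows such as two /9s
    are merged back into a single /8.
    """
    blocks = []
    for first, last in ranges:
        blocks.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(blocks))


def plan_ssh_ingress(csv_text, country_code, group_id, quota=DEFAULT_INBOUND_RULE_QUOTA):
    """Return (cidrs, commands) for port 22, or raise if the rules exceed the quota."""
    cidrs = ranges_to_cidrs(country_ranges(csv_text, country_code))
    if len(cidrs) > quota:
        raise ValueError(
            f"{country_code} needs {len(cidrs)} CIDR rules but the group "
            f"allows {quota} inbound rules; raise the quota or split the group"
        )
    commands = [
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol tcp --port 22 --cidr {cidr}"
        for cidr in cidrs
    ]
    return cidrs, commands


if __name__ == "__main__":
    # sg-0123456789abcdef0 is a placeholder group ID, not a real one.
    cidrs, commands = plan_ssh_ingress(SAMPLE_GEOIP_CSV, "US", "sg-0123456789abcdef0")
    print(f"{len(cidrs)} CIDR rules for US:")
    for cmd in commands:
        print(cmd)
```

The commands are printed rather than executed so the rule count can be reviewed first; with a real CSV the quota check is the part that fires. Anyone going this route should also plan to re-run it on every GeoIP update, since allocations move between countries.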

Possible, in theory, but probably not what you want to do.

I could, for example, use a free VPN service to give me an IP address in the USA, even though I'm in London.

A better solution would be an SSH key, disabling password-based logins, and considering 2-factor authentication.

I'm confused by why you'd want to allow access to the netblocks for a country as a whole, when it only offers you the thinnest veil of security (through obscurity).

Tom O'Connor
  • For now it's not feasible to restrict SSH access to a specific, narrow list of IPs, but I do hope to get there eventually. My idea was to start with "better than nothing" and improve from there. – Waldron Apr 15 '13 at 18:09
  • Also, we do use keys and pw-based logins are disabled already. – Waldron Apr 15 '13 at 18:12
  • You might want to look into port knocking. You could allow a small list of known OK IPs, and then allow anyone else to use the port knock to get a temporary firewall exception made for that IP. – Sirex Apr 15 '13 at 19:40
  • My question was pretty straight-forward. It was a valid question, and it represents something I was curious about implementing as a single piece of my overall security regimen. These answers/comments don't have anything to do with AWS security groups, and so, don't really help. Thanks anyway – Waldron Apr 18 '13 at 15:16
  • @Waldron The answer is "You're *doing it wrong*". Don't expect a site of professionals to help you *do it wrong* - Rather than stomp your feet and say "that isn't what I was asking for" try taking the time to understand why what you want is not a great idea, and then implement one of the *good* solutions offered here or in [Mark's answer](http://serverfault.com/a/499604/32986) instead. – voretaq7 Apr 18 '13 at 16:41
  • @voretaq7, not sure you understood my comment or the spirit of my question. See response to Mark Wagner in other answer. – Waldron Apr 18 '13 at 17:42
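An added example, not code from the answer above, that checks the hardening Tom O'Connor recommends: key-only logins with password authentication off. The two sshd_config fragments are constructed for the example. The point worth showing is the parsing rule: sshd uses the first value it reads for a keyword, so a `PasswordAuthentication no` appended below a distribution default of `PasswordAuthentication yes` changes nothing, and an audit that reads the last value would pass a host that still accepts passwords. The checker stops at the first `Match` block, since values there are conditional rather than global policy; `Include` directives are not followed.

```python
# Constructed sshd_config fragments, not copied from any real host.
# sshd(8) keeps the FIRST value it reads for a keyword, so the trailing
# "PasswordAuthentication no" in the weak file never takes effect.
WEAK_SSHD_CONFIG = """\
# distribution defaults left in place
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes

# "hardening" appended later; sshd ignores it because the keyword was already set
PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Global settings required for key-only logins, with the accepted values.
# PermitRootLogin's default has changed between OpenSSH versions, so it must
# be set explicitly; the other two fall back to the documented defaults.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(config_text):
    """Parse the global section of an sshd_config with first-value-wins semantics."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" or "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match block is conditional, not global
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return settings


def audit(config_text):
    """Return (keyword, effective_value) pairs that violate the key-only policy."""
    settings = effective_settings(config_text)
    findings = []
    for key, accepted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS.get(key))
        if actual is None or actual.lower() not in accepted:
            findings.append((key, actual))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(text) or "ok")
```

After editing, `sshd -T` prints the effective configuration as sshd itself resolved it and is the authoritative check; the parser above is useful when auditing config files pulled from many hosts without running sshd on each.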