I'm looking for clarification on what I see as a potential problem with EC2 Security Groups.
I'm setting up a Security Group for connecting to linux instances. I've created "anywhere" rules for HTTP and HTTPS access.
For my SSH rule, the amazon tutorial says I should limit inbound access to my public IP address.
-
What I don't get is how that's secure or workable if your public IP address is dynamic?
-
My IP address is dynamic, so what happens when my ISP changes my public IP and I can no longer ssh into my instance?
Link to the setup guide I'm using: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html (Step 7 of 'Create a Security Group' is what seems problematic to me)
Best Answer
This solution could work if you find your IP doesn't change often, or if you only need access for a short time. It adds an extra layer of security as SSH isn't exposed to traffic outside of the CIDR you supply.
If a specific CIDR doesn't work, you could try on or more board CIDR ranges that your ISP is likely to use, this will still limit access from a large percentage of the Internet, and that's a win for security.
You can login to the AWS Console, or use the CLI to update the Security Group rule on the fly.
You could write a script that interacts with the CLI directly. It could be as simple as something that checks for the
Port 22 rule
against your current IP and updates it if it's different. Of course running such a script might raise more security questions itself :)Is an IP firewall the best way to secure SSH?
While it's nice to limit ssh traffic to only trusted IP sources where practical, the thing that makes ssh secure is the use of private keys and sensible configuration.
Key items to consider:
You could also do a few things to get rid of the 'noise' associated with brute force attacks: