How do I control network access like EC2
So on EC2 I'm able to block all network traffic using security groups and perhaps open up port 80 to all traffic and keep SSH ports or other internal ports to trusted sources like my own IP address.
How do I do the same thing on Linode? Is it only possible with an extra gateway or loadbalancer?
After starting a new instance I already have hundreds of attacks coming in from China.
I know I can configure an instance's firewall but I would like the ability to configure SSH access outside the instance so that I can always gain access even if my own IP address changes.
Is there API access to do this perhaps instead of anything in the GUI?
4 Replies
You can do all this with iptables(8) and ipset(8). The idea would be that you would set up an ipset for each "security group" that you want to establish. You would establish an iptables rule to block all the addresses in its associated ipset.
There is no "API" for this…only shell scripts to add/delete entries in each ipset and to establish/delete the iptables rules.
- iptables(8) man page
- ipset(8) man page
- Linux How To Block IP Addresses Using IPTABLES And IPset
- IPTables - Blacklisting IP's and Ports - Stop the Badguys
As for your immediate problem with attacks from China, you should set up fail2ban(1):
- How to Use Fail2ban to Secure Your Linux Server
- How to go about implementing Fail2ban Installation and Configuration on Ubuntu 16.04
fail2ban(1) can use ipsets as well. You just have to write the fail2ban(1) rules to do that:
How to mitigate attacks with Iptables, fail2ban and Ipset (and monitor with SS)
-- sw
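The ipset-per-"security group" scheme described in this reply, as an added example that is not code from the thread or from Linode. It generates ipset(8) and iptables(8) restore-format files rather than applying them, so it can be reviewed (and run without root); the set names, ports and CIDRs are assumptions for the example:

```shell
#!/bin/sh
# Added example (not from the thread): emulate EC2-style security groups on a
# single Linux host with ipset(8) + iptables(8).  A "group" is an ipset of
# trusted source networks; one iptables rule per port references its group.
# This script only GENERATES restore-format rulesets; apply them with
#   ipset -exist restore < sg.ipset && iptables-restore < sg.rules
# (ipset first: iptables-restore fails if a referenced set does not exist).
# Set names, ports and CIDRs below are assumptions for the example.
set -eu

# emit_ipset NAME CIDR...  -> ipset restore lines that replace the contents of
# NAME atomically: fill NAME_new, swap it in, destroy the old one.  This is
# how you update the SSH group when your own IP changes without a window in
# which the set is empty (and your session is the only thing still allowed).
emit_ipset() {
  name=$1; shift
  printf 'create %s hash:net family inet\n' "$name"
  printf 'create %s_new hash:net family inet\n' "$name"
  for cidr in "$@"; do
    printf 'add %s_new %s\n' "$name" "$cidr"
  done
  printf 'swap %s_new %s\n' "$name" "$name"
  printf 'destroy %s_new\n' "$name"
}

# emit_filter PORT:GROUP...  -> iptables-restore ruleset for the filter table.
# GROUP "any" opens the port to everyone (0.0.0.0/0 in EC2 terms); any other
# GROUP must be an existing ipset.  Everything not listed is dropped by the
# INPUT chain policy, which is the security-group default-deny behaviour.
emit_filter() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Replies to connections this host opened, and sessions already accepted.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
  for spec in "$@"; do
    port=${spec%%:*}
    group=${spec#*:}
    if [ "$group" = any ]; then
      printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    else
      printf '%s\n' "-A INPUT -p tcp --dport $port -m set --match-set $group src -j ACCEPT"
    fi
  done
  # Rate-limited log of what the policy is about to drop, for tuning the groups.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "sg-drop: "'
  printf '%s\n' 'COMMIT'
}

# Constructed groups: SSH only from two trusted networks, HTTP from anyone.
emit_ipset sg_ssh_trusted 203.0.113.10/32 198.51.100.0/24
emit_filter 22:sg_ssh_trusted 80:any
```

Apply the generated files from the Lish console rather than over SSH the first time: with a DROP policy on INPUT, a typo in the SSH group means you can still finish the session you are in (the ESTABLISHED rule keeps it) but cannot open a new one. Re-running `emit_ipset` with a new address and feeding it to `ipset -exist restore` is the whole "my IP changed" procedure; the iptables rules never need to change.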
Thanks @stevewi, so you're saying there are no network rules outside of the running instance? There are a lot of reasons why having an external firewall configuration is useful but for me I like the ability to restrict ssh access which isn't really possible unless you always use the exact same IP address to connect.
I'll try to use my ISP's IP ranges as a stopgap solution and I suppose I can always change the ssh ip range using the web console right? (which runs locally?)
After some investigation I believe it's possible to script this behaviour using the lish shell as that runs locally so it could change firewall rules in a more automated way.
@tacticalrainbow writes:
Thanks @stevewi, so you're saying there are no network rules outside of the running instance?
Essentially, yes. There's this:
https://www.linode.com/blog/linode/cloud-firewall-beta-open/
but unless your Linode is located in Sydney or Mumbai, it's not going to be helpful to you.
There are a lot of reasons why having an external firewall configuration is useful but for me I like the ability to restrict ssh access which isn't really possible unless you always use the exact same IP address to connect.
The other possibility (which is what I use) is to have ssh open to everyone but use public-key authentication and restrict logins to those with public keys only. This is pretty simple to do. I don't travel much but when I do, I can always access my Linode with my laptop because the key-pair on my laptop and on my Linode always authenticate me…no matter what my laptop's IP address is.
You can use fail2ban(1)/ipset(8)/iptables(8) to ban IP addresses with login failures for some arbitrary amount of time (30 days in my case). You can use iptables(8)/ipset(8) to create longer-term bans of repeat offenders.
After some investigation I believe it's possible to script this behaviour using the lish shell as that runs locally so it could change firewall rules in a more automated way.
lish is pretty cumbersome to use in any kind of normal workflow. It wasn't designed for that.
-- sw
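The "open SSH to everyone but keys only, then let fail2ban and ipset deal with the noise" setup from this reply, as an added example that is not code from the thread, from fail2ban or from Linode. The sshd and jail fragments, the set name `sg_blacklist`, the thresholds, and the fail2ban log excerpt are all constructed for the example; the escalation step (repeat offenders get a much longer ipset ban than fail2ban's own) is this example's implementation of the "longer-term bans of repeat offenders" idea, not something the reply spells out:

```shell
#!/bin/sh
# Added example (not from the thread): key-only sshd, a 30-day fail2ban jail,
# and escalation of repeat offenders from fail2ban.log into a long-lived ipset.
# Nothing here needs root: the functions print config fragments and commands
# for review.  Names, thresholds and the log excerpt are assumptions.
set -eu

# sshd_config drop-in: keys only, no password or interactive prompts, and no
# root password logins.  ChallengeResponseAuthentication is the older name of
# KbdInteractiveAuthentication and current OpenSSH still accepts it.
emit_sshd_keyonly() {
  printf '%s\n' \
    'PubkeyAuthentication yes' \
    'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' \
    'PermitRootLogin prohibit-password'
}

# jail.local fragment with the reply's 30-day ban.  Seconds work on every
# fail2ban version ("30d" needs 0.10+).  iptables-ipset-proto6 is the
# ipset-backed ban action shipped with fail2ban 0.9/0.10; check
# /etc/fail2ban/action.d/ for the action name your version installs.
emit_jail_local() {
  printf '%s\n' \
    '[sshd]' \
    'enabled = true' \
    'maxretry = 3' \
    'findtime = 600' \
    'bantime = 2592000' \
    'banaction = iptables-ipset-proto6'
}

# repeat_offenders MIN  (fail2ban.log on stdin) -> "count ip" for each address
# fail2ban banned at least MIN times.  "Restore Ban" lines are fail2ban
# re-applying an existing ban after a restart, not a new offence, so skip them.
repeat_offenders() {
  awk -v min="$1" '
    /fail2ban\.actions/ && / Ban / && !/Restore Ban/ { bans[$NF]++ }
    END { for (ip in bans) if (bans[ip] >= min) print bans[ip], ip }' | sort -rn
}

# emit_blacklist SET DAYS  ("count ip" on stdin) -> ipset/iptables commands
# giving each repeat offender a DAYS-long entry in SET.  "timeout 0" at create
# time enables timeout support with a permanent default; each add overrides it,
# so entries expire on their own and the set never needs manual pruning.
emit_blacklist() {
  set_name=$1; secs=$(( $2 * 86400 ))
  printf 'ipset -exist create %s hash:ip timeout 0\n' "$set_name"
  # Insert the DROP rule only once (-C checks whether it already exists).
  printf 'iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name" "$set_name"
  while read -r count ip; do
    printf 'ipset -exist add %s %s timeout %s\n' "$set_name" "$ip" "$secs"
  done
}

# Constructed fail2ban.log excerpt (not real traffic): 203.0.113.5 is banned
# three times, 192.0.2.9 twice, 198.51.100.7 once plus a restored ban.
SAMPLE_LOG='2020-05-01 10:00:01,000 fail2ban.actions        [900]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-01 10:20:07,000 fail2ban.actions        [900]: NOTICE  [sshd] Ban 198.51.100.7
2020-05-01 11:00:01,000 fail2ban.actions        [900]: NOTICE  [sshd] Unban 203.0.113.5
2020-05-01 11:05:44,000 fail2ban.actions        [900]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-01 12:30:00,000 fail2ban.actions        [900]: NOTICE  [sshd] Ban 192.0.2.9
2020-05-02 09:00:00,000 fail2ban.actions        [901]: NOTICE  [sshd] Restore Ban 198.51.100.7
2020-05-02 09:15:12,000 fail2ban.actions        [901]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-02 09:40:00,000 fail2ban.actions        [901]: NOTICE  [sshd] Ban 192.0.2.9'

# Anyone banned twice or more gets 90 days in sg_blacklist.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2 | emit_blacklist sg_blacklist 90
```

Run the last pipeline from cron against the real `/var/log/fail2ban.log` and pipe its output into `sh` once you are happy with it. Because the DROP rule is inserted at the top of INPUT, put your own trusted networks into the pipeline's exclusion (or keep them out of the log in the first place with a fail2ban `ignoreip`), otherwise a forgotten key on a laptop can earn your own address a 90-day ban; the Lish console remains the way back in if that happens.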