Here we are with our new post, in which we will see how to secure an AWS EC2 Ubuntu instance. This post is a step-by-step guide to securing an EC2 Ubuntu instance. Be it Ubuntu 14.04, 16.04 or 18.04, it will work for any Ubuntu version. We are presenting here 3 steps through which you can secure your Ubuntu VM from external attacks.
1. Security group
Allow traffic on the required ports only, and only from trusted sources; do not simply allow all traffic. Let’s say you are hosting a web app that is expected to work on port 80 (HTTP) and port 443 (HTTPS), and you want everyone to be able to reach your website: you can allow access on ports 80 and 443 from anywhere. If you also have a MySQL server hosted on the same machine and want it to be reachable only from a fixed IP range, then allow only that IP range to access port 3306. You can allow other inbound ports as your use case requires. Port 22 for SSH should be allowed only from the fixed IP range of your premises. Never allow "All TCP" from anywhere, as that opens up an attack surface on your Ubuntu VM. Furthermore, you can restrict traffic on outbound ports as well. By default all outbound ports are open, but outbound rules can be tightened too: let’s say you are pushing some content to a cross-domain API on port 443, so you can allow outbound 443 only to that cross-domain server’s IP.
2. Changing default Ports
Another thing you can do to secure your EC2 Ubuntu instance is to change the default ports to different values: for example, use a port like 7227 for SSH instead of 22, a different port like 7889 for MySQL instead of 3306, and for FTP something like 7500, or maybe do not use FTP at all and only use SFTP. This helps reduce your attack vector.
3. Internal Firewall
You can add another level of protection through UFW, a firewall configuration tool for Ubuntu. You can add ingress/egress rules in UFW. However, you need to add rules with care, especially when adding a rule for port 22 (SSH): if you add the wrong IPs you may lose SSH access and not be able to regain it. You can check this post to see how to allow or deny a rule in UFW.
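The policy from step 1 expressed as UFW rules, with the lockout caveat above built in, as an added example that is not part of the original post: a shell helper that generates the `ufw` commands, takes the SSH port from step 2 as a parameter, and refuses to enable the firewall unless an SSH allow rule from a specific source range is present. The CIDR ranges (203.0.113.0/24 for SSH, 198.51.100.0/24 for MySQL clients) are constructed sample values; substitute your own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Generates a UFW rule set that
# mirrors the policy described in the post and guards against SSH lockout.
# Sample CIDR ranges below are constructed for illustration only.
set -u

# build_ufw_rules <ssh_port> <ssh_cidr> <mysql_cidr>
# Prints one ufw command per line; nothing is executed here.
build_ufw_rules() {
  local ssh_port="$1" ssh_cidr="$2" mysql_cidr="$3"
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow from ${ssh_cidr} to any port ${ssh_port} proto tcp" \
    "ufw allow 80/tcp" \
    "ufw allow 443/tcp" \
    "ufw allow from ${mysql_cidr} to any port 3306 proto tcp"
}

# has_ssh_rule <rules> <ssh_port>: succeeds only if some rule allows the SSH
# port from an explicit source range (a plain "allow from any" does not count).
has_ssh_rule() {
  local rules="$1" ssh_port="$2"
  printf '%s\n' "$rules" | grep -Eq "^ufw allow from [0-9./]+ to any port ${ssh_port} proto tcp$"
}

# apply_rules <rules> <ssh_port> [dry|apply]: prints the plan including the
# final "ufw --force enable"; runs it only when the SSH guard passes and
# mode is "apply". Default is a dry run so a typo cannot lock you out.
apply_rules() {
  local rules="$1" ssh_port="$2" mode="${3:-dry}"
  if ! has_ssh_rule "$rules" "$ssh_port"; then
    echo "refusing to enable ufw: no SSH allow rule for port ${ssh_port} from a fixed range" >&2
    return 1
  fi
  printf '%s\n' "$rules" "ufw --force enable"
  if [ "$mode" = "apply" ]; then
    printf '%s\n' "$rules" "ufw --force enable" | while IFS= read -r cmd; do
      sudo sh -c "$cmd"
    done
  fi
}

# Dry run with the constructed sample values: prints the commands, changes nothing.
RULES=$(build_ufw_rules 22 203.0.113.0/24 198.51.100.0/24)
apply_rules "$RULES" 22 dry
```

Run it once as a dry run and review the printed commands; only then rerun with `apply` as the third argument, from a session whose source IP is inside the SSH range you passed in.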