Out of the box, Amazon EC2 instances come with basic security. However, that alone is not enough to guarantee your system will not be vulnerable to attack. That is why we want to cover some additional security steps that should be taken to harden an EC2 instance.
Here are five ways to harden an EC2 Server
- SSH Keys
- Keep System Up To Date
- Lockdown / Restrict System Ports
- Enable Additional SSH Security
- Disable root Login
One of the largest security risks in IT is passwords. There are many different strategies and guidelines one can follow to create a more secure password. Regardless of the method you choose, passwords remain highly likely to be cracked or subjected to brute-force attacks.
Thankfully, SSH offers an alternative authentication method in the form of keys. Keys tend to be more secure and remove the risk of a brute-force attack, since there is no password prompt for an attacker to guess against. A key comes in two parts, a public key and a private key. The private key stays on the machine that generated it and acts as the gatekeeper; the public key is placed on the system you want to connect to over SSH.
The key system works like this. A client tries to log in to a remote machine over ssh using its private key. The machine receiving the request looks through its stored public keys for one matching your IP address. If it finds one, it uses that public key to validate the private key and authenticate the connection. Therefore, once keys are enabled, the system cannot be accessed without access to both the public and private keys.
Let’s Create a Key Pair:
Follow the directions in Generating an SSL Server Certificate on how to generate the RSA private key. Once you have your public and private keys follow these steps:
- Log into your Amazon AWS Console.
- Under Network & Security click on Key Pairs.
- Click on Import Key Pair
- Either upload your public key file or copy and paste the contents of your public key into the field.
- Click on Import.
- Now you can ssh into your EC2 instance like so:
ssh -i <path-to-private-key> <user>@<instance-public-ip>
Keep System Up To Date
Administering systems is a never-ending job. Too many times a system is left vulnerable to attack simply because it was missing a software update or a new driver. You can avoid these attacks by following a structured maintenance schedule. Thankfully, there are tools on Linux to make this job a little easier.
Using Linux's updater command line tool (yum, or dnf on newer distributions):
yum update <package name/s>
dnf [options] <command> [<args>...]
On Ubuntu and Debian use the command line tool apt-get.
apt-get install --only-upgrade <packagename>
Lockdown / Restrict System Ports
As you went through the process of setting up an EC2 server, you will have encountered a screen for security groups. Depending on the purpose of your server, you may already have some basic rules for HTTP, POP3, or SSH. However, simply adding an SSH rule opens your instance to the world. With some additional tweaks, you can restrict SSH access to a select number of connections or IP addresses.
- Log into your Amazon AWS Console.
- Under Network & Security click on Security Groups.
- Select a security group.
- Click on Actions and select Edit inbound rules.
- Make sure to save your changes.
To restrict SSH access to the EC2 instance to the machine you are on, look for SSH in the list. If no SSH rule exists, add one. Then click the drop-down under Source and select My IP; this fills in the IP address of the machine you are currently on. If you connect from multiple locations (computers), add one SSH entry per location and select Custom to enter each specific IP address.
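The same restriction done with the AWS CLI instead of the console, as an added example that is not part of the original article: it validates the address, removes a world-open port-22 rule if one exists, and then allows port 22 only from that address as a /32. It assumes the AWS CLI is installed and configured, that the security group id you pass is your own (the value here is a placeholder), and uses checkip.amazonaws.com to discover the current public IP when none is given.

```shell
# Added example, not from the original article.

# to_cidr IP: validate a dotted-quad IPv4 address and print it as a /32 CIDR.
# Returns 1 on anything that is not four octets of 0-255.
to_cidr() {
  ip=$1
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  IFS=. read -r a b c d extra <<EOF
$ip
EOF
  [ -n "$d" ] && [ -z "$extra" ] || return 1   # exactly four octets
  for o in "$a" "$b" "$c" "$d"; do
    [ "$o" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# restrict_ssh SG_ID [IP]: the CLI equivalent of "Edit inbound rules" + "My IP".
# Drops the 0.0.0.0/0 port-22 rule if present, then allows port 22 from IP/32 only.
restrict_ssh() {
  sg=$1
  ip=${2:-$(curl -fsS https://checkip.amazonaws.com)} || return 1
  cidr=$(to_cidr "$ip") || { echo "not a valid IPv4 address: $ip" >&2; return 1; }
  # revoke fails when the open rule does not exist; that is fine, so ignore it
  aws ec2 revoke-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr 0.0.0.0/0 2>/dev/null || true
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr "$cidr"
}

# Usage (sg-PLACEHOLDER is a placeholder for your own security group id):
#   restrict_ssh sg-PLACEHOLDER            # use this machine's public IP
#   restrict_ssh sg-PLACEHOLDER 203.0.113.7 # or a specific office address
```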
Enable Additional SSH Security
If you choose to use SSH without keys, then I recommend enabling some additional SSH security options. These options include basic safety precautions like:
- Session timeout
- The number of allowed failed login attempts
- How many open connections a user can have
- Restrict root Login
Follow these steps to make these changes:
- SSH into EC2 instance.
- sudo -s
- Edit your SSH configuration file:
sudo vi /etc/ssh/sshd_config
- Uncomment (remove #) and set these variables:
ListenAddress 0.0.0.0
Protocol 2
LoginGraceTime 2M
StrictModes yes
MaxAuthTries 6
MaxSessions 10
- Restart to apply changes.
service sshd restart
Replace “0.0.0.0” with your EC2 instance's IP address. On EC2 this must be the private IP address assigned to the instance's network interface; the public IP address is mapped by AWS and is not configured on the instance itself, so sshd cannot bind to it. Both addresses are shown in the EC2 console: follow the menu options to View Instances inside the AWS Management Console, and look under the Description tab at the bottom of the page.
Disable root Login
Every Linux machine creates a root account by default, so the root account can be a severe security risk when exposed over ssh: attackers know that a root (administrator) account exists, which makes it a ready target. One way to fix this problem is to enable the use of ssh keys (see above). However, what if the system doesn’t use ssh keys? What else can you do?
Thankfully, locking down root is relatively straightforward: all you need to do is disable root login. However, we still need an account for administering the system, so before turning off root login we need to create a new account with admin rights. When naming the new account, avoid prominent names like admin, administrator, or god (to name a few).
Follow the steps in Creating a user account on an EC2 instance to create a new admin user. Once you have your new admin user, you will need to make a change to /etc/ssh/sshd_config. Open the file, uncomment the PermitRootLogin line and set it to “PermitRootLogin no”. When you are finished, save your changes and restart the sshd service.
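The sshd_config edits from the two sections above (the directives listed under Enable Additional SSH Security, plus PermitRootLogin no from this section), as an added example script that is not from the original article. It assumes the file contains no "Match" blocks (directives after a Match line are scoped to it) and relies on sshd honouring the first occurrence of a directive, so rewriting the first active or "#Key" line is sufficient; ListenAddress is left out because it is instance-specific.

```shell
# Added example, not from the original article: apply the article's sshd_config
# directives idempotently (uncomment-or-append), then audit the active values.
# Assumes no "Match" blocks; sshd uses the FIRST occurrence of each directive.

# set_directive FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..." line
# (sshd_config's own commented-default style), or append "KEY VALUE" if absent.
set_directive() {
  tmp=$(mktemp) || return 1
  awk -v k="$2" -v v="$3" '
    { line = $0; sub(/^[ \t]*#?/, "", line)        # drop indentation and "#"
      split(line, f, /[ \t]+/)                      # "# prose" leaves f[1] empty
      if (!done && tolower(f[1]) == tolower(k)) { print k " " v; done = 1; next }
      print }
    END { if (!done) print k " " v }' "$1" > "$tmp" && mv "$tmp" "$1"
}
# active_value FILE KEY: value of the first uncommented KEY line (empty if none).
active_value() {
  awk -v k="$2" '
    { line = $0; sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      split(line, f, /[ \t]+/)
      if (tolower(f[1]) == tolower(k)) { print f[2]; exit } }' "$1"
}
# Directive list from the article (Protocol 2 is deprecated and ignored by current OpenSSH).
HARDENING='Protocol 2
LoginGraceTime 2M
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PermitRootLogin no'
harden_sshd() {   # harden_sshd FILE
  printf '%s\n' "$HARDENING" | while read -r key val; do
    set_directive "$1" "$key" "$val" || return 1
  done
}
audit_sshd() {    # audit_sshd FILE: one OK/FAIL line per directive; returns 1 on any FAIL
  rc=0
  while read -r key want; do
    got=$(active_value "$1" "$key")
    if [ "$got" = "$want" ]; then echo "OK   $key $got"
    else echo "FAIL $key: got '${got:-<unset>}' want '$want'"; rc=1; fi
  done <<EOF
$HARDENING
EOF
  return $rc
}
# Usage: harden_sshd /etc/ssh/sshd_config && audit_sshd /etc/ssh/sshd_config
# then run "sshd -t" to validate before restarting the service.
```

The service to restart is named sshd on Amazon Linux and RHEL-based systems but ssh on Debian and Ubuntu.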
These are just a few ways in which you can lock down security on your EC2 instance. Consider checking out the following books. These are an excellent source of details about the complex aspects of securing your servers.