Configuring FirewallD
Overview
An EC2 Security Group cannot block a specific IP address from reaching your EC2 instance, because Security Groups only contain allow rules: anything not allowed is dropped, but there is no way to single out one source for denial. If you are opening port 22 to the world, how do you block specific IP addresses?
One approach is to use Network ACLs, which do support deny rules at the subnet level. This article covers an alternate approach, which is to use the FirewallD service built into the OS.
Background
SFTP Gateway is built on Amazon Linux 2023. Normally, you don't need to configure the firewall at the OS level. This is because you can configure network access on the EC2 Security Group.
But for SFTP use cases where it is not feasible to allow-list the IP of every SFTP user, customers may open port 22 to the world for practical reasons.
Under these circumstances, you may want to actively block specific IP addresses. For example, some automation may be sending unwanted traffic (repeated failed logins, scanners). Blocking that source at the host keeps the noise out of the logs and frees the SSH daemon from handling it.
Historically, the local firewall was configured directly with iptables. On Amazon Linux 2023 the supported way is FirewallD, which manages the kernel packet filter (nftables) on your behalf.
Installation
By default, FirewallD is not installed on SFTP Gateway. You can install it using the following commands:
sudo su
dnf install firewalld -y
Warning: Introducing an OS-level firewall could result in taking down Production, and also locking you out of the EC2 instance. You may want to test this in a Staging environment before doing anything directly in Production. If you find yourself locked out of your EC2 instance, you can use this KB article (https://help.thorntech.com/docs/sftp-gateway-3.0/aws-locked-out-of-ec2-instance/) and inject bash commands to stop and disable FirewallD.
Installing the package on its own shouldn't change anything, because the service is not running yet (you can confirm with systemctl status firewalld that it reports inactive). Just make sure you do not start the FirewallD service until you are 100% sure it is safe to do so.
Configuration
The moment you start the FirewallD service with its default configuration, you will lock yourself out: the default public zone only allows the stock ssh service (port 22), so new SSH connections to the admin port used by SFTP Gateway are refused, and you should assume the session you are in will not survive either. Getting back in is difficult; see the article above about using UserData to inject bash commands.
To prevent yourself from getting locked out, you need to pre-configure FirewallD.
The normal way to configure FirewallD is the firewall-cmd command. However, firewall-cmd talks to the running daemon, so you can't use it until you start the FirewallD service, and the moment you start FirewallD you get locked out and never get a chance to run it. (FirewallD does ship a firewall-offline-cmd tool for exactly this situation, but the XML files described next are easier to review, copy between instances, and put under version control.)
To get around this, you will need to configure FirewallD using XML files. This is something you can do prior to starting the FirewallD service. And these XML files will be read by the FirewallD service when it starts.
First, create the following file:
/etc/firewalld/zones/public.xml
And add the following text:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="ssh-custom"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="50.219.57.90"/>
    <port protocol="tcp" port="22"/>
    <drop/>
  </rule>
</zone>
Make sure you replace the IP 50.219.57.90 with the IP address you want to block.
To block additional addresses, add one more <rule> block per address. The source address may also be a CIDR range (for example address="50.219.57.0/24"), and for an IPv6 address the rule must use family="ipv6" instead of family="ipv4".
Here's a breakdown of what's happening in this file:
- This is the configuration file for the public zone, which is the default zone on a fresh FirewallD install and therefore the zone applied to the instance's network interface. A file in /etc/firewalld/zones/ overrides the stock copy in /usr/lib/firewalld/zones/.
- We are allowing the ssh service, which opens port 22 (where SFTP users connect)
- We are allowing the http service, which opens port 80
- We are allowing the https service, which opens port 443
- We are allowing a service named ssh-custom, which we will define later
- We are allowing the dhcpv6-client service, which is part of the stock public zone
- There is a rule that drops traffic from 50.219.57.90 to port 22. FirewallD evaluates drop and reject rich rules before the zone's service allows, so this rule wins over the ssh service above. drop discards the packets silently; reject would answer with a reset, which tells the sender a firewall is there.
Next, create the following file:
/etc/firewalld/services/ssh-custom.xml
And add the following text:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="2222"/>
</service>
This file defines the ssh-custom service referenced in the zone file. It opens TCP port 2222, the port you SSH into, which is why the zone must include it before FirewallD is started: the stock ssh service only covers port 22.
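Writing these two files by hand works for one address, but it is easy to mistype an address or to forget the ssh-custom entry and lock yourself out. The script below is an added example for this article, not part of SFTP Gateway. It generates both files for a whole block list (IPv4 hosts, CIDR ranges and IPv6 addresses, choosing the rich rule's family from the address version), and runs a pre-start check that every service the zone references exists and that one of them opens the admin SSH port. The addresses in BLOCKED_SOURCES are constructed documentation-range examples, the function names are hypothetical, and the ports come from the files above.

```python
"""Generate and sanity-check the FirewallD XML files described above.

Added example for this article; not part of SFTP Gateway. The block-list
addresses are constructed (documentation ranges), not taken from the page.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

XML_HEADER = '<?xml version="1.0" encoding="utf-8"?>\n'
SFTP_PORT = "22"          # port the SFTP users connect to
ADMIN_SSH_PORT = "2222"   # port opened by the ssh-custom service in the article
ZONE_SERVICES = ["ssh", "http", "https", "ssh-custom", "dhcpv6-client"]
# Ports of the stock services (from /usr/lib/firewalld/services/*.xml) that the
# zone references; any other name must come from a custom service file.
BUILTIN_SERVICE_PORTS = {
    "ssh": ("tcp", "22"),
    "http": ("tcp", "80"),
    "https": ("tcp", "443"),
    "dhcpv6-client": ("udp", "546"),
}
# Constructed block list: a single host, an IPv4 range and an IPv6 host.
BLOCKED_SOURCES = ["203.0.113.7", "198.51.100.0/24", "2001:db8::1"]


def _serialize(root):
    ET.indent(root)
    return XML_HEADER + ET.tostring(root, encoding="unicode") + "\n"


def build_zone_xml(blocked_sources, services=ZONE_SERVICES, blocked_port=SFTP_PORT):
    """Return public.xml with one <drop/> rich rule per blocked source.

    Each source is parsed with ipaddress so a typo fails loudly here instead of
    producing a rule that matches nothing, and the family attribute is chosen
    from the address version (a rule with a <source> must declare its family).
    """
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = "Public"
    ET.SubElement(zone, "description").text = "For use in public areas"
    for name in services:
        ET.SubElement(zone, "service", name=name)
    for src in blocked_sources:
        net = ipaddress.ip_network(src, strict=False)  # accepts a host or a CIDR
        address = str(net.network_address) if net.num_addresses == 1 else str(net)
        rule = ET.SubElement(zone, "rule", family="ipv4" if net.version == 4 else "ipv6")
        ET.SubElement(rule, "source", address=address)
        ET.SubElement(rule, "port", protocol="tcp", port=blocked_port)
        ET.SubElement(rule, "drop")  # silent discard; <reject/> would answer with a reset
    return _serialize(zone)


def build_service_xml(port=ADMIN_SSH_PORT):
    """Return ssh-custom.xml: a service that opens one extra TCP port for SSH."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = "SSH (custom port)"
    ET.SubElement(svc, "description").text = f"SSH on TCP port {port}"
    ET.SubElement(svc, "port", protocol="tcp", port=port)
    return _serialize(svc)


def preflight(zone_xml, custom_services, admin_port=ADMIN_SSH_PORT):
    """Lock-out guard to run before `systemctl start firewalld`.

    custom_services maps a service name to the XML text that would live under
    /etc/firewalld/services. Returns a list of problems; empty means every
    referenced service exists and at least one of them opens the admin SSH port.
    """
    problems, opened = [], set()
    zone = ET.fromstring(zone_xml)
    for svc in zone.findall("service"):
        name = svc.get("name")
        if name in custom_services:
            for p in ET.fromstring(custom_services[name]).findall("port"):
                opened.add((p.get("protocol"), p.get("port")))
        elif name in BUILTIN_SERVICE_PORTS:
            opened.add(BUILTIN_SERVICE_PORTS[name])
        else:
            problems.append(f"zone references unknown service '{name}'")
    if ("tcp", admin_port) not in opened:
        problems.append(f"no service in the zone opens tcp/{admin_port}; you would be locked out")
    for src in zone.iter("source"):
        try:
            ipaddress.ip_network(src.get("address"), strict=False)
        except ValueError:
            problems.append(f"unparseable source address {src.get('address')!r}")
    return problems


def write_files(dest, blocked_sources):
    """Write zones/public.xml and services/ssh-custom.xml under dest, refusing on any problem."""
    zone_xml, service_xml = build_zone_xml(blocked_sources), build_service_xml()
    problems = preflight(zone_xml, {"ssh-custom": service_xml})
    if problems:
        raise SystemExit("refusing to write: " + "; ".join(problems))
    dest = Path(dest)
    (dest / "zones").mkdir(parents=True, exist_ok=True)
    (dest / "services").mkdir(parents=True, exist_ok=True)
    (dest / "zones" / "public.xml").write_text(zone_xml)
    (dest / "services" / "ssh-custom.xml").write_text(service_xml)
    return problems


if __name__ == "__main__":
    # Preview first: python firewalld_files.py /tmp/fw-preview 203.0.113.7 198.51.100.0/24
    # then rerun with /etc/firewalld as root once the output looks right.
    target, sources = sys.argv[1], sys.argv[2:] or BLOCKED_SOURCES
    write_files(target, sources)
    print(build_zone_xml(sources))
```

Run it against a scratch directory first and diff the output against the hand-written files above; only then point it at /etc/firewalld as root. The preflight check is deliberately conservative: it refuses to write anything if the zone references a service it cannot find, which is the exact mistake that locks you out.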
Start the FirewallD service
Once you have configured the XML files, you can start the FirewallD service.
Note: Before starting, arrange an alternate way of reaching the command line in case something goes wrong. For example, enable the EC2 serial console, confirm that SSM Session Manager can connect, and set a password on ec2-user, since the serial console requires one to log in and to sudo.
Run the command to start the FirewallD service:
systemctl start firewalld
Then, from a second SSH session (keep the first one open), confirm you can still connect and that your configuration was loaded: firewall-cmd --list-all should show ssh-custom among the services and your drop rule under rich rules. Only once that checks out, run this command so the FirewallD service persists after a reboot:
systemctl enable firewalld