
How to secure ssh port 22 on an AWS EC2 Instance when using Github Action to sync data?

Last Modified: 2020-07-03
Hi,

I am using GitHub Action to do an ssh sync from the master repository to my aws web server. The problem with this is that I need to have port 22 open on the aws web server for github actions to work. I want this to be my production server and do not want to leave port 22 open. What are some realistic options that I can do instead.  I do not want to whitelist hundreds of Azure ips, is it enough to just put fail2ban on the web server? Anything else?

Thank you.

Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Thank you. I disabled password authentication on SSH, so it's only key-based authentication.
In that case, is there any need to also use fail2ban?
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
fail2ban will block any system that attempts logins into the system and gets flagged as an invalid logon.
If you choose to block everything from such a client, anyone trying to access your system will also block themselves from all other services.
So yes, do also install fail2ban to enhance your security.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
fail2ban will take the hits on the SSH service and transfer them to the firewall handling side.
Depending on which option it uses, reject or deny, that will determine how long the resource is consumed.

As noted, requiring key-based authentication limits an attack vector unless and until a vulnerability is discovered, which fail2ban helps to curb/minimize.
CERTIFIED EXPERT

Commented:
Can't you just limit the IP addresses that can connect?  How many servers need access?  Are they on fixed IPs?  There's no need to give the whole world access.

Author

Commented:
GitHub Actions uses Azure; I would need to whitelist like 4 of the main Azure regions to make sure it's all in. That's like 200 IPs.
https://www.microsoft.com/en-us/download/details.aspx?id=56519

CERTIFIED EXPERT

Commented:
You just need to whitelist a block of IP ranges and that should be enough to block the vast majority of the attacks.  You can still have Fail2Ban running if an attack comes from those ranges, but you'll have already limited the majority of the attacks to keep the logs small and manageable.

David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You said, "GitHub Actions uses Azure, I would need to whitelist like 4 of the main Azure regions to make sure it's all in. That's like 200 IPs".

Correct. If you have lots of free time, you can manage all these manually through whitelisting.

Or...

You can just let Fail2Ban handle this for you, automagically.

The point of whitelisting IPs is to reduce password attacks.

So you can do this manually or use Fail2Ban.

There is no right or wrong, just short (Fail2Ban) or long (manual IP whitelisting).
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Or build a script that can process the JSON download that is behind the link you showed
(https://www.microsoft.com/en-us/download/details.aspx?id=56519) and convert it to firewall rules.
For iptables I would suggest using 4 rules that reference 4 ipsets that match each of the cloud sites.

And still use fail2ban to block attempts from the azure clouds.
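The script noci describes, as an added example that is not code from this thread or from Microsoft: it reads the Azure service-tag JSON, keeps only the `AzureCloud.<region>` tags for the regions you choose, splits prefixes by address family (an ipset holds one family), and emits the ipset/iptables commands for review. The JSON layout used here (`values[].name` and `values[].properties.addressPrefixes`) and the `AzureCloud.<region>` tag naming are assumptions about the download; the sample document is constructed from documentation prefixes.

```python
"""Generate ipset/iptables rules that allow SSH only from chosen Azure regions, from
the Azure "IP Ranges and Service Tags" JSON (noci's suggestion). Added example, not
code from the thread; assumed layout: {"values": [{"name": "AzureCloud.<region>",
"properties": {"addressPrefixes": [...]}}]}"""
import ipaddress, json, sys

# Constructed sample in that layout (documentation prefixes, not real Azure ranges).
SAMPLE_DOC = {"values": [
    {"name": "AzureCloud.eastus",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.westeurope",  # duplicate prefix on purpose
     "properties": {"addressPrefixes": ["198.51.100.0/25", "198.51.100.0/25"]}},
    {"name": "Storage.eastus",  # other service tags must be ignored
     "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
]}

def prefixes_for_region(doc, region):
    """Validated, deduplicated prefixes of the AzureCloud.<region> tag as
    (ipv4_list, ipv6_list): an ipset holds only one address family."""
    v4, v6 = set(), set()
    for tag in doc["values"]:
        if tag["name"] != f"AzureCloud.{region}":
            continue
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)  # rejects garbage
            (v4 if net.version == 4 else v6).add(str(net))
    return sorted(v4), sorted(v6)

def build_rules(doc, regions, port=22):
    """One ipset per region and family, one ACCEPT rule per set, then a final
    DROP so the allowlist really restricts the port. Strings only, so the
    output can be reviewed before it is executed as root."""
    cmds = []
    for region in regions:
        families = zip(("inet", "inet6"), prefixes_for_region(doc, region),
                       ("iptables", "ip6tables"))
        for fam, nets, tool in families:
            if not nets:
                continue
            name = f"azure-{region}-{fam}"
            cmds.append(f"ipset create {name} hash:net family {fam} -exist")
            cmds += [f"ipset add {name} {n} -exist" for n in nets]
            cmds.append(f"{tool} -A INPUT -p tcp --dport {port} "
                        f"-m set --match-set {name} src -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        cmds.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return cmds

if __name__ == "__main__":  # usage: script.py ServiceTags_Public_<date>.json eastus westeurope
    print("\n".join(build_rules(json.load(open(sys.argv[1])), sys.argv[2:])))
```

Re-run it whenever Microsoft publishes a new file, since the ranges change; the `-exist` flags make re-applying idempotent, and fail2ban still covers attempts that come from inside the allowed ranges.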