Open IP ports

Newvem monitors your security groups’ inbound rules and notifies you if it finds at least one rule whose source is open to all IP addresses (0.0.0.0/0). Such a rule means that the port is reachable on every instance that uses the group from any IP address worldwide, which makes those servers an easy target. We suggest that you reduce the number of world-open ports to a minimum, limiting access from the outside world to web-facing services only, for example port 80 for HTTP and port 443 for HTTPS; every other port should be restricted to known source addresses or to other security groups.

Identification

Our identification of the issue is based on the following data:

    • One or more security groups contain an inbound rule whose source is 0.0.0.0/0, i.e. a rule that allows access to its port range from any IP address.
    • One or more of your AWS instances use a security group with such a rule.

Instructions

Viewing a security group’s rules

 AWS Management Console

    1. Log in to the AWS Management Console and click the Amazon EC2 tab.
    2. In the Navigation pane, click Security Groups. The security groups belonging to the account are displayed.
    3. Select the security group whose rules you want to see. The security group’s information is displayed in the lower pane in the Details tab; its rules are displayed in the Inbound tab.

Command Line Tools

Type the command:

PROMPT>  ec2-describe-group [group ...]

Amazon EC2 returns output in the format of the following example.

GROUP       sg-251s6f45     999988887777    WebServers      web
PERMISSION  999988887777    WebServers      ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0       ingress

Each PERMISSION record lists the protocol, the from-port and to-port of the range, and the source; a CIDR source of 0.0.0.0/0 is what makes the port open to all IP addresses.

Tip: To filter the list to the security groups with rules on particular ports, use the ip-permission.from-port and ip-permission.to-port filters; to find every rule that is open to all addresses regardless of port, filter on ip-permission.cidr with the value 0.0.0.0/0.
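The check described in the Identification section, applied to the output format shown above, as an added example (this is not Newvem's or Amazon's code). It parses the tab-separated GROUP/PERMISSION records of ec2-describe-group, flags every rule whose source matches all addresses, marks whether the port range is one of the web-facing ports the page allows, and joins each finding to the instances that use the group via the RESERVATION records of ec2-describe-instances. The sample output is constructed, the INSTANCE records are abbreviated to the fields used, and the assumption that several groups on one RESERVATION record are comma-separated is marked in the code.

```python
"""Find security-group rules open to the world (source 0.0.0.0/0) and the
instances that use those groups, from the tab-separated output of the legacy
EC2 API tools (ec2-describe-group and ec2-describe-instances)."""
import ipaddress

# Ports the page treats as legitimately web-facing.
WEB_FACING_PORTS = {80, 443}

# Constructed sample output (not captured from a real account).
# GROUP record:      GROUP sg-id owner name description
# PERMISSION record: PERMISSION owner name ALLOWS proto from-port to-port FROM CIDR source direction
DESCRIBE_GROUP_OUTPUT = (
    "GROUP\tsg-251s6f45\t999988887777\tWebServers\tweb\n"
    "PERMISSION\t999988887777\tWebServers\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t0.0.0.0/0\tingress\n"
    "PERMISSION\t999988887777\tWebServers\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t0.0.0.0/0\tingress\n"
    "PERMISSION\t999988887777\tWebServers\tALLOWS\ttcp\t3306\t3306\tFROM\tCIDR\t10.0.0.0/8\tingress\n"
    "GROUP\tsg-0a1b2c3d\t999988887777\tAdmin\tadmin\n"
    "PERMISSION\t999988887777\tAdmin\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t203.0.113.0/24\tingress\n"
)

# Constructed and abbreviated: only the RESERVATION group field and the
# INSTANCE id field are used, the remaining columns are omitted.
DESCRIBE_INSTANCES_OUTPUT = (
    "RESERVATION\tr-11111111\t999988887777\tWebServers\n"
    "INSTANCE\ti-aaaa1111\tami-12345678\n"
    "RESERVATION\tr-22222222\t999988887777\tAdmin\n"
    "INSTANCE\ti-bbbb2222\tami-12345678\n"
)


def parse_describe_group(text):
    """Return {group_name: [rule, ...]} from ec2-describe-group output."""
    groups = {}
    for line in text.splitlines():
        f = line.split("\t")
        if f[0] == "GROUP":
            groups.setdefault(f[3], [])
        elif f[0] == "PERMISSION":
            groups.setdefault(f[2], []).append({
                "proto": f[4],
                "from_port": int(f[5]),   # -1 means all ports (or ICMP type)
                "to_port": int(f[6]),
                "src_type": f[8],         # CIDR, or a reference to another group
                "src": f[9],
            })
    return groups


def is_world_open(rule):
    """A CIDR source with prefix length 0 (0.0.0.0/0, or ::/0) matches every address."""
    if rule["src_type"] != "CIDR":
        return False
    try:
        return ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0
    except ValueError:
        return False   # malformed source; not provably open, review by hand


def is_web_facing(rule):
    """True only if every port in the range is one the page allows to be public."""
    if rule["from_port"] < 0:
        return False
    return all(p in WEB_FACING_PORTS for p in range(rule["from_port"], rule["to_port"] + 1))


def parse_describe_instances(text):
    """Return {group_name: [instance_id, ...]}; groups are named on the RESERVATION record."""
    by_group, current_groups = {}, []
    for line in text.splitlines():
        f = line.split("\t")
        if f[0] == "RESERVATION":
            current_groups = f[3].split(",")   # assumption: several groups are comma-separated
        elif f[0] == "INSTANCE":
            for g in current_groups:
                by_group.setdefault(g, []).append(f[1])
    return by_group


def find_world_open_rules(group_text, instance_text):
    """Every rule open to all addresses, with the instances it exposes."""
    groups = parse_describe_group(group_text)
    instances = parse_describe_instances(instance_text)
    findings = []
    for name, rules in groups.items():
        for r in rules:
            if is_world_open(r):
                findings.append({
                    "group": name, "proto": r["proto"],
                    "ports": (r["from_port"], r["to_port"]), "src": r["src"],
                    "web_facing": is_web_facing(r),
                    "instances": instances.get(name, []),
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_rules(DESCRIBE_GROUP_OUTPUT, DESCRIBE_INSTANCES_OUTPUT):
        status = "ok (web-facing)" if f["web_facing"] else "REVIEW"
        print(f"{f['group']}: {f['proto']} {f['ports'][0]}-{f['ports'][1]} from {f['src']} "
              f"-> {f['instances']} [{status}]")
```

On the sample data the port 80 rule is reported as world-open but web-facing, the port 22 rule on WebServers is reported for review together with instance i-aaaa1111, and the MySQL and Admin rules are not reported because their sources are bounded networks. The prefix-length test also catches ::/0, which the legacy tools never print but which matters once IPv6 rules exist.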

Adding a rule to a security group

AWS Management Console

To add a rule to a security group:

  1.  In the AWS Management Console, select the EC2 security group you want to change, by following the instructions in the above procedure (Viewing a security group’s rules). The selected security group’s rules appear in the lower pane, in the Inbound tab.
  2.  In the Inbound tab, under Create a new rule, select the type of rule to create.
  3.  In Port range, specify a port or port range. For open IP ports, we suggest that you reduce the number of ports reachable from anywhere to a minimum, limiting access from the outside world only to web-facing services (e.g. port 80 for HTTP and port 443 for HTTPS).
  4.  In Source, specify one of the following:
    • The name or ID of the security group that is allowed access. If the group is in another AWS account, type that account’s ID, followed by “/”, followed by the security group name. For example: 978644442091/SecurityGroupA.
    • The IP address or range of addresses, in CIDR notation, that is allowed access. For example, 203.0.113.3/32 limits access to the single computer at that address, and 203.0.113.0/24 limits access to that network of 256 addresses (each octet of an IPv4 address must be between 0 and 255). Entering 0.0.0.0/0 allows every IP address to reach the specified port range, which is exactly the condition this check reports, so use it only for the web-facing ports above.

  5.  Click Add Rule. An asterisk appears on the Inbound tab, and the Apply Rule Changes button becomes enabled.
  6.  Click Apply Rule Changes. The new rule is created and can be viewed in the right pane of the Inbound tab. The new rule is applied to all instances belonging to the selected security group.
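The same inputs that the console asks for in steps 2 to 4 (protocol, port range, source), checked before a rule is committed, as an added example that is not part of the original page. It validates the source the way a practitioner would want: a bare host address becomes a /32, a range with host bits set is normalised to its network, a malformed address is rejected rather than silently accepted, and 0.0.0.0/0 is refused on any port that is not web-facing. The function returns the dict shaped like one IpPermissions element of the EC2 AuthorizeSecurityGroupIngress API (the shape boto3's authorize_security_group_ingress takes); it does not make the call, so it runs offline. The WEB_FACING_PORTS policy and the 12-digit account/name parsing of group references follow the page; the function and variable names are this example's own.

```python
"""Validate the (protocol, port range, source) of a new inbound rule and build
the IpPermissions entry for EC2 AuthorizeSecurityGroupIngress. The call itself
is deliberately not made here."""
import ipaddress
import re

# Ports the page allows to be reachable from anywhere.
WEB_FACING_PORTS = {80, 443}


def _looks_like_ip(source):
    """Distinguish a CIDR/address source from a security-group reference."""
    return ":" in source or re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?", source) is not None


def build_ingress_rule(protocol, from_port, to_port, source):
    """Return one IpPermissions element, or raise ValueError for an unsafe or malformed rule."""
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError("port range must satisfy 0 <= from_port <= to_port <= 65535")
    rule = {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port}

    if _looks_like_ip(source):
        # strict=False turns 203.0.113.3 into 203.0.113.3/32 and 203.0.113.3/24 into
        # 203.0.113.0/24; an impossible octet such as 432 raises ValueError here.
        net = ipaddress.ip_network(source, strict=False)
        world_open = net.prefixlen == 0
        web_facing = all(p in WEB_FACING_PORTS for p in range(from_port, to_port + 1))
        if world_open and not web_facing:
            raise ValueError(
                f"{source} would expose ports {from_port}-{to_port} to every address; "
                "restrict the source to known networks or another security group")
        rule["IpRanges"] = [{"CidrIp": str(net)}]
        return rule

    # Security-group reference: "<12-digit account id>/<name>" for another account,
    # or just the name or sg-id within this account.
    m = re.fullmatch(r"(?:(\d{12})/)?(.+)", source)
    if not m:
        raise ValueError(f"unrecognised source: {source!r}")
    account, name = m.groups()
    pair = {"GroupId": name} if name.startswith("sg-") else {"GroupName": name}
    if account:
        pair["UserId"] = account
    rule["UserIdGroupPairs"] = [pair]
    return rule


def check_rule(protocol, from_port, to_port, source):
    """Convenience wrapper: (rule, None) on success, (None, reason) when refused."""
    try:
        return build_ingress_rule(protocol, from_port, to_port, source), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for args in [("tcp", 443, 443, "0.0.0.0/0"),             # allowed: web-facing
                 ("tcp", 22, 22, "0.0.0.0/0"),               # refused: SSH to the world
                 ("tcp", 22, 22, "203.0.113.3"),             # host -> /32
                 ("tcp", 22, 22, "123.2.432.3"),             # refused: not a valid address
                 ("tcp", 8080, 8080, "978644442091/SecurityGroupA")]:
        rule, reason = check_rule(*args)
        print(args[3], "->", rule if rule else f"REFUSED: {reason}")
```

Normalising the source before the API call also avoids a subtle failure: EC2 stores rules by CIDR, so a later revoke that names the host address without /32 would not match the rule that was actually created.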

Keywords: open ip ports, aws instances, security group rules, aws management console, amazon ec2 security group, aws add rule

Resources

Using Security Groups on Amazon AWS

Understanding Amazon EC2 Security Groups and Firewalls

Check Dome9 to control and manage your ports on-demand

Recipe: Programmatically Creating and Updating AWS security groups
