Disclaimer

To continue reading means you accept the above disclaimer.

Thursday, December 4, 2014

ssh to amazon ec2 via security group

*** using ssh to connect to an amazon ec2 instance by adding inbound rules to the corresponding security group

For security reasons:
0. restrict the source IPs allowed to connect over ssh;
1. preferably generate the key pair on the client yourself, rather than generating it on the server and downloading it;
2. avoid copying the private key over the network

//===
MyIP: automatically detects the public IP address of the client computer from which you connect to the ec2 instance

MyIP gives the client's public IP address, not the server's ec2 elastic IP.
Since the administrator may connect to ec2 from many different locations,
MyIP is a convenient way to set up the security group rules.


//===
To allow ssh into ec2 with a different key pair,
you must

0. modify ~/.ssh/authorized_keys on the server side, adding the corresponding public key

1. have the corresponding private key on the client side,
* git bash
$ ssh -i priv.pem ...

* putty needs priv.ppk [puttyGen.exe can convert pem to ppk]
Connection --> Data --> auto login username: ubuntu / ec2-user
Connection --> SSH --> Auth --> Browse for location of ppk file
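An added example, not code from the original post, that puts the two points above into shell: one helper validates the client's public IPv4 address and turns it into the /32 CIDR that a MyIP-style ssh inbound rule uses, and the other installs a client-generated public key into authorized_keys without ever touching the private key. The security group id, the key line and the paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Needs only sh, awk and tr.
set -eu

# Turn the client's public IPv4 address (what the console's "MyIP" option
# fills in) into a /32 CIDR for the ssh inbound rule. Anything that is not a
# plain dotted quad is rejected, so a typo can never widen the rule.
ssh_source_cidr() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Install a public key that was generated on the client (the private key never
# leaves it) into authorized_keys: create the .ssh directory with the modes
# sshd's StrictModes requires, and append the key only if its type+blob is
# not already present, so re-running never duplicates entries.
add_authorized_key() {
  pubkey=$1 auth_file=$2
  sshdir=$(dirname "$auth_file")
  case "$pubkey" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
    *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$auth_file" && chmod 600 "$auth_file"
  keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
  if ! awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
    printf '%s\n' "$pubkey" >> "$auth_file"
  fi
}

# Intended use (sg-PLACEHOLDER is a placeholder; the aws call is not run here):
#   aws ec2 authorize-security-group-ingress --group-id sg-PLACEHOLDER \
#     --protocol tcp --port 22 --cidr "$(ssh_source_cidr 203.0.113.7)"
#   add_authorized_key "$(cat client_key.pub)" /home/ubuntu/.ssh/authorized_keys
```

The public key line passed to add_authorized_key is the contents of the .pub file produced on the client; only that line is copied to the server.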



//=== security group !== iptables

The security groups of amazon ec2 look a lot like iptables,
but

0. security groups are cross-instance (instance-independent)

1. every linux instance has its own iptables

2. security groups are not state-sensitive




//=== http://serverfault.com/questions/286665/why-have-both-security-groups-and-iptables-on-amazon-ec2
amazon

""" ...
I figured if anything Security Groups are just a fancy API for IPTables. It turns out they're running completely exclusively from what I can tell. Is there any reason to use both? One firewall should be plenty and adding another layer of complexity seems to be a headache just waiting to happen.

...
The security groups add no load to your server - they are processed externally, and block traffic to and from your server, independent of your server. This provides an excellent first line of defense that is much more resilient than one residing on your server.

...
However, security groups are not state-sensitive, you cannot have them respond automatically to an attack for instance. IPTables are well suited to more dynamic rules - either adapting to certain scenarios, or providing finer grained conditional control.

... think about the security group like a hardware firewall in a normal networking scenario.

I guess you wouldn't really have to use both unless you had a special scenario, for example: you have a security group called webservers that controls access to web servers. You want to block an IP from hitting port 80 on one of those servers but not all of them. So what you would want to do is go into iptables on that one server.

..."""
