Enhancing site security with new Lightsail firewall features
This post is contributed by Mike Coleman, AWS Senior Developer Advocate – Lightsail
Amazon Lightsail provides an easy way to get started with AWS for many customers. The service balances ease of use, security, and flexibility. The Lightsail firewall now offers additional features to help customers secure their Lightsail instances. This update offers three new capabilities:
- The ability to specify source IP addresses for firewall rules
- Explicitly allowing or disallowing remote access to instances via Lightsail’s web-based console
- Support for PING
This blog explores each of these new features in detail, starting with source IP addresses.
Before this update, any open ports in the Lightsail firewall were open to the internet. In many cases, this is a reasonable approach. For example, for new WordPress servers, you likely need broad public access.
However, in some cases you want to restrict access to an instance. If you are staging a new website and it’s not ready for publication, you may want to limit access. One way to ensure that only certain people can visit the site is to only allow certain IP addresses to connect.
Another common use case is limiting remote access to an instance. With the new changes to the Lightsail firewall, you would be able to limit SSH or RDP access by source IP address. Additionally, you can now enable or disable remote access via Lightsail’s built-in web client.
Access can be restricted from one or more IP addresses (for example, the IP address for your home computer) or a continuous range of IP addresses (such as the address range for your corporate network).
Next, I review how you configure these options to restrict remote access via SSH to a single source IP address.
Finding your IP address
Most computers do not have an internet routable IP address assigned. Internet routable IP addresses are scarce and usually assigned to your internet gateway device. The devices on the network are assigned private IP addresses. To communicate between the private IP network and the internet, the network router typically uses network address translation (NAT).
This tutorial assumes you are using NAT. This means the IP address used to restrict SSH access is the IP routable address of your network gateway device (usually your wireless router). Consequently, this limits access to all devices on the network behind this IP address.
There are many ways to find your internet routable IP address. You can log into your network gateway device and find it there (consult your device’s user manual for more details). Alternatively, use one of several public services to determine your IP address – search online for “what is my IP” to list several options.
Restricting SSH access to a single IP address
- Start by creating a new Lightsail instance – you can select any blueprint.
- Once the instance state shows Running, choose the name of the instance to open the Instance details page.
- Choose Networking from the menu.
- Scroll down to find the current firewall settings. Under Allow connections from, it lists Any IP address for all of the applications. To change this, choose the edit icon for the SSH rule.
- Check the box next to Restrict to IP address and enter your internet routable IP address under Source IP or range.
Note: The next section shows how to restrict access from Lightsail’s browser-based SSH client. Currently, Allow Lightsail browser SSH box is checked.
- Choose Save.
Now, SSH into your Lightsail instance from your local machine. You can learn more about how to connect to your Lightsail instance using SSH from our documentation.
You should be able to connect to your instance successfully. Next, you test the connection from a different IP address. You do this by restricting a different IP address, and attempting to connect again:
- Edit the SSH firewall rule again follows the instructions above. This time, under IP or IP Range enter
- Choose Save.
Attempt to connect to your instance once more. The connection fails because your IP address does not match an IP address in the range.
Restricting access from the Lightsail browser-based SSH client
The browser-based SSH client makes it easy to access instances without needing to manage SSH keys on locally. However, there may be cases where you must disable browser-based access.
To do this:
- Navigate to the firewall rules for the instance you created earlier.
- Choose the edit icon for the SSH rule.
- Uncheck the box next to Allow Lightsail browser SSH. Choose Save.
- From the menu, choose Connect, then choose Connect using SSH. The browser window opens, but you are not connected to the instance.
There is now support for PING, a command line utility used to check if a computer is reachable over the network. PING sends a packet to a remote computer, which sends a simple response back. Before this release, you could not PING Lightsail instances.
To activate this feature, add a firewall rule:
- Navigate to the networking page for your instance. <
- Under the firewall section, choose +Add rule.
- From the application list, choose PING (ICMP). Choose Save.
- From a terminal window on your local machine, send a ping command to your Lightsail instance’s IP address. You can find the IP address from the Connect tab of the instance details page or from instance card on the Lightsail home page.
ping -c 5 192.168.2.143
You see a response similar to:
<ping -c 5 192.168.2.143 PING 192.168.2.143 (192.168.2.143): 56 data bytes 64 bytes from 192.168.2.143: icmp_seq=0 ttl=54 time=19.383 ms 64 bytes from 192.168.2.143: icmp_seq=1 ttl=54 time=16.821 ms 64 bytes from 192.168.2.143: icmp_seq=2 ttl=54 time=16.363 ms 64 bytes from 192.168.2.143: icmp_seq=3 ttl=54 time=27.335 ms 64 bytes from 192.168.2.143: icmp_seq=4 ttl=54 time=19.429 ms --- 192.168.2.143 ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 16.363/19.866/27.335/3.943 ms
In this blog I covered how you can increase the security of your Lightsail instances by taking advantage of three new features: source IP restrictions, limiting access to the Lightsail browser SSH and RDP clients, and the addition of PING (ICMP) as an application type. These new features provide you an extra level of flexibility and security when deploying applications on Lightsail.