Netgate Discussion Forum

Amazon AWS Blocking

Firewalling
7 Posts 5 Posters 1.4k Views
  • M
    MaxBishop
    last edited by Aug 31, 2020, 9:02 PM

    I have 5 WAN-exposed ports on my firewall (SSH on non-standard ports). I restrict incoming traffic using pfBlocker. I also use Suricata to monitor traffic on the WAN and the LAN.

    I have noticed an increasing number of intrusion attempts from AWS EC2 sources. I have also noticed an increasing number of Suricata TLS events (invalid handshakes, invalid certificates, invalid traffic).

    I would like to block every Amazon AWS connection, outbound and inbound, at the firewall. We have no interest in anything provided by AWS servers. The address space for AWS IPs is enormous and I assume that blocking the CIDRs using pfBlocker would significantly impact performance.

    Is there a prudent way to block all outgoing and incoming traffic to and from Amazon AWS servers?

    • ?
      A Former User @MaxBishop
      posted Aug 31, 2020, 9:25 PM, last edited by A Former User Aug 31, 2020, 9:35 PM

      @MaxBishop You can block by ASN. Thing is if you block AWS a huge number of websites will not work. Guess you're ok with that? Lots of firewall rules will slow things some. What hardware do you have?

      • M
        MaxBishop
        last edited by Aug 31, 2020, 10:40 PM

        Hi,

        My system:
        4-core AMD Ryzen 3 (Typically 2-10% usage)
        8070 MiB (Typically 17% in use)

        I expect users to bark at me if I block the entire address space. Whitelisting any sites that are mission critical (and those sites that the big boss wants to visit) is my preliminary strategy.

        I now see your post from Dec 22, 2019 describing how to create aliases from ASNs. My research shows that the ASN of interest is 14618.

        If I have that right, I'll give it a whirl.

        • ?
          A Former User @MaxBishop
          posted Aug 31, 2020, 10:59 PM, last edited by A Former User Aug 31, 2020, 11:22 PM

          @MaxBishop
          **** Why not setup a vpn and allow users past the firewall that way and do away with the open ports? ****

          Amazon has lots of ASNs. https://bgp.he.net/ is a good tool to use for lookups. Just put Amazon in the search box. I see 15. I think, don't know, that they use address blocks as needed and any organization by ASN is long gone. It'll be hit or miss. Is the boss going on holiday? That would be a good time to have a go at it... ;)

          That hardware should be fine. pfSense manages large tables (aliases) pretty well (2.4.5 issue notwithstanding, and that's been fixed).

          I do wonder if this is much ado about nothing. Scans (script kiddies) are common. If you're up to date with your software they can bang away at the front door, they're not going to get in... Be sure the cure is not worse than the disease.

          If you know how, you could write a rule for Suricata that blocks any SSH traffic from IPs other than your trusted users...

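The kind of Suricata rule suggested above, written out as an added example for this thread (it is not a rule shipped by Suricata, pfSense or any poster here). The ports 2222 and 2223 stand in for the poster's non-standard SSH ports, and 203.0.113.10 and 198.51.100.0/24 stand in for the trusted users' addresses; all four are constructed documentation values that would be replaced with the real ones. `$HOME_NET` is Suricata's own address-group variable.

```suricata
# Added example, not a project rule. Constructed placeholders:
#   [2222,2223]                       -> the firewall's non-standard SSH ports
#   ![203.0.113.10,198.51.100.0/24]   -> anything NOT in the trusted-user list
# Matches only the first packet of a new inbound connection (SYN, to_server),
# so one hit per connection attempt rather than one per packet.
drop tcp ![203.0.113.10,198.51.100.0/24] any -> $HOME_NET [2222,2223] (msg:"SSH connection attempt from untrusted source"; flow:to_server; flags:S; classtype:attempted-recon; sid:9000001; rev:1;)
```

Two points for anyone trying this on pfSense: the `drop` action only drops packets when the Suricata interface runs in inline IPS mode; in the default legacy mode the rule fires as an alert and the source is blocked through the package's "block offenders" pf table instead. And since the rule is really just "reject SSH from everything except a known source list", the same policy is expressed more cheaply as the WAN firewall rule itself with an alias of trusted sources, which is what the later reply in this thread recommends; the IDS rule then serves as detection of attempts rather than as the primary control.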
          • S
            serbus
            last edited by Sep 1, 2020, 4:02 AM

            Hello!

            https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

            John

            Lex parsimoniae

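The link above points at the AWS-published `ip-ranges.json`, which is the authoritative list of AWS prefixes and avoids the ASN guesswork discussed earlier in the thread. The script below is an added example for this thread, not code from pfSense, pfBlockerNG or AWS. It parses a document in that file's layout (`prefixes[].ip_prefix`, `ipv6_prefixes[].ipv6_prefix`, `service`, `region`), filters by service and region, collapses the overlapping and adjacent prefixes (the `AMAZON` service is a superset that repeats the `EC2`, `CLOUDFRONT` and other entries, so collapsing noticeably shrinks the table), and emits one CIDR per line, the format a pfSense URL-table alias or pfBlockerNG custom list consumes. The embedded sample document is constructed from RFC 5737 / RFC 3849 documentation space, not real AWS ranges; `fetch_ip_ranges()` pulls the real file when run online.

```python
"""Build a CIDR alias list from an AWS ip-ranges.json document.

Added example (not pfSense / pfBlockerNG / AWS code). Assumes the JSON layout
of https://ip-ranges.amazonaws.com/ip-ranges.json; the sample below is
constructed and uses documentation address space.
"""
import ipaddress
import json
import urllib.request

AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of the real file. Note the deliberate overlap:
# the EC2 /25s sit inside the AMAZON /24 and /25s, as in the published data.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2020-08-31-21-02-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ipv6_prefix": "2001:db8:1::/64", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def fetch_ip_ranges(url=AWS_IP_RANGES_URL, timeout=10):
    """Download the live document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def select_prefixes(doc_text, services=("AMAZON",), regions=None):
    """Return ip_network objects for entries matching the service/region filter.

    services: case-insensitive service names (AMAZON covers everything).
    regions:  None for all regions, else an iterable of region names.
    """
    doc = json.loads(doc_text)
    wanted = {s.upper() for s in services}
    region_set = None if regions is None else set(regions)
    nets = []
    for key, list_name in (("ip_prefix", "prefixes"), ("ipv6_prefix", "ipv6_prefixes")):
        for entry in doc.get(list_name, []):
            if entry["service"].upper() not in wanted:
                continue
            if region_set is not None and entry["region"] not in region_set:
                continue
            nets.append(ipaddress.ip_network(entry[key], strict=False))
    return nets


def collapse(nets):
    """Merge adjacent prefixes and drop ones contained in a larger prefix.

    collapse_addresses() requires a single IP version, so v4 and v6 are
    handled separately and concatenated (v4 first, each group sorted).
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def address_count(nets):
    """Total number of addresses covered, a rough gauge of table size."""
    return sum(n.num_addresses for n in nets)


def build_alias(doc_text, services=("AMAZON",), regions=None):
    """Filtered and collapsed prefix list ready for an alias file."""
    return collapse(select_prefixes(doc_text, services, regions))


def alias_text(nets):
    """One CIDR per line: the format a pfSense URL-table alias reads."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_ip_ranges() for the real file.
    for label, svc in (("all services", ("AMAZON", "EC2", "CLOUDFRONT")), ("EC2 only", ("EC2",))):
        raw = select_prefixes(SAMPLE_IP_RANGES, services=svc)
        merged = collapse(raw)
        print(f"{label}: {len(raw)} raw entries -> {len(merged)} after collapse, "
              f"{address_count(merged)} addresses")
        print(alias_text(merged), end="")
```

On the live file the raw entry count runs into the thousands, which is why collapsing before loading the alias matters: pf evaluates a table lookup per packet, but the table's size is what the 2.4.5 table-size issue mentioned earlier was about. Filtering to `EC2` rather than `AMAZON` also answers the original poster's concern about breaking AWS-hosted websites: CloudFront and the other service ranges stay reachable while the EC2 address space, where the scanning sources live, is blocked.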
            • J
              johnpoz LAYER 8 Global Moderator
              posted Sep 1, 2020, 4:11 AM, last edited by johnpoz Sep 1, 2020, 4:19 AM

              @MaxBishop said in Amazon AWS Blocking:

              I would like to block every Amazon AWS connection, outbound and inbound

              You understand this is going to stop you from talking quite a bit of stuff on the internet.. Shit is not going to work that you prob want to work.. A lot of stuff is hosted on aws IPs..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • P
                pwood999
                posted Sep 9, 2020, 3:42 PM, last edited by pwood999 Sep 9, 2020, 3:43 PM

                If your SSH users are coming from specific IP ranges, then change the inbound SSH rule to only allow their IPs.

                Better still get remote users to connect via VPN first.

                You could also report the offending AWS IP to Amazon. It might be script kids using the free AWS trials ?

                Who's using AWS hosting

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.