AWS Systems Manager or AWS SSM to create a private Networking tunnel to resources in the private subnet

Pre-requisite

You need the AWS SSM agent installed on your laptop/desktop - documentation here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

AWS SSM: create a tunnel to a Linux instance in an AWS private subnet

1) Assume a role in the account

2) Get the instance ID you want to tunnel to

3) Start a session with AWS SSM agent

Sample commands for creating a tunnel from my PC/laptop localhost port 5222 to a port on the instance

# Using a variable, so easier to reuse the command

instance_id="i-Xxxxxx"


# Sample command for creating a tunnel to the instance on port 22 and my PC/laptop localhost on port 5222

aws ssm start-session --target ${instance_id} \
    --document-name AWS-StartPortForwardingSession \
    --parameters portNumber="22",localPortNumber="5222" \
    --region eu-west-2

After creating the tunnel to the instance, you still need a valid SSH key to SSH into the EC2 instance.

Via Session Manager in the console, you could add your public key to the instance's authorized_keys file; here is another website explaining that: https://www.ssh.com/academy/ssh/authorized-keys-file


Example using AWS SSM to create a private networking tunnel to use as remote desktop into a Windows instance in a private subnet

Sample command for creating a tunnel to the instance on port 3389 and my PC/laptop localhost on port 5222

Same steps 1) and 2) as above

3) Create the tunnel with the RDP port as a destination portNumber

# Using a variable, so easier to reuse the command

instance_id="i-Xxxxxx"


# Sample command for creating a tunnel to the instance on port 3389 and my PC/laptop localhost on port 5222

aws ssm start-session --target ${instance_id} \
    --document-name AWS-StartPortForwardingSession \
    --parameters portNumber="3389",localPortNumber="5222" \
    --region eu-west-2

Now, using your favourite remote desktop application, you can RDP to localhost:5222, which will be tunnelled into the Windows instance in the private subnet on port 3389.
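The two port-forwarding commands above (SSH on 22, RDP on 3389) wrapped in a small helper, as an added example that is not part of the original page: it validates the instance id and ports, launches the session without going through a shell, and waits until the local port actually accepts connections before handing off to ssh or an RDP client. It assumes the AWS CLI and the Session Manager plugin are installed locally and a role is already assumed in the current shell (steps 1 and 2 above); the instance id, ports and region in the `__main__` block are placeholders.

```python
"""Added example (not from the original page): helper around
`aws ssm start-session --document-name AWS-StartPortForwardingSession`."""
import re
import socket
import subprocess
import time

# EC2 instance ids are "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8}([0-9a-f]{9})?$")


def is_valid_instance_id(instance_id):
    return INSTANCE_ID_RE.match(instance_id) is not None


def build_port_forward_cmd(instance_id, remote_port, local_port, region):
    """Return the argv list for the same command the page runs.

    Inputs are validated and passed as an argv list (no shell), so a typo
    cannot turn into an extra shell word.
    """
    if not is_valid_instance_id(instance_id):
        raise ValueError("instance id does not look like i-xxxxxxxx: %r" % instance_id)
    remote_port, local_port = int(remote_port), int(local_port)
    for port in (remote_port, local_port):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return [
        "aws", "ssm", "start-session",
        "--target", instance_id,
        "--document-name", "AWS-StartPortForwardingSession",
        "--parameters", "portNumber=%d,localPortNumber=%d" % (remote_port, local_port),
        "--region", region,
    ]


def wait_for_local_port(port, timeout=15.0, host="127.0.0.1"):
    """Poll until something listens on host:port, or give up after `timeout` seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.5)
            if s.connect_ex((host, port)) == 0:
                return True
        time.sleep(0.25)
    return False


def open_tunnel(instance_id, remote_port, local_port, region):
    """Start the session in the background and return the process once the
    local port answers; the caller then connects to localhost:<local_port>."""
    proc = subprocess.Popen(build_port_forward_cmd(instance_id, remote_port, local_port, region))
    if not wait_for_local_port(local_port):
        proc.terminate()
        raise RuntimeError("tunnel did not come up on localhost:%d" % local_port)
    return proc


if __name__ == "__main__":
    # Placeholder values: replace with your own instance id, user and region.
    tunnel = open_tunnel("i-0123456789abcdef0", 22, 5222, "eu-west-2")
    try:
        subprocess.call(["ssh", "-p", "5222", "ec2-user@localhost"])
    finally:
        tunnel.terminate()
```

For the Windows case, call `open_tunnel(instance_id, 3389, 5222, region)` and point the RDP client at localhost:5222; the local port check is the same.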


Additional documentation

  • "Port Forwarding Using AWS System Manager Session Manager"

https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/

  • "... Tunnel through AWS Systems Manager to access my private VPC resources"

https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/


Linux Clam AntiVirus ClamAV

ClamAV

  • Runs on Amazon Linux, Red Hat Linux, Ubuntu, macOS, Raspberry Pi, ...

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.


Basic installation of ClamAV (Linux open source antivirus)

macOS - brew install clamav

Raspberry Pi / Ubuntu - apt-get install clamav

Amazon Linux, Red Hat, CentOS, Fedora - yum install clamav


Using ClamAV freshclam and clamscan

## update the antivirus signature database

freshclam -v


## run the antivirus scan -->> ATTENTION to the `--remove` flag, it deletes files!
##
## consider running the command first without the `--remove` flag.

sudo clamscan --infected --remove --recursive=yes .

Brief explanation

  • sudo - run the command as superuser (root)
  • clamscan - runs the ClamAV scanner
  • -v - run in verbose mode
  • --infected - only output infected files (unless you also specify verbose mode)
  • --remove - removes (deletes) the infected files it detects
  • --recursive=yes - also scan subdirectories

Official manual: use man freshclam or man clamscan for the official command line manual.
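The dry-run advice above (scan first, `--remove` later) as an added example that is not from the original page: a small Python wrapper that builds the clamscan command with `--remove` off by default and parses the `FOUND` lines and the scan summary into a report you can act on. The clamscan output embedded below is constructed sample text, not a real scan result; run the wrapper under sudo yourself if the target directory needs it.

```python
"""Added example (not from the original page): build and parse the page's
clamscan command.  SAMPLE_OUTPUT is constructed text, not a real scan."""
import re
import subprocess

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<signature>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)$")

SAMPLE_OUTPUT = """\
/home/user/downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/user/downloads/odd: name: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8612345
Engine version: 0.103.2
Scanned directories: 12
Scanned files: 345
Infected files: 2
Data scanned: 12.34 MB
Time: 5.123 sec (0 m 5 s)
"""


def scan_command(target, remove=False):
    """argv for the page's command; --remove is only added when explicitly requested."""
    cmd = ["clamscan", "--infected", "--recursive=yes", target]
    if remove:
        cmd.insert(1, "--remove")
    return cmd


def parse_clamscan(output):
    """Return {"infected": [(path, signature), ...], "summary": {key: int}}."""
    infected, summary = [], {}
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:  # greedy path group keeps colons that are part of the file name
            infected.append((m.group("path"), m.group("signature")))
            continue
        m = SUMMARY_RE.match(line)
        if m:  # only the integer summary lines (files, directories, viruses)
            summary[m.group("key")] = int(m.group("value"))
    return {"infected": infected, "summary": summary}


def run_scan(target, remove=False):
    """Run clamscan and parse it. Exit status: 0 clean, 1 infected files found, 2 error."""
    proc = subprocess.run(scan_command(target, remove), capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError("clamscan failed: %s" % proc.stderr.strip())
    return parse_clamscan(proc.stdout)


if __name__ == "__main__":
    import sys
    report = run_scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, signature in report["infected"]:
        print("%s\t%s" % (signature, path))
    print("infected files:", report["summary"].get("Infected files", 0))
```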

AWS VPC flow logs, CloudWatch Logs and CloudTrail logs filter examples

Official documentation - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html


Basic sample VPC flow logs filter

[version, account, eni, source, destination, srcport, destport="8000", protocol, packets, bytes, windowstart, windowend, action, flowlogstatus]


VPC flow logs example combining conditions with AND

[version, account, eni, source="185.2*", destination, (srcport!="80" && srcport!="443"), (destport!="80" && destport!="443"), protocol, packets, bytes, windowstart, windowend, action, flowlogstatus]


Basic expression operators

  • = -- EQUAL
  • != -- NOT EQUAL
  • < -- LESS THAN
  • > -- GREATER THAN
  • <= -- LESS THAN OR EQUAL
  • >= -- GREATER THAN OR EQUAL
  • && -- AND
  • || -- OR


CloudTrail logs filter examples

  • filter failed console logins (ConsoleLogin="Failure")

{ $.eventSource = "signin.amazonaws.com" && $.responseElements.ConsoleLogin = "Failure" }

  • exclude known IP addresses

{ ($.sourceIPAddress != "52.123.123.5") && ($.sourceIPAddress != "33.123.123.*") && ($.sourceIPAddress != "*.amazonaws.com") }

  • AWS login without using MFA

{ $.eventSource="signin.amazonaws.com" && $.additionalEventData.MFAUsed="No" }
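To try the flow-log and CloudTrail patterns above against sample events before deploying them, here is an added example that is not part of the original page: an offline evaluator for a subset of the CloudWatch Logs filter syntax. It supports both the space-delimited `[...]` form and the JSON `{ $.a.b = "x" }` form with the operators listed above and `*` wildcards in quoted strings. The subset, the rule that a missing JSON field never matches, and the lack of the `...` ellipsis term are this example's own simplifications; the flow-log record and console-login event are constructed.

```python
"""Added example (not from the original page): an offline evaluator for the two
CloudWatch Logs filter-pattern styles shown above.  Supported subset (this
example's assumption, not the full AWS syntax): = != < > <= >= && || and "*"
wildcards in quoted strings; missing JSON fields never match; "..." is unsupported."""
import operator
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||!=|<=|>=|=|<|>|"[^"]*"|[\w.$]+)')
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# Constructed sample VPC flow log record (not real traffic or account data).
SAMPLE_FLOW_LINE = ("2 123456789012 eni-0a1b2c3d 185.2.3.4 10.0.0.5 40000 8000 "
                    "6 10 840 1600000000 1600000060 ACCEPT OK")

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad pattern near %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def literal(tok):
    """Quoted values stay strings (wildcard-capable); bare numbers become floats."""
    return tok[1:-1] if tok.startswith('"') else float(tok)

def parse(tokens):
    """Recursive descent: or := and ('||' and)*; and := atom ('&&' atom)*."""
    def atom(i):
        if tokens[i] == "(":
            node, i = or_expr(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing )")
            return node, i + 1
        if i + 2 < len(tokens) and tokens[i + 1] in OPS:
            return ("cmp", tokens[i], tokens[i + 1], literal(tokens[i + 2])), i + 3
        return ("field", tokens[i]), i + 1      # bare positional name: matches any value
    def and_expr(i):
        node, i = atom(i)
        while i < len(tokens) and tokens[i] == "&&":
            rhs, i = atom(i + 1)
            node = ("and", node, rhs)
        return node, i
    def or_expr(i):
        node, i = and_expr(i)
        while i < len(tokens) and tokens[i] == "||":
            rhs, i = and_expr(i + 1)
            node = ("or", node, rhs)
        return node, i
    node, i = or_expr(0)
    if i != len(tokens):
        raise ValueError("unexpected token %r" % tokens[i])
    return node

def matches(node, lookup):
    kind = node[0]
    if kind == "field":
        return True
    if kind == "and":
        return matches(node[1], lookup) and matches(node[2], lookup)
    if kind == "or":
        return matches(node[1], lookup) or matches(node[2], lookup)
    _, name, op, want = node
    got = lookup(name)
    if got is None:                             # missing field never matches
        return False
    if isinstance(want, float):                 # numeric comparison
        try:
            return OPS[op](float(got), want)
        except (TypeError, ValueError):
            return False
    if op in ("=", "!=") and "*" in want:       # "*" wildcard string match
        hit = re.fullmatch(re.escape(want).replace(r"\*", ".*"), str(got)) is not None
        return hit if op == "=" else not hit
    return OPS[op](str(got), want)

def match_space_delimited(pattern, line):
    """[..] pattern against a space-delimited event such as a VPC flow log record."""
    # split on commas that are not inside a parenthesised group
    items = [tokenize(p) for p in re.split(r",(?![^(]*\))", pattern.strip()[1:-1])]
    values = line.split()
    if len(values) != len(items):
        return False
    names = [next(t for t in toks if t not in ("(", ")")) for toks in items]
    fields = dict(zip(names, values))
    return all(matches(parse(toks), fields.get) for toks in items)

def match_json(pattern, event):
    """{ .. } pattern against a CloudTrail-style event given as a dict."""
    def lookup(path):                           # "$.a.b" -> event["a"]["b"]
        node = event
        for key in path.lstrip("$").strip(".").split("."):
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        return node
    return matches(parse(tokenize(pattern.strip()[1:-1])), lookup)
```

Usage: `match_space_delimited(pattern, SAMPLE_FLOW_LINE)` with one of the `[...]` patterns above, or `match_json(pattern, event_dict)` with one of the `{ ... }` patterns; numeric comparisons such as `bytes>500` work on bare numbers, while quoted values such as `destport="8000"` compare as strings, matching how the page quotes them.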


Happy learning

Antonio Feijao UK

AWS CLI IAM roles and tokens

# Assume the role and turn the JSON credentials it returns into shell "export" lines
aws sts assume-role --role-arn arn:aws:iam::ACCOUNT-NUMBER:role/ROLE-NAME --role-session-name "RoleSession1" | \
sed 's/[," :]//g;s/AccessKeyId/export AWS_ACCESS_KEY_ID=/;s/SessionToken/export AWS_SECURITY_TOKEN=/;s/SecretAccessKey/export AWS_SECRET_ACCESS_KEY=/' | \
grep 'export' | \
tee credentials.properties
# Note: tee writes the temporary credentials to credentials.properties in plain text; load them into
# the current shell with "source credentials.properties". AWS_SECURITY_TOKEN is the legacy name of
# AWS_SESSION_TOKEN, the variable the AWS CLI documentation uses.

export AWS_ACCESS_KEY_ID=xxxxxxxxxxx
export AWS_SECURITY_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
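The same transformation done with a JSON parser instead of the sed pipeline, as an added example that is not from the original page: it reads the assume-role output, refuses credentials whose Expiration has already passed, shell-quotes the values, and writes credentials.properties with owner-only permissions. The assume-role output embedded below is a constructed sample with placeholder values, not real keys; the script name `sts_exports.py` in the usage comment is hypothetical.

```python
"""Added example (not from the original page): "export" lines from the JSON that
`aws sts assume-role` prints, with an expiry check and a 0600 credentials file."""
import json
import os
import shlex
import sys
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` JSON output (placeholder values, not real keys).
SAMPLE_ASSUME_ROLE_OUTPUT = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "EXAMPLEsecret/With+Slash=AndPlus",
        "SessionToken": "EXAMPLEtoken//////////wEaCXVzLWVhc3QtMSJGMEQCIEXAMPLE==",
        "Expiration": "2099-01-01T00:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:RoleSession1",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ROLE-NAME/RoleSession1"
    }
}"""


def parse_credentials(output):
    """Return (credentials dict, expiry as a timezone-aware datetime)."""
    creds = json.loads(output)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return creds, expiry


def seconds_remaining(output, now=None):
    """Seconds until the credentials expire (negative once they have)."""
    _, expiry = parse_credentials(output)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds()


def export_lines(output, now=None):
    """Shell lines equivalent to the page's sed output; values are shell-quoted."""
    if seconds_remaining(output, now) <= 0:
        raise ValueError("credentials already expired")
    creds, _ = parse_credentials(output)
    token = shlex.quote(creds["SessionToken"])
    return [
        "export AWS_ACCESS_KEY_ID=%s" % shlex.quote(creds["AccessKeyId"]),
        "export AWS_SECRET_ACCESS_KEY=%s" % shlex.quote(creds["SecretAccessKey"]),
        "export AWS_SESSION_TOKEN=%s" % token,   # name the AWS CLI documentation uses
        "export AWS_SECURITY_TOKEN=%s" % token,  # legacy name the page exports; kept for older tools
    ]


def write_properties(path, lines):
    """Write the file readable only by its owner (mode 0600 at creation)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    # usage: aws sts assume-role ... | python3 sts_exports.py && source credentials.properties
    lines = export_lines(sys.stdin.read())
    write_properties("credentials.properties", lines)
    print("\n".join(lines))
```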

Blocking advertising and pop-ups using the hosts file

Full script code file on GitHub: block-ads.sh

Note

Remember: do not execute or run what you do not understand; use at your own risk!

#!/bin/bash

#
# Version 2018-11-09 11:24
# Author #AntonioFeijaoUK
#
# Purpose:  Script to automate the update on /etc/hosts with entries about malicious or advertising domains sites,
#           so that my computer or DNS-Server resolves these domains to 0.0.0.0, therefore avoiding/blocking the connection.
#
# Result:   "Cleaner" web-pages, safer navigation, faster loading pages as the extra mess/ads will not download.
#
# Updates:
#   2019-02-06 - Updated clean up script  awk '{print $1}'
#


echo -e "\n\n ...initiating LIST var with list of URLs... \n\n"


LIST="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt"


#echo ${LIST}

echo -e "\n\n ...going through the list and curl the domains to block... \n\n"

COUNT=1

for URL in $(echo ${LIST}) ; do
  echo -e "\n\n ...curl URL -->  ${URL} ... \n\n"
  curl ${URL} --output "list_${COUNT}.txt"
  COUNT=$(( ${COUNT} + 1 ))
done


echo -e "\n\n ...aggregating and clearing up the lists, removing duplicates... \n\n"

cat -v list_* | grep -v ^# | grep -v ^$ | sed -e 's/\^M//g' | sed s/'127.0.0.1'//g | sed s/'0.0.0.0'//g |  awk '{print $1}' | sed 's/[[:blank:]]//g' | sort | uniq | sort > domains-list-to-block.txt



echo -e "\n\n ...adding 0.0.0.0 to the domains lists to protect from connection to the real IP... \n\n"

for DOMAIN in $(cat domains-lis
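The aggregation and clean-up stage of the script above (strip comments and blank lines, drop CR from CRLF files, remove the 127.0.0.1 / 0.0.0.0 prefixes, de-duplicate, prepend 0.0.0.0) rewritten as a testable function, as an added example that is not part of the original script. It goes a little beyond the shell pipeline in two places a practitioner would want: it validates that what is left is actually a hostname, and it skips loopback names such as localhost that appear in most published hosts files and must never be pointed at 0.0.0.0. The two list bodies below are constructed samples, not downloads from any of the URLs in the script.

```python
"""Added example (not from the original script): the hosts-list clean-up
stage as a function.  SAMPLE_LISTS is constructed input."""
import re
import sys

# Names found in many published hosts files that must keep resolving normally.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0",
              "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# At least one label plus a TLD; labels of letters, digits, "_" and "-".
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")
# Prefixes used by hosts-file style lists; bare-domain lists have no prefix.
HOSTS_FILE_IPS = ("0.0.0.0", "127.0.0.1", "::1")

SAMPLE_LISTS = [
    "# hosts-file style list with CRLF line endings (constructed)\r\n"
    "127.0.0.1 localhost\r\n"
    "0.0.0.0 ads.example.com\r\n"
    "0.0.0.0\ttracker.example.net # trailing comment\r\n",
    "# bare domain list (constructed)\n"
    "ads.example.com\n"
    "Malware.Example.ORG\n"
    "\n"
    "not a domain!\n",
]


def extract_domains(text):
    """Yield the block-target domain from each usable line of one list."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments, CR and surrounding blanks
        if not line:
            continue
        parts = line.split()
        # hosts-file form "<ip> <name> [<name>...]" or bare form "<name>"
        names = parts[1:] if parts[0] in HOSTS_FILE_IPS else parts[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or not HOSTNAME_RE.match(name):
                continue
            yield name


def build_hosts_entries(lists, sink="0.0.0.0"):
    """Sorted, de-duplicated "<sink> <domain>" lines ready for /etc/hosts."""
    domains = set()
    for text in lists:
        domains.update(extract_domains(text))
    return ["%s %s" % (sink, d) for d in sorted(domains)]


if __name__ == "__main__":
    # usage: python3 clean_hosts.py list_1.txt list_2.txt ... > domains-list-to-block.txt
    bodies = [open(path, encoding="utf-8", errors="replace").read() for path in sys.argv[1:]]
    print("\n".join(build_hosts_entries(bodies or SAMPLE_LISTS)))
```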