It’s good policy to keep your security policies as restrictive as possible. With respect to EC2 security groups, this means keeping port 22 closed. Of course this makes it much harder for you to get access to your machine when you need to do work on it. You can use complicated schemes like port knocking or ssh tunneling through another machine, but it’s always a pain to set up and maintain those schemes.
Portalign is a rubygem designed to alleviate this pain by aligning your EC2 security group(s) with your current IP address. This allows you to keep your ports 99.999% closed, while leaving them open for the only IP address that matters: where you are right now. Align the port, do your work, release the port. Easy and secure.
- gem install portalign
- create a .portalign.yml file in your current project with your AWS credentials and the security group.
- ssh me@myserver (do what you need to on the server)
- portalign -d (to remove the authorization when you’re done)
```sh
gem install portalign
```
The preferred configuration method is a .portalign.yml file. Portalign looks for one in $HOME/.portalign.yml and in $PWD/.portalign.yml. Any settings found in the current directory override those in the $HOME file. So, if you have multiple projects with different security groups, you can set your AWS credentials once (in $HOME/.portalign.yml) and put the project-specific security groups in a configuration file in each project directory.
```yaml
access_key_id: "acb1234"
secret_access_key: "1234abc"
security_groups:
  - "mygroup"
  - "othergroup"
ports:
  - 22
  - 8080
  - 10000
```
Note: As you’re probably aware, your AWS credentials are the keys to the kingdom. It’s a good idea to restrict and protect the .portalign.yml file as you would a private key. chmod 600 is a good start.
- access_key_id – AWS access key
- secret_access_key – AWS secret access key
- security_groups – A list of EC2 security groups (by name, not id)
- ports – A list of ports to open (defaults to 22)
- protocol – The protocol (tcp, udp, icmp), defaults to tcp
To add your current IP to the security group:
To add 0.0.0.0/0 (wide open, allow any IP) to the security group:
To remove your current IP (and 0.0.0.0/0) from the security group:
You can also specify many configuration options on the command line. Those specified on the command line will override anything from a config file.
```sh
portalign --access-key-id=abc123 --secret-access-key=123abc --ports=22,80 --security-groups=mygroup,othergroup
```
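The layering described above (defaults, then $HOME/.portalign.yml, then $PWD/.portalign.yml, then command-line flags) and the translation of the result into per-port ingress rules for a single-host CIDR can be shown in a few lines of Ruby. The following is an added example written for this page, not Portalign's own code: the two YAML documents are constructed stand-ins for the two config files, the `cli_overrides` flag names mirror the command-line options shown above, and the shape of the permission hashes is an assumption about what an EC2 `authorize_security_group_ingress` call expects; nothing here talks to AWS.

```ruby
require 'yaml'
require 'ipaddr'

# Constructed sample contents standing in for $HOME/.portalign.yml and
# $PWD/.portalign.yml (hypothetical, not files read from disk).
HOME_CONFIG = <<~YAML
  access_key_id: "acb1234"
  secret_access_key: "1234abc"
  ports:
    - 22
YAML

PROJECT_CONFIG = <<~YAML
  security_groups:
    - "mygroup"
    - "othergroup"
  ports:
    - 22
    - 8080
YAML

# Defaults from the option list: port 22, protocol tcp.
DEFAULTS = { 'ports' => [22], 'protocol' => 'tcp' }.freeze

# Parse one YAML document into a Hash; an empty or non-mapping file yields {}.
def parse_config(text)
  data = YAML.safe_load(text.to_s)
  data.is_a?(Hash) ? data : {}
end

# Convert the comma-separated command-line forms (--ports=22,80,
# --security-groups=a,b) into the same types the YAML layer produces.
def cli_overrides(opts)
  out = {}
  out['ports'] = opts['ports'].split(',').map { |p| Integer(p) } if opts['ports']
  out['security_groups'] = opts['security_groups'].split(',') if opts['security_groups']
  %w[access_key_id secret_access_key protocol].each { |k| out[k] = opts[k] if opts[k] }
  out
end

# Precedence: defaults < $HOME file < $PWD file < command line.
# Each later layer overrides earlier ones key by key (a list replaces the
# earlier list; it is not appended to it).
def merge_config(home_yaml, project_yaml, cli = {})
  [parse_config(home_yaml), parse_config(project_yaml), cli]
    .reduce(DEFAULTS.dup) { |acc, layer| acc.merge(layer) }
end

# Turn the caller's public IPv4 address into a single-host /32 CIDR block,
# which is what keeps the rule scoped to "where you are right now".
def host_cidr(ip)
  addr = IPAddr.new(ip)
  raise ArgumentError, "expected an IPv4 address, got #{ip}" unless addr.ipv4?
  "#{addr}/32"
end

# One ingress permission per configured port, restricted to the given CIDR.
# Hash shape is an assumption about the aws-sdk-ec2 ip_permissions argument.
def ingress_permissions(config, cidr)
  Array(config['ports']).map do |port|
    { ip_protocol: config['protocol'], from_port: port, to_port: port,
      ip_ranges: [{ cidr_ip: cidr }] }
  end
end

if $PROGRAM_NAME == __FILE__
  cfg = merge_config(HOME_CONFIG, PROJECT_CONFIG, cli_overrides('ports' => '22,80'))
  puts cfg.inspect
  ingress_permissions(cfg, host_cidr('203.0.113.7')).each { |p| puts p.inspect }
end
```

Note that the merge is shallow and list-valued keys replace rather than combine: a project file or `--ports` flag that names only port 80 drops port 22 from the rule set, which is the behaviour you want when the goal is to open as little as possible.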