On-demand Opening of SSH Ports on AWS
Update: The script has been amended to support IPv6 as well and will allow access coming from your public IPv4 and IPv6 address simultaneously. I will also use CIDR notation for letting both addresses in, which is optional for IPv4 but mandatory for IPv6.
While other cloud providers usually force you to leave SSH open, restrict access with your own firewalls, or set up IP ranges from which access is possible, AWS has the major advantage of security groups1. You can stop any traffic dead in its tracks before your server has to deal with it.
You can configure Security Groups in a few ways:
- Through the AWS web interface.
- With the AWS CLI command-line interface.
- Not at all.
Some people just leave their SSH port open. This is arguably ok with public key authentication in place, but being able to prevent automated login attempts from around the world gives you peace of mind. You can also restrict access to your static IP or IP ranges, but people on ISPs with dynamically changing IP addresses are out of luck.
Pre-requisite: Install the AWS CLI
The AWS-CLI website has information on how to install the CLI, with most Linux distros having packages for it for an easy install. On macOS, you can go the Homebrew route.
If you haven’t already done so, install Homebrew. Homebrew is a package manager for all the developey things your Mac lacks—which is usually not much compared to Windows, but still a lot for a developer to be sad. Use Homebrew and its version of Python.
Make sure you know what this command does, refer to the Homebrew website.
Now we install Python and the AWS CLI.
I’m using a script to connect to my AWS instances. The script will open an SSH port in the associated Security Group, connect me via SSH, and when the connection ends or disconnects, remove that rule again, closing access to the instance off.
Here’s the script
You only need to modify the
instancehost: Hostname or IP address of your AWS instance.
sshuser: The local user name you’re using to login via SSH.
sshport: The SSH port, default is 22.
sshidentity: The path to the private key used for connecting to your AWS instance.
securitygroup: The Security Group identifier.
region: Your AWS region (since you can have instances in multiple regions).
Note: To get the current IP address programmatically, I’m using https://www.ipify.org. By default, they will simply output your current IP address as plain text. There are more options, so please have a look at their site. Their traffic is encrypted.
Make the script executable:
Now, simply execute the script to open a SSH shell to your instance:
AWS Security Groups are virtual firewalls, not only giving you fine-grained control over external access to your instances, but also isolating your instances from each other if needed. Great great great. ↩︎
Feel free to reach out via email for comments or discussion on this article.