How to get alerts for SSH / OpenVPN logins on AWS EC2 or any other debian/ubuntu based servers

This blog post is specifically for AWS EC2 but the same concepts can be used in any Ubuntu based environments.

This is part of my personal effort to enhance the cyber-security of my own startup – ALight Technology And Services Limited and ALight Technologies USA Inc. I am using a multi-cloud environment for additional security: I have workloads in Azure and AWS, and Azure holds the more important ones. I am trying to come up with a plan where, if an attacker compromises one of the accounts, the critical workload in Azure should still not be accessible. This is much like creating multiple layers of security; in other words, multi-MFA account security with various multi-factor authentication methods.

At least during the locked-down period, the multi-MFA account security level would enhance security. During a maintenance window this level of security wouldn't be possible, so I am planning monitoring, alerts and automatic mitigations if abnormal activity is detected during maintenance windows based on logs and metrics, and even automatic terminations for any higher level of abnormal activity: almost a self-developed, zero-trust intrusion detection and prevention system.

Here are several related blog posts:

The spy-attackers-toes (I think the extremist division of R&AW, the spying organization of my own country, India) = terrorist odour can at most take screenshots but cannot directly access the servers. This is one man's effort against an army of anonymous spy-hackers. Shame on the bribery/extortion/ransom takers. Sugarified word – taking – harsh reality = extortion/ransom; instead they could have opted to ask for help.

In AWS, configure an SNS topic to send alerts by e-mail and/or SMS. Add the e-mail addresses and phone numbers as subscriptions to the topic and confirm each subscription.

Create an IAM role for use with EC2 instances and attach a policy that allows sns:Publish on that SNS topic.

When launching the EC2 instance, associate the IAM role that has permission to publish to the topic.

Install the AWS CLI:

sudo apt install awscli

Create a script, for example /var/LoginAlert/LoginAlert.sh:

#!/bin/bash
# Publish a fixed message to the SNS topic.
aws sns publish --topic-arn <ARN_OF_SNS_TOPIC> --message "User Logged In!" --region <AWS_REGION>
# Always exit 0 so a failed publish never blocks the login or VPN connection.
exit 0

Replace <ARN_OF_SNS_TOPIC> and <AWS_REGION> with the ARN and region of your SNS topic.

Instead of "aws sns publish", the script can run any other executable: custom code that writes to a database for audit purposes, or an alert through other channels such as Slack, for example a curl request to the Slack API.

https://api.slack.com/tutorials/tracks/posting-messages-with-curl

Give execute permissions on the script:

sudo chmod +x /var/LoginAlert/LoginAlert.sh

Edit the file /etc/profile:

sudo nano /etc/profile

Add the following line:

/var/LoginAlert/LoginAlert.sh

Now reboot and log in again; you should receive an alert.

For OpenVPN we can use the same script. Edit server.conf, usually found under /etc/openvpn or /etc/openvpn/server, and add the following lines:

client-connect "/var/LoginAlert/LoginAlert.sh"
script-security 2

Now connect to your VPN instance; you should receive an alert.
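As an added example, written for this edit and not the post's original script, here is a richer version of the hook that serves both the /etc/profile (SSH) step and the OpenVPN client-connect step above. It keeps the same "aws sns publish" call but fills the message with who logged in, from where and through which path, and it falls back to syslog so a login is never blocked when SNS is unreachable. The variables LOGIN_ALERT_TOPIC_ARN and LOGIN_ALERT_REGION, the ALERT_HOST/ALERT_TIME overrides and the file /etc/default/login-alert are assumptions of this example; common_name and trusted_ip are what OpenVPN exports to client-connect scripts, and PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TYPE are what pam_exec exports.

```shell
#!/bin/bash
# Added example (not the post's original /var/LoginAlert/LoginAlert.sh).
# Assumed (hypothetical): the topic ARN and region are exported as
# LOGIN_ALERT_TOPIC_ARN and LOGIN_ALERT_REGION, e.g. from /etc/default/login-alert.

# build_alert_message: one line describing the login, built from whatever the
# calling context exports. Three contexts are recognised:
#   - OpenVPN client-connect: common_name, trusted_ip
#   - PAM pam_exec (e.g. a session line in /etc/pam.d/sshd): PAM_USER, PAM_RHOST
#   - a login shell started by sshd (/etc/profile): USER, SSH_CONNECTION
# ALERT_HOST and ALERT_TIME may be preset to make the output reproducible.
build_alert_message() {
    local kind="login" who="unknown" origin="unknown"
    if [ -n "${common_name:-}" ]; then
        kind="openvpn"
        who="$common_name"
        origin="${trusted_ip:-unknown}"
    elif [ -n "${PAM_USER:-}" ]; then
        kind="pam/${PAM_SERVICE:-unknown}"
        who="$PAM_USER"
        origin="${PAM_RHOST:-local}"
    elif [ -n "${SSH_CONNECTION:-}" ]; then
        kind="ssh"
        who="${USER:-$(id -un)}"
        # SSH_CONNECTION is "client_ip client_port server_ip server_port"
        origin="${SSH_CONNECTION%% *}"
    else
        who="${USER:-$(id -un)}"
        origin="local"
    fi
    printf '%s login on %s: user=%s from=%s at %s' \
        "$kind" "${ALERT_HOST:-$(hostname)}" "$who" "$origin" \
        "${ALERT_TIME:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
}

# send_alert MESSAGE: publish to SNS when configured, otherwise write to syslog.
# Returns 0 in every case: a login hook must never fail the login.
send_alert() {
    local msg="$1"
    if [ -n "${LOGIN_ALERT_TOPIC_ARN:-}" ] && command -v aws >/dev/null 2>&1; then
        aws sns publish \
            --topic-arn "$LOGIN_ALERT_TOPIC_ARN" \
            --region "${LOGIN_ALERT_REGION:-us-east-1}" \
            --subject "Login alert" \
            --message "$msg" >/dev/null 2>&1 \
            && return 0
    fi
    # Fallback keeps a local record in syslog/journald even when SNS is unreachable.
    logger -t login-alert -- "$msg" 2>/dev/null
    return 0
}

# Run the hook only when invoked as the script itself (from /etc/profile,
# pam_exec or OpenVPN's client-connect); under any other file name the
# functions are merely defined, which keeps the file testable.
case "$0" in
    */LoginAlert.sh|LoginAlert.sh)
        # pam_exec runs session hooks for both open and close; alert once.
        if [ "${PAM_TYPE:-}" = "close_session" ]; then
            exit 0
        fi
        send_alert "$(build_alert_message)"
        exit 0
        ;;
esac
```

Install it at /var/LoginAlert/LoginAlert.sh with the same chmod as above and it works unchanged from both the /etc/profile line and the OpenVPN client-connect line. Two practical notes: /etc/profile is only read by login shells, so a session started as "ssh host command" does not run it, whereas a PAM session hook such as "session optional pam_exec.so seteuid /var/LoginAlert/LoginAlert.sh" in /etc/pam.d/sshd fires for every SSH session, which is why the script also understands PAM_USER and PAM_RHOST; and a non-zero exit from an OpenVPN client-connect script rejects the client, so the script returns 0 on every path.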

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc
