Using Fail2Ban with Greengrass Secure Tunnel Component

Question

We would like to secure our edge devices with Fail2Ban, https://github.com/fail2ban/fail2ban, without blocking the AWS Greengrass V2 Component for Secure Tunnel. Is there any guidance as to how to configure our fail2ban to not block the secure tunnel ?

Accepted Answer

I am not aware of such guidance, and didn't find any in a quick search - which might be an indication that it doesn't exist. 
Generally speaking, [Secure tunneling](https://docs.aws.amazon.com/greengrass/v2/developerguide/secure-tunneling-component.html) uses a client/device-initiated tunneling, which means that you don't need any inbound ports open as long as established connections are allowed. See also [here](https://docs.aws.amazon.com/iot/latest/developerguide/how-secure-tunneling-works.html) for more details. That being said, fail2ban should not block those as long as it's only applied on inbound connections. Also, if you don't require any inbound connections, I would recommend to not open any inbound port, but only allow the outbound plus established / related connections.

Using Fail2Ban with Greengrass Secure Tunnel Component

相关内容