How can we block IP in Security Group where we allowed icmp,http,https to all, should not block in vpc also implement role to instance any other solution

0

I am having one web server, particular ip is hitting contiously due to which CPU utilization is more and server is running down time. wants to block the ip in Security Group which is not possible, Iam role and policy but not getting blocked { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "", "Resource": "", "Condition": { "IpAddress": { "aws:SourceIp": "xxxx/32" }, "StringEquals": { "aws:SourceVpc": "vpc-xxxx2ee5fa" } } } ] } Not working with above policy also. also we need icmp,http,https to 0.0.0.0/0

已提问 3 个月前130 查看次数
2 回答
1
已接受的回答

According to me the solution for this is to connect to the EC2 instance and drop the ip using the command #Check for IP tables

sudo iptables -A INPUT -s <IP-ADDRESS-TO-BLOCK> -j DROP

sudo service iptables save

Block an IP using firewalld

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<IP-ADDRESS-TO-BLOCK>" drop' sudo firewall-cmd --reload

by following above steps we have block the IP tail -f /var/log/httpd/access_log # to check ip status

But if in the security group if AWS allows us to Drop an option in a custom where we can give the required ip i will be easier but this option we cant find.

已回答 3 个月前
profile picture
专家
已审核 2 个月前
0

create a rule in your Network Access Control List to deny traffic from that IP

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

已回答 3 个月前
  • Thank you. But If we create NACL rule it will be denied for all the instances in that network. Even we cant login to the ec2 tried this solution

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则