2 IP Addresses, Ports, and Security in Networking
At the heart of the Internet is TCP (Transmission Control Protocol), the rules governing how data is sent and received. Imagine TCP as the postal system of the digital world. It ensures that the data, like letters in the mail, reaches its intended destination efficiently and reliably.
When you access a website, you send an HTTP (Hypertext Transfer Protocol) request through the TCP/IP system. This is akin to sending a letter through the postal service. HTTP operates on top of TCP/IP and is the protocol used for transmitting web pages over the Internet. When you visit a website, your browser sends HTTP requests to the server hosting the site. The server, running NGINX on port 443, then processes these requests and sends back the appropriate HTTP responses, such as web pages, images, or other data types.
Understanding IP Addresses
The traceroute command is used to determine the pathway to another computer. On its way to the final destination, it returns the IP addresses of the routers your connection traverses. Asterisks often mean that firewall rules at that data center block the replies for that hop. Sometimes, as in this case, you never receive a result for the final destination, but it is still evident that a physical packet reached China. Wherever information lives, whether partitioned on a local network, spread across geographical areas, or even on the same computer, IP addresses are the addresses used to deliver and manage packets between networks.
traceroute to baidu.com (110.242.68.66), 64 hops max
1 172.16.224.1 3.120ms 2.035ms 21.729ms
...
7 4.26.2.162 254.604ms 255.189ms 233.560ms # Los Angeles
8 219.158.6.38 280.127ms 254.491ms 254.051ms # Beijing
...
14 221.194.45.130 307.083ms 287.268ms 287.084ms # Baoding
15 * * *
...
38 * * *
...
Understanding Security Groups
AWS Security Groups serve as virtual firewalls for your EC2 instances, controlling both inbound and outbound traffic. When setting up rules in a security group, you specify the allowed (or denied) IP addresses and the ports on which traffic can enter or leave the instance. IP addresses in security groups are specified using CIDR (Classless Inter-Domain Routing) notation, which combines an IP address with a prefix size. To allow traffic from a specific IP address, you use the /32 suffix (e.g., 192.168.1.1/32). This notation indicates a single IP address is targeted. To allow traffic from any IP address, you use 0.0.0.0/0. This is a broad specification and should be used cautiously, especially for sensitive ports like SSH (22) or RDP (3389). Alongside the IP address, you also specify the port number. This defines which application or service the rule applies to. You can specify a single port (e.g., 80 for HTTP) or a range of ports if your application requires multiple ports to operate.
| Scenario | Type | Protocol | Port Range | Source |
|---|---|---|---|---|
| Specific IP Access | SSH | TCP | 22 | [Your Office IP]/32 |
| Open Web Server Access | HTTP | TCP | 443 | 0.0.0.0/0 |
Considerations
Apply the principle of least privilege. Only open necessary ports, and only to necessary IPs. This is good practice both for port exposure and for AWS IAM policies. Be cautious with 0.0.0.0/0, especially for sensitive services: it opens the port to the entire internet, which can pose significant security risks. In AWS Security Groups, selecting the right combination of IP addresses balances accessibility and security. The /32 notation allows for targeted access control, while 0.0.0.0/0 provides full access.
It is also possible to manage IP address safe-listing in an NGINX configuration. In this case, you may have locations behind a port on your server that you want to allow to everyone (such as example.io and console.example.io) while restricting others (such as example.io/rstudio) to specific addresses. This is managed using allow and deny all directives in an NGINX location or server block.
Externally Available Ports
❯ nmap ndexr.io
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-10 08:59 MST
Nmap scan report for ndexr.io (3.130.103.243)
Host is up (0.048s latency).
rDNS record for 3.130.103.243: ec2-3-130-103-243.us-east-2.compute.amazonaws.com
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.85 seconds
Internally Available Ports
ubuntu@ip-172-31-45-224:~$ netstat -tuln | grep 'tcp '
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:20000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9047 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9020 0.0.0.0:* LISTEN
ubuntu@ip-172-31-45-224:~/ec2manager$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1bad5793dd74 gateway-dev-nginx "/docker-entrypoint.…" 17 hours ago Up 17 hours gateway-dev-nginx-1
afa34a4079ad gateway-dev-s3backup "/start.sh " 17 hours ago Up 17 hours gateway-dev-s3backup-1
47e770c1bb67 gateway-dev-volumerize "/sbin/tini -- /opt/…" 17 hours ago Up 17 hours gateway-dev-volumerize-1
fe482a000b6e grafana/grafana:6.7.2 "/run.sh" 17 hours ago Up 17 hours 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp grafana
631196d28eb9 ndexr-dev-console "R -e 'Sys.setenv(LI…" 45 hours ago Up 45 hours 8787/tcp, 0.0.0.0:9047->8000/tcp, :::9047->8000/tcp ndexr-dev-console-1
8c7b8f9c4ee4 ndexr-dev-homepage "R -e options(ndexr_…" 45 hours ago Up 45 hours 8787/tcp, 0.0.0.0:9017->8000/tcp, :::9017->8000/tcp ndexr-dev-homepage-1
4c54d561fd4b ndexr-dev-postgres "docker-entrypoint.s…" 45 hours ago Up 45 hours 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp ndexr-dev-postgres-1
e915efa8acf4 classcadet-dev-homepage "R -e options(ndexr_…" 5 weeks ago Up 4 days 8787/tcp, 0.0.0.0:9020->8000/tcp, :::9020->8000/tcp classcadet-dev-homepage-1
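The netstat output above lists every listener on the host, while the nmap scan shows only what the security group lets through from the internet. The following added audit script (not part of the original page) cross-checks the two: it reads constructed copies of those lines and sorts each port into loopback-only, reachable from outside as intended, reachable from outside unexpectedly, or bound to all interfaces with only the security group standing between it and the internet. The intended public set is an assumption.

```python
import re

# Constructed sample input, copied from the netstat and nmap output above.
NETSTAT_OUTPUT = """\
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN
"""
NMAP_OUTPUT = """\
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
"""

def parse_listeners(netstat_text):
    """Map each TCP LISTEN port to the address it is bound on."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)
            listeners[int(port)] = addr
    return listeners

def parse_nmap_open(nmap_text):
    """Set of TCP ports nmap reported as open from outside."""
    return {int(m) for m in re.findall(r"^(\d+)/tcp\s+open", nmap_text, re.M)}

def audit(listeners, open_outside, intended_public):
    """Sort listeners into the buckets a security-group review cares about."""
    report = {"public_ok": [], "sg_only": [], "loopback": [],
              "unexpected_public": [], "open_without_listener": []}
    for port, addr in sorted(listeners.items()):
        if addr.startswith("127."):
            report["loopback"].append(port)   # reachable only from the host itself
        elif port not in open_outside:
            report["sg_only"].append(port)    # bound on 0.0.0.0; only the SG blocks it
        elif port in intended_public:
            report["public_ok"].append(port)
        else:
            report["unexpected_public"].append(port)
    for port in sorted(open_outside):
        if listeners.get(port, "127.").startswith("127."):
            report["open_without_listener"].append(port)  # answers outside, no 0.0.0.0 bind
    return report

if __name__ == "__main__":
    r = audit(parse_listeners(NETSTAT_OUTPUT), parse_nmap_open(NMAP_OUTPUT), {443})
    for bucket, ports in r.items():
        print(f"{bucket:22s} {ports}")
```

Ports in the sg_only bucket (here Postgres on 5432 and RStudio on 8787) are one permissive security-group rule away from the internet; binding them to 127.0.0.1 or a Docker-internal network removes that dependency.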
Hosted Zones in DNS Management and Route 53
You can purchase a domain using the Route 53 service. Once you own your domain, you will have a hosted zone, which is where you publish your IP in the global DNS using A and CNAME records. An A record links a domain to the IP address of the server hosting the domain's content, so that users who type in the domain name are directed to the correct server. CNAME records, on the other hand, link one domain name to another, which is especially useful for managing subdomains. An important point is that you can match multiple domains to a single server, and subdomains are free.
A hosted zone is a fundamental concept in DNS management, acting as a lookup table of routing information for a domain and its subdomains. It includes records that determine where internet traffic is directed. There are two main types of hosted zones: Public Hosted Zones for domains accessible over the internet, and Private Hosted Zones for domains accessible only within specific networks. You can build the equivalent of a private zone on your own local network using dnsmasq, your home router, and a dedicated machine such as a Raspberry Pi, desktop, or other computer connected to your network.
When using Amazon Route 53 for domain management, the process starts with registering a new domain or transferring an existing one to Route 53. This involves setting up a hosted zone for the domain. This zone will contain DNS records such as A Records, which link domains to their server’s IP addresses, and CNAME Records, which are used for associating a domain with another domain name, particularly useful for managing subdomains.
Route 53 allows for the management of multiple domains and subdomains within the same hosted zone. This enables pointing multiple domains to a single server and creating and managing subdomains for free, each potentially pointing to a different IP address or managed through CNAME records. With NGINX running on your server, you can map different domains to different ports on the same computer. For example, ndexr.io and console.ndexr.io run on the exact same machine, but once the HTTP request arrives at the server, NGINX reads which domain was requested and routes it internally. I also have classcadet.com connected to the same IP as ndexr.io and console.ndexr.io, so you can even run multiple separate businesses with entirely different domains on the same server.
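The following added configuration is an illustration, not the site's real NGINX setup. It shows both ideas from this chapter in one place: one NGINX instance answering for several domains on the same EC2 host (the server_name routing just described), and the allow/deny safe-listing of a single location (the /rstudio case mentioned under Considerations). The container ports are taken from the docker output above; the mapping of domain to port and the 203.0.113.10 office address are placeholders.

```nginx
# Added example, not the page's own configuration. One host, three domains:
# NGINX picks the server block by the Host header, then proxies to the
# container port seen in `docker container ls` above (ports are assumed).
server {
    listen 443 ssl;
    server_name ndexr.io;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        proxy_pass http://127.0.0.1:9017;    # ndexr-dev-homepage
    }

    # Safe-listed location: only the office address reaches RStudio,
    # everyone else gets 403 even though the port is open to NGINX.
    location /rstudio/ {
        allow 203.0.113.10/32;               # placeholder for [Your Office IP]
        deny all;
        proxy_pass http://127.0.0.1:8787/;   # RStudio listener from netstat
    }
}

server {
    listen 443 ssl;
    server_name console.ndexr.io;
    location / { proxy_pass http://127.0.0.1:9047; }   # ndexr-dev-console
}

server {
    listen 443 ssl;
    server_name classcadet.com;
    location / { proxy_pass http://127.0.0.1:9020; }   # classcadet-dev-homepage
}
```

Because allow/deny is evaluated before the request is proxied, the RStudio container never sees traffic from non-listed addresses; run `nginx -t` after editing and check the error log for the 403 entries to confirm the rule is doing its job.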
Validating a DNS Record
The command dig performs a DNS query. DNS is the Internet’s phone book and translates human-readable domain names into IP addresses. One important thing to know is that an IP address can have multiple associated domains, but a domain, generally with some exceptions, resolves to one IP.
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ndexr.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43940
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ndexr.io. IN A
;; ANSWER SECTION:
ndexr.io. 300 IN A 3.130.103.243
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Nov 27 20:53:11 UTC 2023
;; MSG SIZE rcvd: 53
The ANSWER SECTION in the output shows ndexr.io. 300 IN A 3.130.103.243. This means the domain ndexr.io resolves to the IP address 3.130.103.243. In AWS this IP matches the elastic IP set for my EC2 server, also known as the Public IP. In computer networking and application development, you match domains with IP addresses. Generally speaking, you do not care if you have the IP `3.130.103.243` or `192.168.0.68`, but you do care about your domain.
Once the IP address is determined through the DNS lookup, your computer uses the TCP/IP protocol to establish a connection to the server at that IP address. This involves sending a request over the Internet, routed through multiple network nodes using IP (Internet Protocol). The server at 3.130.103.243 which hosts the ndexr.io site receives the request, and responds over the same TCP/IP connection.
Private addresses like 192.168.0.68 are only reachable within their own network. For example, each device can see the other devices on my home network, governed by my router. My laptop can connect to my desktop using the shell command ssh username@192.168.0.68, and my desktop can log into my laptop using ssh username@192.168.0.152. However, I cannot use the IP 192.168.0.68 from my EC2 server to connect to my local laptop, because the EC2 server has no access to my router's local network.