Home / server / Questions / 1018621
Accepted
Philipp Claßen
Asked: 2020-05-26 06:14:03 +0800 CST

Required outgoing ports to open for an Ubuntu 20.04 EC2 instance (beside TCP 80/443)

  • 772

I'm hardening the security groups for EC2 instances running on a default Ubuntu 20.04 AMI. What system services will break after closing all outgoing ports expect TCP 80 and TCP 443? (I'm assuming all ports required by the application are open, too. My concern is about breaking the implicit services provided by the OS.)

My understanding is that allowing TCP 80/443 is enough for the essential OS services. For example, apt-get updates should work. Or did I miss ports that Ubuntu or AWS will always expect to be open?

Side-note: I wondered how time syncing works. By default, I cannot see any NTP or chrony service preinstalled on the default Ubuntu AMI. Otherwise, UDP port 123 should be open, too. My assumption is that the (guest) hardware clock provided by the VM is already synced by the host (operated by AWS). Apart from that, I cannot think of any port that needs to be allowed from the OS perspective.

Depending on what AWS services the application will use, more ports are required, for example, 6379 for ElastiCache (Redis). Yet I'm concerned about API calls that do not originate from the deployed application. You can assume that the requirements of the application are known. The requirements by the environment (the OS and the EC2 infrastructure) are trickier.

ubuntu amazon-web-services security-groups

2 Answers

  1. Best Answer

    In Ubuntu 20.04, allowing outgoing http and https traffic is mostly enough. However, I ran into an issue with NTP. My attempts to open UDP port 123 failed. I'm not sure why, but to solve it, I ended up switching to the internal Time Sync Serving from AWS:

    $ cat /etc/systemd/timesyncd.conf
[Time]
NTP=169.254.169.123

    If clocks are getting synchronized, you should get the following output: 

    $ timedatectl
...
System clock synchronized: yes                        
...

    If not, check the logs via:

    $ journalctl --unit=systemd-timesyncd

    In my case, I still got timeout when connecting to ntp.ubuntu.com:123, even after opening port UDP 123 (I even tried to open TCP 123, too). With the AWS service, it worked without opening neither of these outgoing ports.

    • 1

  2. You will need to use NACLs for this as security groups only can handle the incoming traffic and allow everything going out. You need to take into consideration Ephemeral ports. This means that when you start a request to https://my-apt-repo.com the destination port will be 443 because of HTTPS, but the source port where the request will start from on your instance can be anywhere from port ~10000 to ~65000. You have to pay attention to allow both incoming and outgoing ports because NACLs are stateless. If you only allow outgoing on some ports and not ingoing, the response will not be able to come back.

    To see which ports are used by your system as ephemeral, run:

    sysctl net.ipv4.ip_local_port_range

    You can change the port range by editing the /etc/sysctl.conf file. If you don't want to reboot for the changes to take effect, run the following command to source the configuration:

    sysctrl -p /etc/sysctl.conf .

    For more info, check out this article.

    • 0