
I'd like to set up a rule to block ssh requests from EC2 since I've been seeing a large amount of ssh-based attacks from there and was wondering if anyone knew what their IP ranges are.

EDIT: Thank you for the answer, I went ahead and implemented the iptables rules as follows. I ignore all traffic for the moment. Logging it just to see if the rules are working and for stats on how much crap EC2 is sending out ;)

#EC2 Blacklist
$IPTBLS -A INPUT -s 67.202.0.0/18 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 67.202.0.0/18 -j DROP
$IPTBLS -A INPUT -s 72.44.32.0/19 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 72.44.32.0/19 -j DROP
$IPTBLS -A INPUT -s 75.101.128.0/17 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 75.101.128.0/17 -j DROP
$IPTBLS -A INPUT -s 174.129.0.0/16 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 174.129.0.0/16 -j DROP
$IPTBLS -A INPUT -s 204.236.192.0/18 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 204.236.192.0/18 -j DROP
$IPTBLS -A INPUT -s 204.236.224.0/19 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 204.236.224.0/19 -j DROP
$IPTBLS -A INPUT -s 79.125.0.0/17 -j LOG --log-prefix "<firewall> EC2 traffic "
$IPTBLS -A INPUT -s 79.125.0.0/17 -j DROP
Nicolas Kassis
  • It's not a good idea to expose ssh to the whole world! If you have to provide ssh maybe you should do this on a non-standard port. – B14D3 May 23 '12 at 12:18
  • Yes, using a non-standard port blocks 99.9% of the brute force SSH scans. – bortzmeyer Dec 28 '12 at 20:50
  • B14D3, I don't think I'd agree with that. It's fine to expose ssh to the whole world, but it's wise to take *some* precautions against brute-force attacks if you do. They can include rate-limiting new connections, the use of `fail2ban` or similar failure-blockers, a requirement for two-factor authentication, the use of a non-standard port number, and there are doubtless other mitigation methods. But simply saying "don't expose ssh" strikes me as a bit unhelpful. – MadHatter May 29 '14 at 08:10

3 Answers

You can find the updated list here: https://forums.aws.amazon.com/ann.jspa?annID=1701

gekkz
  • The last two are part of 204.236.128.0/17, AMAZON-EC2-6. There's also AMAZON-EC2-7, 184.72.0.0/15 – Phil P Apr 18 '10 at 09:15
  • Good point about the IPS/IDS; that's one of my future projects. For the moment I just wanted a stop-gap solution, and for the moment I don't foresee these machines receiving valid traffic from EC2. They certainly have huge blocks. – Nicolas Kassis Apr 19 '10 at 03:38
+1 to what gekkz said. Also I would suggest installing fail2ban to help preserve system resources for more important things than dictionary attacks.

Haakon
As per https://forums.aws.amazon.com/ann.jspa?annID=1252

US East (Northern Virginia):
72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
184.73.0.0/16 (184.73.0.0 - 184.73.255.255)
184.72.128.0/17 (184.72.128.0 - 184.72.255.255)
184.72.64.0/18 (184.72.64.0 - 184.72.127.255)
50.16.0.0/15 (50.16.0.0 - 50.17.255.255)
50.19.0.0/16 (50.19.0.0 - 50.19.255.255)
107.20.0.0/15 (107.20.0.0 - 107.21.255.255)
107.22.0.0/16 (107.22.0.0 - 107.22.255.255)
23.20.0.0/14 (23.20.0.0 - 23.23.255.255) NEW

US West (Oregon):
50.112.0.0/16 (50.112.0.0 - 50.112.255.255)

US West (Northern California):
204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
184.72.0.0/18 (184.72.0.0 - 184.72.63.255)
50.18.0.0/16 (50.18.0.0 - 50.18.255.255)
184.169.128.0/17 (184.160.128.0 - 184.169.255.255) NEW

EU (Ireland):
79.125.0.0/17 (79.125.0.0 - 79.125.127.255)
46.51.128.0/18 (46.51.128.0 - 46.51.191.255)
46.51.192.0/20 (46.51.192.0 - 46.51.207.255)
46.137.0.0/17 (46.137.0.0 - 46.137.127.255)
46.137.128.0/18 (46.137.128.0 - 46.137.191.255)
176.34.128.0/17 (176.34.128.0 - 176.34.255.255)
176.34.64.0/18 (176.34.64.0 - 176.34.127.255) NEW

Asia Pacific (Singapore):
175.41.128.0/18 (175.41.128.0 - 175.41.191.255)
122.248.192.0/18 (122.248.192.0 - 122.248.255.255)
46.137.192.0/18 (46.137.192.0 - 46.137.255.255)
46.51.216.0/21 (46.51.216.0 - 46.51.223.255)

Asia Pacific (Tokyo):
175.41.192.0/18 (175.41.192.0 - 175.41.255.255)
46.51.224.0/19 (46.51.224.0 - 46.51.255.255)
176.32.64.0/19 (176.32.64.0 - 176.32.95.255)
103.4.8.0/21 (103.4.8.0 - 103.4.15.255)
176.34.0.0/18 (176.34.0.0 - 176.34.63.255) NEW

South America (Sao Paulo):
177.71.128.0/17 (177.71.128.0 - 177.71.255.255) NEW

Ciaran
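Phil P's comment points out that the asker's two 204.236.x rules overlap; collapsing the prefix list before generating rules drops the redundant 204.236.224.0/19 entry and keeps the chain short. This Python example is added here and is not from the question or any answer; the chain name EC2-SSH, the restriction to new SSH connections and the log prefix are my own choices.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: the EC2 prefixes from the question's iptables rules.
# 204.236.224.0/19 lies inside 204.236.192.0/18, so it is redundant.
QUESTION_PREFIXES = [
    "67.202.0.0/18", "72.44.32.0/19", "75.101.128.0/17", "174.129.0.0/16",
    "204.236.192.0/18", "204.236.224.0/19", "79.125.0.0/17",
]


def collapse(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent prefixes so each range gets one rule.

    strict=True rejects a prefix whose host bits are set (a typo in the list
    would otherwise silently block a different range than intended)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def render_rules(prefixes: Iterable[str], chain: str = "EC2-SSH",
                 port: int = 22) -> List[str]:
    """Emit iptables commands for a dedicated chain (hypothetical name) that
    only sees new SSH connections, so a bad prefix cannot cut off other
    services, and a LOG line precedes every DROP as in the question."""
    rules = [
        f"iptables -N {chain}",
        f"iptables -A INPUT -p tcp --dport {port} "
        f"-m conntrack --ctstate NEW -j {chain}",
    ]
    for net in collapse(prefixes):
        rules.append(f'iptables -A {chain} -s {net} -j LOG '
                     f'--log-prefix "<firewall> EC2 ssh "')
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")  # unmatched traffic continues
    return rules


def is_blocked(ip: str, prefixes: Iterable[str]) -> bool:
    """Check one source address (e.g. taken from an sshd auth log line)
    against the collapsed list; useful for verifying the rules offline."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in collapse(prefixes))


if __name__ == "__main__":
    print("\n".join(render_rules(QUESTION_PREFIXES)))
```

Running the block prints the generated commands; with the seven input prefixes it yields six LOG/DROP pairs because the overlapping /19 is absorbed.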