I'm trying to block 3389 traffic from countries such as China, Russia. Alternatively I'd like to allow 3389 traffic from specific countries. If possible I'd like to do this within AWS VPC rather than the firewalls of each Windows Server.
Gavin, what about North Korea? – b.b3rn4rd Jun 20 '19 at 03:50
For ports like 3389 (RDP) you apply the reverse. You block all traffic and only allow specific IP addresses or CIDR blocks. Geolocation is not reliable for security purposes. For example, if I notice that you are blocking me in Russia, I will simply tunnel to France or the US and hit your endpoint from there. – John Hanley Jun 20 '19 at 05:50
1 Answer
Sounds like you should implement an AWS Web Application Firewall (WAF).
From Working with Geographic Match Conditions - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced:
If you want to allow or block web requests based on the country that the requests originate from, create one or more geo match conditions. A geo match condition lists countries that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those countries.
You can use geo match conditions with other AWS WAF conditions or rules to build sophisticated filtering. For example, if you want to block certain countries, but still allow specific IP addresses from that country, you could create a rule containing a geo match condition and an IP match condition. Configure the rule to block requests that originate from that country and do not match the approved IP addresses.
Thanks - I looked at AWS WAF but it says it is designed to handle http and https requests. Does RDP traffic on port 3389 look like http or https requests? – Gavin Dixon Jun 21 '19 at 04:49
Ah! You're right. Sorry about that. In that case, no, there is no service that will geo-block RDP traffic. The only services with geo capabilities are WAF, CloudFront and Route 53. CloudFront is for web requests. Route 53 can change the result of a DNS name lookup based on geo, but cannot block requests if people know the destination IP address. – John Rotenstein Jun 21 '19 at 04:57
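The thread stops at "no AWS service geo-blocks RDP", so the following is an added example (not code from the question, the answer or any commenter) of the approach John Hanley's comment recommends: keep 3389 closed to the world and allow it only from specific CIDR blocks, enforced in the VPC security group rather than on each Windows host. It also includes the check a reviewer would run first, finding existing rules that already expose 3389 to 0.0.0.0/0 or ::/0, including "all traffic" (-1) rules and port ranges that happen to span 3389. Assumptions: boto3 and AWS credentials exist only for the optional `apply_rdp_allowlist` step (everything else runs offline); the "too broad" thresholds (wider than an IPv4 /16 or an IPv6 /48) are a policy choice made here; `SAMPLE_SG` is a constructed dict shaped like one entry of `describe_security_groups()`.

```python
"""Allowlist RDP (TCP/3389) in an AWS security group instead of geo-blocking it.

Added example; not from the Stack Exchange thread. boto3 is only needed for
apply_rdp_allowlist(); the rest is pure Python so it can be run and tested offline.
"""
import ipaddress
from typing import Dict, List

RDP_PORT = 3389
# Assumed policy knobs: anything wider than an IPv4 /16 or an IPv6 /48 is treated
# as "effectively the whole internet" for an RDP allowlist.
MAX_V4_ADDRESSES = 2 ** 16
MIN_V6_PREFIXLEN = 48


def too_broad(cidr: str) -> bool:
    """True if the CIDR is wider than the allowlist policy permits (0.0.0.0/0, ::/0, a /8 ...)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        return net.num_addresses > MAX_V4_ADDRESSES
    return net.prefixlen < MIN_V6_PREFIXLEN


def build_rdp_ingress(allowed_cidrs: List[str]) -> List[Dict]:
    """Build the IpPermissions list for ec2.authorize_security_group_ingress that
    admits TCP/3389 only from allowed_cidrs. Bare addresses become /32 or /128.
    Raises ValueError on an over-broad range, on host bits set (e.g. 10.1.2.3/24,
    which is ambiguous) and on an empty list."""
    v4, v6 = [], []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits in a prefix
        if too_broad(cidr):
            raise ValueError(f"{cidr} is too broad for an RDP allowlist")
        if net.version == 4:
            v4.append({"CidrIp": str(net), "Description": "RDP allowlist"})
        else:
            v6.append({"CidrIpv6": str(net), "Description": "RDP allowlist"})
    if not v4 and not v6:
        raise ValueError("empty allowlist: RDP would be unreachable from anywhere")
    perm: Dict = {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT}
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return [perm]


def find_open_rdp(security_group: Dict) -> List[str]:
    """Return the source ranges of a describe_security_groups() entry that expose
    3389 to an over-broad range. Covers 'all traffic' (-1) rules, which carry no
    FromPort/ToPort, and TCP port ranges that span 3389."""
    exposed: List[str] = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        covers_rdp = proto == "-1" or (
            proto == "tcp"
            and perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)
        )
        if not covers_rdp:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        exposed.extend(c for c in sources if too_broad(c))
    return exposed


def apply_rdp_allowlist(group_id: str, allowed_cidrs: List[str], region: str) -> None:
    """Push the allowlist to a real security group. Assumes boto3 is installed and
    credentials are configured; nothing else in this file touches the network."""
    import boto3  # imported lazily so the offline helpers above need no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=build_rdp_ingress(allowed_cidrs)
    )


# Constructed sample, shaped like one entry of describe_security_groups()["SecurityGroups"].
SAMPLE_SG: Dict = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},            # the classic mistake
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},      # spans 3389 but from a /24
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic, IPv6
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},            # does not touch 3389
    ],
}

if __name__ == "__main__":
    print("exposed RDP sources:", find_open_rdp(SAMPLE_SG))
    print(build_rdp_ingress(["203.0.113.0/24", "198.51.100.7"]))
```

Run `find_open_rdp` over every group from `describe_security_groups()` before adding rules: authorizing a tight allowlist does nothing if a pre-existing 0.0.0.0/0 rule on 3389 (or an "all traffic" rule) is still present, because security group rules are additive. Revoke those with `revoke_security_group_ingress` first, then apply the allowlist. The thresholds here are deliberately stricter than AWS itself enforces; loosen them only with a reason written next to the rule.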