Added additional Security Group rules to further restrict traffic

Hacking-the-Cloud · Mar 3, 2022 · 1ee64af · 1ee64af
1 parent 88bc3dc
commit 1ee64af
Showing 1 changed file with 16 additions and 8 deletions.
diff --git a/aws/cicdont/attackbox.tf b/aws/cicdont/attackbox.tf
@@ -14,17 +14,25 @@ data "aws_ami" "ubuntu_ami" {
   owners = ["099720109477"] # Canonical
 }
 
-resource "aws_security_group" "allow_everything" {
-  name        = "allow_everything"
+resource "aws_security_group" "allow_inbound" {
+  name        = "allow_inbound"
   description = "Allow everything tcp inbound"
   vpc_id      = aws_vpc.ctf_vpc.id
 
   ingress {
     description = "Allow everything"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 26
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.player_ip.body)}/32", "${aws_instance.target_service.public_ip}/32"]
+  }
+
+  ingress {
+    description = "Allow SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.player_ip.body)}/32"]
   }
 
   egress {
@@ -35,7 +43,7 @@ resource "aws_security_group" "allow_everything" {
   }
 
   tags = {
-    Name = "allow_everything"
+    Name = "allow_inbound"
   }
 }
 
@@ -53,7 +61,7 @@ resource "aws_instance" "attackbox" {
   instance_type               = "t3.micro"
   associate_public_ip_address = true
   subnet_id                   = aws_subnet.ctf_subnet.id
-  vpc_security_group_ids      = [aws_security_group.allow_everything.id]
+  vpc_security_group_ids      = [aws_security_group.allow_inbound.id]
   depends_on                  = [aws_internet_gateway.ctf_gw]
 
   user_data = data.template_file.attackbox_user_data.rendered