How to block Amazon AWS traffic

We often see malicious traffic coming from the Amazon Web Services (AWS) network. The attackers try to connect to cPanel or WordPress. If you see such attacks on your server, it can be a good idea to block AWS traffic, at least temporarily.

We will download the AWS IP ranges and add them to CSF's csf.deny file. Use this command to download the JSON file (JSON is the only format Amazon offers):

# wget https://ip-ranges.amazonaws.com/ip-ranges.json

To extract the IPs:

# grep ip_prefix ip-ranges.json | awk '{print $2}' | tr -d \",
root@web [/temp4]# grep ip_prefix ip-ranges.json | awk '{print $2}' | tr -d \",
3.5.140.0/22
35.180.0.0/16
52.93.178.234/32
52.94.76.0/22
52.95.36.0/22
120.52.22.96/27
150.222.81.0/24
13.34.24.160/27
15.230.39.60/31
52.219.168.0/24
150.222.78.0/24
15.230.39.208/31
52.93.17.0/24
52.93.240.164/31
52.95.150.0/24
52.219.60.0/23
13.248.56.0/22
13.248.117.0/24
......

To extract the IPs and add them to csf.deny file:

# grep ip_prefix ip-ranges.json | awk '{print $2}' | tr -d \", >>/etc/csf/csf.deny

Don’t forget to restart CSF:

# csf -r
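
A more robust take on the extraction step, as an added example that is not part of the original post: it parses the JSON instead of grepping it, keeps only valid IPv4 CIDRs, merges duplicate and overlapping ranges, and tags each line with a comment so the entries are easy to find when the block is lifted. The `deny_lines` name, the `aws-block` tag and the sample data are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Turn AWS ip-ranges.json into de-duplicated, tagged csf.deny lines."""
import ipaddress
import json
import sys

# Constructed sample in the shape of ip-ranges.json (documentation ranges,
# not real AWS data), used when no file path is given.
SAMPLE = """{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",     "region": "example-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.128/25",   "region": "example-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/25",     "region": "example-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.16/28", "region": "example-2", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24",  "region": "example-2", "service": "AMAZON"},
    {"ip_prefix": "not-a-cidr",       "region": "example-2", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "example-1", "service": "AMAZON"}
  ]
}"""


def deny_lines(json_text, tag="aws-block"):
    """Return (csf.deny lines, rejected values) for the IPv4 prefixes."""
    nets, rejected = [], []
    for entry in json.loads(json_text).get("prefixes", []):
        raw = entry.get("ip_prefix", "")
        try:
            # Accept only well-formed IPv4 CIDRs; nothing else reaches csf.deny.
            nets.append(ipaddress.IPv4Network(raw))
        except ValueError:
            rejected.append(raw)
    # Merge duplicates, adjacent ranges and ranges contained in larger ones.
    merged = ipaddress.collapse_addresses(nets)
    # The tag is a hypothetical comment label so the entries can be found later.
    return [f"{net} # {tag}" for net in merged], rejected


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    lines, bad = deny_lines(text)
    print("\n".join(lines))
    for value in bad:
        print(f"skipped invalid prefix: {value!r}", file=sys.stderr)
```

Run with the path to ip-ranges.json, its output can be appended to /etc/csf/csf.deny in place of the grep pipeline. CSF's DENY_IP_LIMIT setting in csf.conf caps how many entries csf.deny keeps, so check it before appending a list this size.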

