Restrict Access to P1 web configuration
This article describes how to restrict access to port 4321 (the web configuration interface) on an AWS P1 Server, which is required to mitigate a potential Log4j vulnerability.
Instructions
From AWS Dashboard go to Security Groups
Select the P1 Server Security Group (the one which has port 4321 open to anyone), then click Actions, Copy to new Security Group. Call the copy “P1 Server without 4321” or something similar. Then edit it and delete the inbound rule for port 4321. This group now covers everything except the web interface.
Now create a new Security Group called “P1 Server 4321” and add an inbound rule for TCP port 4321. Under Source, select My IP instead of Anywhere; this sets the source to your current public IP address. This group covers the web interface only, for one or more named users.
Now go to your EC2 Instances, select the P1 Server and then select Actions, Security, Change Security Groups. Remove your current P1 Server security group, add the one called P1 Server without 4321 and add the one called P1 Server 4321. Then apply these changes.
At this point you should be able to use the P1 Server exactly as before as long as you come from this same public IP address.
To add more addresses, just edit P1 Server 4321 and add an inbound rule for TCP port 4321 for each address that you want to add. Select Custom as the source and enter e.g. 1.2.3.4/32 to add the specific IP address 1.2.3.4 to the whitelist of addresses that are allowed to access it. For example, you might want to add the Entel IP addresses 82.24.250.129/32, 217.45.177.215/32 and 86.188.177.18/32 so that any of the Entel Support Team can help you with the server.
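The procedure above is easy to get subtly wrong: security group rules are additive, so if the old group is left attached alongside the two new ones, port 4321 stays open to the world even though the new groups look right. The following script is an added example (not part of the article and not Entel or AWS code) that audits the result. It works on data in the shape returned by `aws ec2 describe-security-groups`; the group ids, the 203.0.113.10 “My IP” value and the group contents below are constructed for the example, while the three Entel addresses are the ones named in the article.

```python
"""Audit the P1 Server security-group split for port 4321.

Added example, not the article's own code. Input is a list of security
groups in the shape of `aws ec2 describe-security-groups` output
(the "SecurityGroups" array); the sample below is constructed.
"""
import ipaddress

WEB_PORT = 4321                          # P1 web configuration port
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"     # "Anywhere" sources

# Constructed sample: group ids and 203.0.113.10 are made up.
SAMPLE_GROUPS = [
    {   # the original group, with 4321 open to anyone
        "GroupId": "sg-00000000000000001", "GroupName": "P1 Server",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 4321, "ToPort": 4321,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # copy of the original with the 4321 rule deleted
        "GroupId": "sg-00000000000000002", "GroupName": "P1 Server without 4321",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    },
    {   # web interface only: My IP plus the Entel support addresses
        "GroupId": "sg-00000000000000003", "GroupName": "P1 Server 4321",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 4321, "ToPort": 4321,
             "IpRanges": [
                 {"CidrIp": "203.0.113.10/32", "Description": "My IP"},
                 {"CidrIp": "82.24.250.129/32", "Description": "Entel support"},
                 {"CidrIp": "217.45.177.215/32", "Description": "Entel support"},
                 {"CidrIp": "86.188.177.18/32", "Description": "Entel support"},
             ],
             "Ipv6Ranges": []},
        ],
    },
]


def groups_named(groups, *names):
    """Select groups by GroupName, preserving the order of `names`."""
    return [g for n in names for g in groups if g["GroupName"] == n]


def rule_covers_port(perm, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm["IpProtocol"]
    if proto == "-1":            # "All traffic" rule: no FromPort/ToPort keys
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def port_sources(group, port):
    """Every source CIDR (IPv4 and IPv6) the group allows to reach `port`."""
    cidrs = []
    for perm in group["IpPermissions"]:
        if rule_covers_port(perm, port):
            cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def audit_group(group, port):
    """Findings for one group: anything other than single-host sources."""
    findings = []
    for cidr in port_sources(group, port):
        if ipaddress.ip_network(cidr, strict=False).num_addresses == 1:
            continue             # a /32 or /128: exactly what the article wants
        if cidr in (ANY_V4, ANY_V6):
            findings.append(f"{group['GroupName']}: port {port} open to anyone ({cidr})")
        else:
            findings.append(f"{group['GroupName']}: port {port} source {cidr} "
                            "is wider than a single host")
    return findings


def effective_sources(attached_groups, port):
    """Rules are additive: an instance's exposure is the union across all
    attached groups, so a forgotten old group silently reopens the port."""
    return {c for g in attached_groups for c in port_sources(g, port)}


def audit_instance(attached_groups, port=WEB_PORT):
    """Findings across every group attached to the instance."""
    return [f for g in attached_groups for f in audit_group(g, port)]


if __name__ == "__main__":
    attached = groups_named(SAMPLE_GROUPS, "P1 Server without 4321", "P1 Server 4321")
    print("allowed to reach 4321:", sorted(effective_sources(attached, WEB_PORT)))
    print("findings:", audit_instance(attached) or "none")
```

To audit a real instance, replace SAMPLE_GROUPS with the parsed "SecurityGroups" array from `aws ec2 describe-security-groups` for the groups shown on the instance's Security tab; a non-empty findings list means step 3 of the procedure was not completed or a later rule was added with a source wider than /32.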