How to whitelist IPs on AWS, DigitalOcean, and Cloudflare
One of the first things that we ask from our users after they create their Hackmetrix account is to whitelist our IP addresses in their firewall rules.
Because Hackmetrix simulates attacks on your site or app in order to report vulnerabilities and show you how to fix them, it works best if your firewall lets us do our thing.
Now, since we’ve gotten a few questions as to how and why do this, we wrote this article to explain what whitelisting means, and the step by step instructions to do it in 3 of the most popular services for developers: AWS, DigitalOcean, and Cloudflare.
Let’s dive in!
What is the Whitelisting?
First things first: IP whitelisting doesn’t mean you’ll turn off your firewall. A firewall whitelist is a set of configurations that let you specify which IPs can have access to your platform, allowing even suspicious behavior, but keeping your security configurations with any other addresses that are not on that whitelist.
Why do I have to whitelist Hackmetrix?
As I mentioned before, because we need to allow “suspicious behavior”. If you are trying to use Hackmetrix to test your website, we are that suspicious behavior that you need allow behind your firewall, and you will need to whitelist our IP.
But what if I don’t want to do it?
Then the results you’ll get on your report could be off — by a lot. After a few attacks, the firewall will see our server as a threat and it will start to block the attacks. This makes it very hard for a scan to be completed, and might even force Hackmetrix to increase the time between requests by so much that the scan might never end.
Additionally, firewalls are not a vulnerability fixer. Firewalls are a measure to mitigate attacks, and they don’t guarantee that your application code is safe, nor your application structure. Because of this, if an attacker finds a way to bypass your firewall/WAF, the platform will stay vulnerable through all the security issues that weren’t detected and fixed — even after you go live.
How can I whitelist?
How to do this can vary depending on your firewall, but you can find help on how to whitelist IPs for some of the most common ones in the following list.
The first screen you’ll see immediately after you login will be the home screen. This view shows the websites you have protected with Cloudflare, select the site on which you want whitelist the IP address.
Now you have to look for the Firewall option in the top horizontal list. Once in the Firewall settings scroll down and you will find yourself in a subsection called IP Firewall, this section has the Access Rules that will allow you to whitelist. Here you will have an Access Rules Search followed by the three fields we need: in the first field (text) we need to specify the host/IP or range of hosts/IPs that we want allow. The second field (dropdown) is the action that we want to execute over the host we have wrote, in this case, Whitelist. And the third field, a dropdown too, allows us to run this rule in all our websites under Cloudflare, or only in the website the configurations are. We can also find a fourth option, this is not important but allows us to leave a message or identifier. Finally click the Add button.
So, in conclusion:
- Go to the website in whitelist an IP
- Go to the Firewall option
- Scroll down to Access Rules
- Add the IP/Host to whitelist, select the Whitelist option and de domain over which the rule will have effect.
- Click Add
Ok, finding the correct settings to configure here can be a bit complicated, so hopefully these instructions are clear.
Once we are inside the application we need to go to the EC2 service section, we can find it by clicking in the Services dropdown located at the right top menu.
In the EC2 Dashboard we’ll find a whole lot of settings, but we are looking for the Security Groups option, which we can find in the Network & Security section in left menu. Security Groups act as a virtual firewall that control traffic for one or more instances. This panel will allows us to create different kinds of rules for how each instance should behave against generic or specific requests, in other words, this item will allow us to whitelist IPs. This screen shows a button to Create Security Group, click that and you’ll see a new modal window to set the Security Group information (name, description, VPC) and its rules. These rules will be what define the whitelisting.
Finally, we need to go to the Inbound tab and set the first Type dropdown under All traffic. Right away we can see how the two following fields –Protocol and Port Range– are automatically filled out with All and 0–65535 to cover the whole network. Next, we’ll set the Source dropdown under Custom and set the IP/host to whitelist in the text box. To finalice we can add a description as a guide of the rule and at last we click on Createbutton.
Congratulations! We have created our whitelist rule
But, which EC2 instance is working on? We still have to set our new Security Group to an EC2 instance, so, from where we are, we will go to the EC2 Dashboard and click on Running Instances. Once there select the instance on which we want the rule to run, and click the Actions dropdown. You’ll now see a Networking submenu with the Change Security Groups option, click on it. A modal window should pop up containing a Security Groups list, find the one you just created and select it, after that click on Assign Security Groups.
There, you’ve successfully whitelisted an IP on AWS!
To sum up:
- Go to EC2
- Go to Security Groups in the left menu
- Click on Create Security Group
- Set the group information
- In the Inbound tab click on Add Rule button
- Set Type in All traffic, Source in Custom, and the IP/host to whitelist in the text box
- Add a description if you want and click the Create button
- Go to the EC2 Dashboard
- Go to Running Instances
- Select the instance on which the rule should run
- Go to the Actions dropdown, Networking, Change Security Groups
- Look for your Security Group and select it
- Click on Assign Security Group
Ok, this case is fortunately easier than before. Once we have logged in into the DigitalOcean panel, we can see a left menu with a Manage submenu, click that and you’ll see a Droplets option. Go to Droplets and you will see a list with your DigitalOcean’s instances, select the droplet where you want to whitelist the IP address.
Inside the Droplets section you will find a secondary menu before the main menu on the left, there you will find the Networking option, click on it. Scroll down to the bottom and you’ll see a small section titled Firewallswith a button that says Manage Firewalls. If you click this button you will go to the Firewalls subsection on the Networking page, here you can find another button that says Create Firewall and a list with all the firewalls already up.
At this point, two options exist: edit one of those firewall, or create one. In both of them, the steps are same, so, click the firewall that is acting over the droplet where you want to whitelist, or if you want to create a new one to do this, click on Create Firewall (with this option you will have to give the firewall a name).
What we are going to do now is to create a new Inbound Rule (you got it, under the Inbound Rules section), so to do this we need find the New Ruledropdown. In it you’ll find two options: All TCP and All UDP. Because these options are independent, to enable both of them we will have to create two different rules, one for each option. All the other information will be the same.
So, select one of these options under the New Rule dropdown. In the Sources text box, we will find two cards: All IPv4 and All IPv6, delete them and write the IP/host you need to whitelist. To finish, if you are editing an existing firewall, click on Save button next to the text box. If you are creating a new firewall then at the end of the page, in the Apply to Droplets section, you’ll need to specify the droplet over which the firewall will act. After doing this click on the Create Firewall button at the page bottom. You’re done!
- Go to Droplets section in the left menu
- Select the droplet where you want to whitelist the IP address
- Go to Networking
- Scroll down and click the Manage Firewalls button
- If you want to edit an existing firewall:
- Select the firewall to edit from the list
- In Inbound Rules section, select All UDP/All TCP (create a rule for each one) in the New Rule dropdown
- Delete the cards All IPv4 and All IPv6 from the Sources text box and write the IP/host you want to whitelist
- Click on the Save button next to the Sources box
- If you want to create a new firewall:
- Click Create Firewall
- Set a name
- In the Inbound Rules section, select All UDP/All TCP (create a rule for each one) in the New Rule dropdown
- Delete the cards All IPv4 and All IPv6 from Sources text box and write the IP/host you want to whitelist
- Select the droplet where you want to the rule to act
- Click Create Firewall at the bottom of the page
Great! So now you know how to whitelist any IP in your firewall rules, and why it might me convenient to do so. If you have a Hackmetrix account and you followed this process with our addresses, this means that we can now show you even better results on the potential vulnerabilities on your site or app. Don’t have an account yet? You can make one and try out our free plan, you’ll get a free scan every month, with a detailed report on every security flaw found on your site and tips on how to fix them.