My EC2 instance has been reported for suspicious activity, and I received the following e-mail:
Suspected of participating in activity resembling scanning remote hosts on the internet for security vulnerabilities. AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We have included the original report below for your review.
Please take action to stop the reported activity and reply directly to this e-mail with details of the corrective measures you have taken. If you do not consider the activity described in these reports to be abuse, please reply to this e-mail with details of your use case.
If you are not aware of this activity, your environment may have been compromised by an external attacker, or a vulnerability may be allowing your machine to be used in an unintended way.
I don't know how to check what happened. I changed the root password, but I still receive the same activity reports.
Here are the logs:
Full logs:
(time in UTC)=2020-12-08T23:59:13 (attacker's IP)=myip (IP being scanned)=91^208^184^50 (TCP port being scanned)=523
(time in UTC)=2020-12-08T23:59:21 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=2025
(time in UTC)=2020-12-08T23:59:28 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=841
(time in UTC)=2020-12-08T23:59:42 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=10699
(time in UTC)=2020-12-08T23:59:54 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=1298
(time in UTC)=2020-12-09T23:57:40 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=313
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=219^91^62^21 (TCP port being scanned)=21735
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=91^203^192^19 (TCP port being scanned)=984
(time in UTC)=2020-12-09T23:57:52 (attacker's IP)=myip (IP being scanned)=185^178^44^132 (TCP port being scanned)=18263
(time in UTC)=2020-12-09T23:57:53 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=1389
Another log:
Logs:
------------------------------------------------------------------------
Dec 9 01:01:55 kmh-wmh-003-nbg03 sshd[698]: Invalid user test from myip port 44682
Dec 9 01:01:55 kmh-wmh-003-nbg03 sshd[698]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Failed password for invalid user test from myip port 44682 ssh2
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Received disconnect from myip port 44682:11: Bye Bye [preauth]
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Disconnected from myip port 44682 [preauth]
Dec 9 01:18:16 kmh-wmh-003-nbg03 sshd[2480]: Invalid user pppuser from myip port 41660
Dec 9 01:18:16 kmh-wmh-003-nbg03 sshd[2480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Failed password for invalid user pppuser from myip port 41660 ssh2
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Received disconnect from myip port 41660:11: Bye Bye [preauth]
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Disconnected from myip port 41660 [preauth]
Dec 9 01:21:25 kmh-wmh-003-nbg03 sshd[2792]: Invalid user master from myip port 38852
Dec 9 01:21:25 kmh-wmh-003-nbg03 sshd[2792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip
Since I never use my instance to connect over ssh, I just want to block all outgoing SSH traffic from any user and any application/process. How can I do this?
Maybe I can use iptables to block all outgoing traffic to port 22, but that wouldn't block all ssh, since not all of it uses port 22, right? Is there another effective way?
Answer 1
It's not that simple. If your server has been compromised, you have to investigate.
First, block all incoming traffic except for your services (e.g. ports 80 and 443), and block ssh access from any source but your own.
Second, I recommend installing and running software such as clamav, chkrootkit and rkhunter. These can scan your machine and identify several well-known vulnerabilities.
Third, review all running processes, logs, etc.
Fourth, apply some hardening techniques to your machine.
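The first step of answer 1 (inbound limited to your services, ssh only from your own address) and the question's ask (block outgoing ssh on any port, for any user or process) can both be done with one host firewall ruleset. The script below is an added example, not from the question or either answer; it assumes IPv4 iptables with the conntrack, multiport and limit matches, and ADMIN_CIDR is a placeholder you replace with your own address.

```sh
#!/bin/sh
# Added example: host firewall for a single EC2 instance. Inbound is limited to the
# services it serves plus SSH from one admin address; outbound is default-deny, so a
# compromised process cannot scan or brute-force other hosts on any port, 22 or not.
# Assumes IPv4 iptables with the conntrack, multiport and limit matches available.
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.10/32}   # placeholder (documentation range): use your own address

# With DRY_RUN=1 the rules are printed instead of applied, so they can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_host_firewall() {
    # Flush only the chains this script owns, so it is safe to re-run.
    ipt -F INPUT
    ipt -F OUTPUT

    # Inbound: "block all incoming traffic but your services" (answer 1).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_CIDR" --dport 22 -j ACCEPT     # SSH from your address only
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT     # the services you actually run
    ipt -A INPUT -m limit --limit 10/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    ipt -A INPUT -j DROP

    # Outbound: default deny; replies to accepted inbound sessions and a short list of
    # outbound services are the only exceptions. A port-22 rule alone would not catch
    # ssh to a non-standard port; a default-deny policy does.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT                        # DNS
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT                       # NTP
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT      # package updates, APIs
    # Everything else is logged (rate-limited) then dropped, so scanning by a compromised
    # process shows up in syslog as EGRESS-DROP instead of in an abuse report.
    ipt -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
    ipt -A OUTPUT -j DROP

    # Policies last: the ESTABLISHED rules already exist, so the SSH session you run
    # this from is not cut off when the default flips to DROP.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
}

# "sh firewall.sh" prints the ruleset for review; "sh firewall.sh apply" loads it (run as root).
if [ "${1:-}" = "apply" ]; then apply_host_firewall; else DRY_RUN=1 apply_host_firewall; fi
```

Anyone who already has root on the instance can flush these rules, so pair them with the Security Group change from answer 2, which the attacker cannot undo from inside the host; rules set this way are also lost on reboot unless you persist them with your distribution's iptables-save mechanism.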
Answer 2
Check your Security Groups and, if there is an inbound rule for port 22/SSH, remove it.
If you never ssh in, what services are you running?