Block all outgoing ssh traffic

My EC2 instance was reported for suspicious activity and I received the following email:

…involving activity that resembles scanning remote hosts on the Internet for security vulnerabilities. AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We have provided the original report below for your review.

Please take steps to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not believe the activity described in these reports is abusive, please reply to this email with details of your use case.

If you are not aware of this activity, your environment may have been compromised by an external attacker, or a vulnerability may be allowing your machine to be used in unintended ways.

I don't know how to check what happened. I changed the root password, but I still receive the same activity reports.

Here are the logs:

Full logs:
(time in UTC)=2020-12-08T23:59:13 (attacker's IP)=myip (IP being scanned)=91^208^184^50 (TCP port being scanned)=523
(time in UTC)=2020-12-08T23:59:21 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=2025
(time in UTC)=2020-12-08T23:59:28 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=841
(time in UTC)=2020-12-08T23:59:42 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=10699
(time in UTC)=2020-12-08T23:59:54 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=1298
(time in UTC)=2020-12-09T23:57:40 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=313
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=219^91^62^21 (TCP port being scanned)=21735
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=91^203^192^19 (TCP port being scanned)=984
(time in UTC)=2020-12-09T23:57:52 (attacker's IP)=myip (IP being scanned)=185^178^44^132 (TCP port being scanned)=18263
(time in UTC)=2020-12-09T23:57:53 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=1389

Another log:

Logs:
------------------------------------------------------------------------
Dec 9 01:01:55 kmh-wmh-003-nbg03 sshd[698]: Invalid user test from myip port 44682
Dec 9 01:01:55 kmh-wmh-003-nbg03 sshd[698]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Failed password for invalid user test from myip port 44682 ssh2
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Received disconnect from myip port 44682:11: Bye Bye [preauth]
Dec 9 01:01:57 kmh-wmh-003-nbg03 sshd[698]: Disconnected from myip port 44682 [preauth]
Dec 9 01:18:16 kmh-wmh-003-nbg03 sshd[2480]: Invalid user pppuser from myip port 41660
Dec 9 01:18:16 kmh-wmh-003-nbg03 sshd[2480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Failed password for invalid user pppuser from myip port 41660 ssh2
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Received disconnect from myip port 41660:11: Bye Bye [preauth]
Dec 9 01:18:17 kmh-wmh-003-nbg03 sshd[2480]: Disconnected from myip port 41660 [preauth]
Dec 9 01:21:25 kmh-wmh-003-nbg03 sshd[2792]: Invalid user master from myip port 38852
Dec 9 01:21:25 kmh-wmh-003-nbg03 sshd[2792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myip

Since I never use my instance to connect over ssh, I just want to block all outgoing SSH traffic from any user and any application/process. How do I do that?

Maybe I can use iptables to block all outgoing traffic to port 22, but not all ssh uses port 22, right? Is there another effective way?
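An added example that is not part of the original question: a POSIX shell script that parses abuse-report lines in the format quoted above (the sample is constructed from the question's lines, with the report's own `myip` and `^` redaction) and then prints the iptables rules that reject new outbound connections to TCP port 22 and log every other new outbound TCP connection together with the UID that opened it. The chain name, log prefixes and the `APPLY_RULES` switch are this example's own choices. The parser makes one point worth checking before touching the firewall: none of the reported scan targets is on port 22, so an outbound port-22 rule alone would not stop the traffic in the first report (it would catch the password guessing in the second log, if that sshd listens on 22); the general logging rule is what lets you attribute the scans to a process.

```shell
#!/bin/sh
# Added example, not code from the original question. Assumes Linux with
# iptables (root is needed to apply the rules) and POSIX awk/sed.

# Constructed sample in the AWS abuse-report format quoted in the question.
# "myip" and the "^" separators are the report's own redaction.
ABUSE_REPORT=$(cat <<'EOF'
(time in UTC)=2020-12-08T23:59:13 (attacker's IP)=myip (IP being scanned)=91^208^184^50 (TCP port being scanned)=523
(time in UTC)=2020-12-08T23:59:21 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=2025
(time in UTC)=2020-12-08T23:59:28 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=841
(time in UTC)=2020-12-08T23:59:42 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=10699
(time in UTC)=2020-12-08T23:59:54 (attacker's IP)=myip (IP being scanned)=78^128^99^30 (TCP port being scanned)=1298
(time in UTC)=2020-12-09T23:57:40 (attacker's IP)=myip (IP being scanned)=219^91^85^19 (TCP port being scanned)=313
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=219^91^62^21 (TCP port being scanned)=21735
(time in UTC)=2020-12-09T23:57:43 (attacker's IP)=myip (IP being scanned)=91^203^192^19 (TCP port being scanned)=984
(time in UTC)=2020-12-09T23:57:52 (attacker's IP)=myip (IP being scanned)=185^178^44^132 (TCP port being scanned)=18263
(time in UTC)=2020-12-09T23:57:53 (attacker's IP)=myip (IP being scanned)=140^238^172^100 (TCP port being scanned)=1389
EOF
)

# Read report lines on stdin; print "<target-ip> <port>" per line with the
# "^" separators turned back into dots.
report_targets() {
    sed -n 's/.*(IP being scanned)=\([0-9^]*\) (TCP port being scanned)=\([0-9]*\).*/\1 \2/p' |
        tr '^' '.'
}

# Number of reported connections that went to TCP port 22, i.e. what an
# outbound port-22 rule would actually have caught.
ssh_port_hits() {
    report_targets | awk '$2 == 22 { n++ } END { print n + 0 }'
}

# Number of distinct hosts that were scanned.
distinct_target_hosts() {
    report_targets | awk '{ h[$1] = 1 } END { n = 0; for (k in h) n++; print n }'
}

# iptables rules: reject new outbound TCP connections to port 22 (logging the
# UID of the process that opened them, rate-limited so a scanner cannot flood
# the log), and log every other new outbound TCP connection so the scanner can
# be attributed even when it targets other ports. Chain name and log prefixes
# are this example's own choice. Replies to inbound sessions have source port
# 22, not destination port 22, so an inbound admin ssh session is unaffected.
ssh_egress_rules() {
    cat <<'EOF'
iptables -N OUT_SSH_BLOCK
iptables -A OUT_SSH_BLOCK -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "OUT-SSH-BLOCK: " --log-uid
iptables -A OUT_SSH_BLOCK -j REJECT --reject-with tcp-reset
iptables -I OUTPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j OUT_SSH_BLOCK
iptables -I OUTPUT 2 -p tcp -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "OUT-NEW: " --log-uid
EOF
}

printf '%s\n' "$ABUSE_REPORT" | report_targets
echo "reported connections to port 22: $(printf '%s\n' "$ABUSE_REPORT" | ssh_port_hits)"
echo "distinct hosts scanned: $(printf '%s\n' "$ABUSE_REPORT" | distinct_target_hosts)"

# APPLY_RULES=1 (hypothetical switch) loads the rules. They do not survive a
# reboot; use iptables-save or your distribution's persistence mechanism.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    ssh_egress_rules | sh -e
fi
```

Once the rules are in, `dmesg` or the kernel log shows lines prefixed `OUT-NEW:` with `UID=` set, which tells you which account the scanner runs as; from there `ss -tnp` (or the process-listing example further down) names the process. Killing it is not enough: the machine was compromised, and the account and its persistence (cron, systemd units, modified binaries) have to be found or the instance rebuilt.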

Answer 1

It is not that easy. If your server has been compromised, you have to investigate.

First, block all incoming traffic except for your services (e.g. ports 80 and 443). Block ssh access from any source other than your own.

Second, I suggest installing and running software such as clamav, chkrootkit and rkhunter. These tools scan your machine and identify some well-known vulnerabilities.

Third, review all running processes, logs, etc.

Fourth, apply some hardening techniques to your machine.
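The "review all running processes" step above, made concrete as an added example (not code from the answer): a POSIX shell script that groups the host's own outbound TCP connections by owning process from `ss -Htnp` output, then inspects a PID through /proc. It assumes Linux with an iproute2 `ss` that supports `-H` (no header) and a /proc filesystem; the `ss` lines below are a constructed sample, and the service port list `"22 80 443"` is an assumption you replace with the ports this host actually serves.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes Linux, iproute2
# `ss` with -H support, and /proc. The sample below is constructed.

# Constructed `ss -Htnp` output: state, recv-q, send-q, local, peer, process.
SAMPLE_SS=$(cat <<'EOF'
ESTAB    0 0 10.0.0.5:44682 91.208.184.50:523   users:(("perl",pid=1234,fd=3))
SYN-SENT 0 1 10.0.0.5:41660 78.128.99.30:22     users:(("perl",pid=1234,fd=5))
ESTAB    0 0 10.0.0.5:443   203.0.113.9:51522   users:(("nginx",pid=812,fd=12))
ESTAB    0 0 10.0.0.5:22    198.51.100.7:60002  users:(("sshd",pid=2290,fd=4))
EOF
)

# Reads `ss -Htnp` lines on stdin. $1 lists the local ports of services this
# host serves (those sockets are inbound and are skipped); everything else is
# a connection the host itself opened. Prints "<pid> <name> <count> <peers>",
# busiest process first.
outbound_by_process() {
    awk -v svc="$1" '
    BEGIN { n = split(svc, a, " "); for (i = 1; i <= n; i++) service[a[i]] = 1 }
    NF >= 6 {
        lport = $4; sub(/.*:/, "", lport)
        if (lport in service) next
        if (match($6, /\("[^"]*",pid=[0-9]+/)) {
            s = substr($6, RSTART + 2, RLENGTH - 2)     # name",pid=NNN
            split(s, parts, "\",pid=")
            key = parts[2] " " parts[1]
            count[key]++
            peers[key] = (key in peers) ? peers[key] " " $5 : $5
        }
    }
    END { for (k in count) print k, count[k], peers[k] }' | sort -k3,3nr
}

# Executable paths that should raise an eyebrow: binary deleted after start
# (readlink appends " (deleted)") or running out of a scratch directory.
suspicious_exe_path() {
    case "$1" in
        *"(deleted)"|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Show what a PID really is; reading another user's /proc entries needs root.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid not found"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    echo "exe:  $exe"
    echo "cwd:  $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "cmd:  $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "uid:  $(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")"
    echo "ppid: $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    if suspicious_exe_path "$exe"; then echo "NOTE: suspicious executable path"; fi
}

# Run on the constructed sample. On a real host:
#   ss -Htnp | outbound_by_process "22 80 443"
#   inspect_pid <pid>
printf '%s\n' "$SAMPLE_SS" | outbound_by_process "22 80 443"
```

On the sample only one process has opened outbound connections: the perl process with PID 1234, talking to two of the hosts from the abuse report. A web server that never initiates ssh should show nothing here beyond package updates and whatever its application legitimately calls out to; anything else, and in particular a deleted or /tmp-resident executable, is what the clamav/chkrootkit/rkhunter run in the answer is meant to surface.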

Answer 2

Check your "Security Group"; if you have an inbound rule for port 22/SSH, remove it.

You never use ssh, so what service are you running?
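The security-group check above as an added example (not code from the answer), using the AWS CLI. The `sg-`/`acl-` IDs are placeholders, and `APPLY=1` is a hypothetical switch: without it every command is printed rather than run, so the script can be read and dry-run without credentials. It also adds the part a security group cannot do: security group rules only allow, so blocking outbound port 22 at the VPC edge takes a network ACL deny entry, and because ACL entries are evaluated in ascending rule-number order the deny must sort before the ACL's allow-all rule (number 100 in a default NACL).

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the AWS CLI with
# credentials for the account. IDs are placeholders; APPLY=1 is a hypothetical
# switch, without it the commands are printed instead of executed.

aws_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then
        aws "$@"
    else
        printf 'aws'; printf ' %s' "$@"; printf '\n'
    fi
}

# The check from the answer: which rules in the group open TCP 22 inbound.
list_ssh_ingress() {
    aws_cmd ec2 describe-security-groups --group-ids "$1" \
        --query 'SecurityGroups[].IpPermissions[?FromPort==`22`]' --output json
}

# Revoke an inbound 22 rule. The CIDR must match the existing rule exactly;
# a rule scoped to another source needs that source passed as $2.
revoke_ssh_ingress() {
    aws_cmd ec2 revoke-security-group-ingress --group-id "$1" \
        --protocol tcp --port 22 --cidr "${2:-0.0.0.0/0}"
}

# Security groups cannot deny. An egress deny for TCP 22 goes in the subnet's
# network ACL; entries are evaluated ascending, so rule 50 is hit before the
# default NACL's allow-all rule 100.
deny_ssh_egress_nacl() {
    aws_cmd ec2 create-network-acl-entry --network-acl-id "$1" --egress \
        --rule-number "${2:-50}" --protocol tcp --port-range From=22,To=22 \
        --cidr-block 0.0.0.0/0 --rule-action deny
}

SG_ID=sg-0123456789abcdef0    # placeholder
ACL_ID=acl-0123456789abcdef0  # placeholder
list_ssh_ingress "$SG_ID"
revoke_ssh_ingress "$SG_ID"
deny_ssh_egress_nacl "$ACL_ID"
```

Keep in mind what each control addresses: removing the inbound rule closes the door the attacker most likely came in through, and the NACL entry stops outbound ssh from the whole subnet, but neither removes whatever is already running on the instance, and the port scans in the abuse report were not on port 22 at all.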
