1

I have recently installed OSSEC on a RHEL 8 server being hosted on AWS EC2. Since then I have been receiving brute force attempts and other attempts on ports that are not open in my security group.

How are users able to get to my server at all when these ports are not open in the security group for the EC2 instance, and how do I stop them from reaching the server at all?

Example report:

OSSEC HIDS Notification. 2020 Oct 18 20:45:33

Received From: shared->/var/log/secure Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system." Src IP: 46.101.209.127 Portion of the log(s):

Oct 18 20:45:32 shared sshd[3097608]: Disconnected from invalid user pi 46.101.209.127 port 49568 [preauth] Oct 18 20:45:32 shared sshd[3097608]: Invalid user pi from 46.101.209.127 port 49568 Oct 18 20:45:12 shared sshd[3097603]: Disconnected from invalid user admin 46.101.209.127 port 58720 [preauth] Oct 18 20:45:12 shared sshd[3097603]: Invalid user admin from 46.101.209.127 port 58720 Oct 18 20:44:51 shared sshd[3097591]: Disconnected from invalid user admin 46.101.209.127 port 39802 [preauth] Oct 18 20:44:50 shared sshd[3097591]: Invalid user admin from 46.101.209.127 port 39802 Oct 18 20:44:30 shared sshd[3097582]: Disconnected from invalid user admin 46.101.209.127 port 49134 [preauth] Oct 18 20:44:30 shared sshd[3097582]: Invalid user admin from 46.101.209.127 port 49134

--END OF NOTIFICATION

Security Group Inbound Rules

EC2 with Security Group

James
  • 113
  • 1
  • 8

1 Answers1

4

Either:

  1. The Security Group is misconfigured and actually allows this traffic, or
  2. The Security Group attached to your instance is not the one you think it should be.

Fix one or the other and the problem will go away.

If you need more help with that update your question with a screenshot of the inbound rules of your SG and with a screenshot of your instance config showing the SG name.

Update

  1. The ports you’re seeing in the log are the remote ports from which the attacker connects to you port 22.

  2. Your security groups are way too open. Open only ports 80 and 443 to the world, all other ports must be restricted to you home or office IPs or you’ll be back very soon with a question how to recover hacked instance.

    Or, better, set up a small VPN instance and only access your private ports (mysql, ssh, ftp, ...) over vpn. However that’s a little more work.

Hope that helps :)

MLu
  • 24,849
  • 5
  • 59
  • 86
  • Thanks for the reply. Unfortunately this is not the case as that would definitely have been an easy fix. I've updated my question with my security group and rules. – James Oct 20 '20 at 13:53
  • @James I believe assumption 1 from this answer applies: The screenshot you have posted display a SG which allows ssh. – Henrik Pingel Oct 20 '20 at 14:04
  • @HenrikPingel Yes, I allow SSH but the errors I am getting say that it is on ports that are blocked such as `49568`. Or am I just reading the error message incorrectly? – James Oct 20 '20 at 17:24
  • 1
    @James the ports mentioned in the logs are the *remote* ports *from* which the attacker connect to your port 22. Don’t leave SSH/22 open to the world, restrict it to your home/work IP and the problem will go away. – MLu Oct 20 '20 at 18:25
  • @MLu Okay I see now. I thought it meant that was my port that they were connecting to. Thanks for the clarification. – James Oct 20 '20 at 18:27
  • @James updated with some more info. – MLu Oct 20 '20 at 18:50