
I lost access to my instance which I host on AWS. Key pairing stopped working. I detached a volume and attached it to a new instance, and what I found in the logs was a long list of

Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 210.193.52.113
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov  6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 210.193.52.113: 11: Bye Bye [preauth]

where "cyrus" is replaced by hundreds if not thousands of common names and items. What could this be? A brute force attack or something else malicious? I traced the IP to Singapore, and I have no connection to Singapore.

My thought is that this was a DoS attack since I lost access and the server seemed to stop working. I'm not too versed in this, but ideas and solutions for this issue are welcome.

rodling
    Yes, it's malicious. Change the port for sshd to something other than 22. Install fail2ban (be sure to configure the jail so it's watching your new sshd port). Set up iptables rules to block traffic on everything except necessary ports, and completely block the IP you noticed in the logs. Take a close look and verify the box didn't get owned, hopefully you use complex/long passwords and non-default usernames? – jlehtinen Nov 08 '13 at 21:24
  • http://serverfault.com/questions/244614/is-it-normal-to-get-hundreds-of-break-in-attempts-per-day This is just a part of being on the internet. – user9517 Nov 08 '13 at 22:05
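The log excerpt above is what a password-guessing scan against sshd looks like, and the detection rule fail2ban applies to it is simple: many "Invalid user" attempts from one source within a short window. The following added example (my own code, not from the question or the comments) parses sshd lines in exactly the format shown and flags a source IP that exceeds a fail2ban-style maxretry/findtime threshold; the sample lines and IP addresses are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Invalid user <name> from <ip>" lines from the question's log excerpt.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample lines modelled on the question's format; the IPs are documentation ranges.
SAMPLE_LOG = """\
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 203.0.113.7
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov  6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Nov  6 20:15:34 domU-12-31-39-01-7E-8A sshd[4927]: Invalid user oracle from 203.0.113.7
Nov  6 20:15:36 domU-12-31-39-01-7E-8A sshd[4929]: Invalid user postgres from 203.0.113.7
Nov  6 20:15:38 domU-12-31-39-01-7E-8A sshd[4931]: Invalid user admin from 203.0.113.7
Nov  6 20:15:40 domU-12-31-39-01-7E-8A sshd[4933]: Invalid user test from 203.0.113.7
Nov  6 20:16:02 domU-12-31-39-01-7E-8A sshd[4940]: Invalid user bob from 198.51.100.4
Nov  6 20:20:00 domU-12-31-39-01-7E-8A sshd[4950]: Invalid user guest from 203.0.113.7
"""

def parse_invalid_users(log_text, year=2013):
    """Yield (timestamp, user, ip) for each 'Invalid user' line; other lines are skipped.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforcers(log_text, maxretry=5, findtime=600):
    """fail2ban-style rule: flag an IP with >= maxretry invalid-user attempts inside
    any sliding window of findtime seconds. Returns {ip: (total_hits, distinct_users)}."""
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, user, ip in parse_invalid_users(log_text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most findtime seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = (len(hits), len({u for _, u in hits}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, distinct) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} invalid-user attempts, {distinct} distinct usernames -> block")
```

Many distinct usernames from one source is the signature of a dictionary scan rather than a forgotten password; a single source with one username retried a few times would not trip the rule.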

1 Answer


Since you are on AWS, the easy way to prevent the internet from hitting sshd on your box is to deny tcp/22 in your instance secgroup, and add to the secgroup the few /32's that actually need to connect.

ec2-revoke [secgroup] -P tcp -p 22 -s 0.0.0.0/0
ec2-authorize [secgroup] -P tcp -p 22 -s [your-ip-addr]/32

(You can also do this through the AWS GUI, but it's a pain.)

As a second layer of security, you can do the same with iptables on the host, as mentioned in the thread.

By doing either or both of these, tcp/22 won't be open to the internet, and your logs won't flood.

nandoP