AWS Linux: illegal intrusion attempts against remote hosts on the Internet. How to prevent it



I launched a Linux instance and did the following.

  1. Only ports 22, 80 and 8080 were opened, with "anywhere" as the inbound rule
  2. Only git, ruby, ruby-dev, apache and youtrack were installed, either from their original sources or with the "yum install" command
  3. SSH password authentication was allowed for connections
  4. I created a few users

However, we received the following email.

Dear Amazon EC2 Customer,
We've received a report that your instance(s):
Instance Id: i-******
IP Address: 52.33.***.***

has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.
Host Intrusion is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/
Please immediately restrict the flow of traffic from your instances(s) to cease disruption to other networks and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.
It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233
provides some suggestions for securing your instances.
Case number: ************-1
Additional abuse report information provided by original abuse reporter:
* Destination IPs: 
* Destination Ports: 
* Destination URLs: 
* Abuse Time: Fri Nov 13 13:28:00 UTC 2015
* Log Extract: 
<<<
2015-11-13 05:28:10.279 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 3 
2015-11-13 05:28:17.495 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 1 
2015-11-13 05:28:20.018 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 3 
2015-11-13 05:28:27.378 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 1 
2015-11-13 05:28:29.998 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:30.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:32.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:36.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:40.246 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 2 
2015-11-13 05:28:43.471 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:47.517 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:50.070 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 3 
2015-11-13 05:28:57.589 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 1 
2015-11-13 05:28:59.967 52.33.***.*** 58537 ***.***.193.5 22 .A.RS. 6 3 
2015-11-13 05:28:59.921 52.33.***.*** 58647 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:01.999 52.33.***.*** 58647 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:01.968 52.33.***.*** 59568 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:03.970 52.33.***.*** 59568 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:04.007 52.33.***.*** 60527 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:05.999 52.33.***.*** 60527 ***.***.193.5 22 ...R.. 6 1 
  1. Restricting the ports to specific IP addresses is not an option for us.

  2. How can I check the traffic logs on SSH port 22?

What do you suggest? What should I do?

Since it is a new host and there is no malware on my computer, I don't believe it has been compromised?

How could someone have broken into my server? Could this be an abuse report sent by mistake?

Thank you,
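The log extract in the abuse report is a flow record per line (date, time, source IP, source port, destination IP, destination port, TCP flags, protocol, packets). As an added example that is not part of the question or the answer, the following Python parses lines in that layout and flags any source that sends SYNs to many distinct hosts on port 22 within a short window, which is the pattern a defender would look for when triaging such a report; the sample lines and addresses (RFC 5737 documentation ranges) are constructed, not the report's real values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same column layout as the abuse report's flow extract:
# date time src_ip src_port dst_ip dst_port tcp_flags proto packets
# Addresses are documentation-range placeholders, not the report's real ones.
SAMPLE_FLOWS = """\
2015-11-13 05:28:10.279 203.0.113.10 40806 198.51.100.0 22 ....S. 6 3
2015-11-13 05:28:17.495 203.0.113.10 40806 198.51.100.0 22 ....S. 6 1
2015-11-13 05:28:20.018 203.0.113.10 49968 198.51.100.1 22 ....S. 6 3
2015-11-13 05:28:29.998 203.0.113.10 36185 198.51.100.2 22 ....S. 6 1
2015-11-13 05:28:40.246 203.0.113.10 59503 198.51.100.3 22 ....S. 6 2
2015-11-13 05:28:50.070 203.0.113.10 48731 198.51.100.4 22 ....S. 6 3
2015-11-13 05:28:59.921 203.0.113.10 58647 198.51.100.5 22 .APRS. 6 12
2015-11-13 05:30:00.000 203.0.113.10 51000 198.51.100.9 443 .AP.S. 6 40
2015-11-13 05:30:05.000 203.0.113.11 51001 198.51.100.9 22 .AP.S. 6 80
"""

FLOW_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (\S+) (\d+) (\S+) (\d+) (\d+)$")

def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, _sport, dst, dport, flags, _proto, pkts = m.groups()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
            "src": src, "dst": dst, "dport": int(dport),
            "flags": flags, "packets": int(pkts),
        })
    return flows

def find_ssh_scanners(flows, min_targets=5, window_seconds=120):
    """Return {src: sorted targets} for sources whose SYNs reached at least
    min_targets distinct hosts on port 22 within window_seconds (a horizontal sweep)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 22 and "S" in f["flags"]:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                scanners[src] = sorted(targets)
                break
    return scanners
```

On the sample, only the first source is reported, with six consecutive /24 neighbours touched in under a minute; a single established SSH session from the second source is not flagged.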

Your instance has probably been compromised. Because the instance was opened up for password authentication, or an application with a security issue was installed, an attacker could install malware on your instance.

A new instance really can be compromised very quickly. People are constantly scanning IP addresses looking for vulnerabilities.

To secure SSH, you should use key authentication only and, if possible, whitelist access to certain IP addresses.
