
Guardduty alerts for recon - false positive?


I received an alert last week from Guardduty saying that "An EC2 instance has an unprotected port which is being probed by a known malicious host." We have double and triple checked security groups, by myself and 2 other AWS admins. We have tried to access the supposed exposed port directly and tried port scans on the public IP from multiple hosts; all report the port is closed and AWS security group controls are working perfectly. How can I determine WHY Guardduty alerted on this port probe, because ALL indicators are that my EC2 instance is locked tight? I find ZERO evidence this port is exposed.

3 answers

Accepted answer

Talked to one of the developers; they were doing some testing, and the security groups I saw when reviewing the alert were different than the security groups at the time the alert occurred.

answered a year ago

Hello,

Refer to this documentation on how to remediate the finding Recon:EC2/PortProbeUnprotectedPort: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport_description

https://repost.aws/knowledge-center/resolve-guardduty-unprotectedport-alerts

You can ignore the finding if you're sure that the EC2 instance is secure.

EXPERT
answered a year ago

I'm reasonably sure that GuardDuty is correct in reporting the finding. It simply inspects your VPC flow logs and looks for repeated connections to ports other than ordinarily needed ones (like tcp/443) and reports if it observes matching traffic passing through. There must be a security group that's permitting the traffic flow the GuardDuty finding is showing.

Does your EC2 instance perhaps have multiple network interfaces? Security groups are attached separately to each ENI, despite a single set of them appearing in the instance properties, so one interface could have a security group attached that permits traffic while another interface wouldn't.

Or, could traffic be entering through a Network Load Balancer (NLB), and instead of the attacker's public IP address being permitted in the security group rules of your EC2 instance, the NLB's security group would allow it, and the security group of the EC2 instance would allow traffic from the NLB's security group?

EXPERT
answered a year ago
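As an added example, not code from this thread or from any AWS tool: the per-ENI review the answer above describes, run offline over a constructed sample shaped like the EC2 DescribeNetworkInterfaces and DescribeSecurityGroups responses (the field names are the real API names; the interface IDs, group IDs, CIDRs and ports are made up). It lists every interface/security-group pair whose inbound rules would admit the probed port from the probing address, and separately flags rules that reference another security group, which is how the NLB case above would show up in the instance's own rules.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: two ENIs on one instance, each with its own security
# group, as DescribeNetworkInterfaces reports them (values are made up).
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-web"}]},
    {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-test"}]},
]
INBOUND_RULES = {  # GroupId -> IpPermissions (DescribeSecurityGroups shape)
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-nlb"}]},  # e.g. an NLB's group
    ],
    "sg-test": [  # a developer's temporary "allow everything" rule
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def rule_matches(rule, port, protocol):
    """Does this inbound rule cover protocol/port? ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def exposure_paths(interfaces, rules, port, protocol, source_ip):
    """Return (eni, sg, source) triples that would admit the probe.

    `source` is the matching CIDR for a direct allow, or "sg:<id>" when the
    rule trusts another security group instead of an address, so the probe
    could arrive via whatever sits in that group (a load balancer, say).
    """
    src = ip_address(source_ip)
    paths = []
    for eni in interfaces:
        for grp in eni["Groups"]:
            for rule in rules.get(grp["GroupId"], []):
                if not rule_matches(rule, port, protocol):
                    continue
                for r in rule.get("IpRanges", []):
                    if src in ip_network(r["CidrIp"]):
                        paths.append((eni["NetworkInterfaceId"], grp["GroupId"], r["CidrIp"]))
                for pair in rule.get("UserIdGroupPairs", []):
                    paths.append((eni["NetworkInterfaceId"], grp["GroupId"], "sg:" + pair["GroupId"]))
    return paths
```

Against this sample, a probe of tcp/3389 from 198.51.100.7 is admitted only through the second interface's test group, which is exactly the path an instance-level look at "the" security group would miss.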
