En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation

Why is Lightsail Firewall setting on IPV4/IPV6 allowing SSH attempts on unexposed ports ?

0

Only Few Ports Allowed

I've got the lightsail firewall configured to only allow a few ports, IPV4 and IPV6 are both configured the same... When I check the auth.log I see a large amount of SSH login attempts

ubuntu command: grep "preauth" /var/log/auth.log

Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Invalid user hanif from 188.166.225.37 port 39174 Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Received disconnect from 188.166.225.37 port 39174:11: Bye Bye [preauth] Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Disconnected from invalid user hanif 188.166.225.37 port 39174 [preauth] Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Invalid user mona from 188.166.225.37 port 41464 Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Received disconnect from 188.166.225.37 port 41464:11: Bye Bye [preauth]

From: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail Firewall rules affect only traffic that flows in through the public IP address of an instance. It does not affect traffic that flows in through the private IP address of an instance, which can originate from Lightsail resources in your account, in the same AWS Region, or resources in a peered virtual private cloud (VPC), in the same AWS Region.

But this IP 188.166.225.37 belongs to Digital Ocean out of Singapore.

I'm confused as to how these attempts are even hitting the instance.... Anyone have any thoughts on this ?

1 réponse
0

Hi

I would suggest to restrict the ports to the specific IP adress instead you open to world 0.0.0.0/0, So check the info from the link you have posted. I assume someone is trying to ssh into your server with random ports

Specifying source IP addresses

By default, firewall rules allow all IP addresses to connect to your instance through the specified protocol and port. This is ideal for traffic such as web browsers over HTTP and HTTPS. However, this poses a security risk for traffic such as SSH and RDP, since you would not want to allow all IP addresses to be able to connect to your instance using those applications. For that reason, you can choose to restrict a firewall rule to an IPv4 or IPv6 address or range of IP addresses.

For the IPv4 firewall - You can specify a single IPv4 address (for example, 203.0.113.1), or a range of IPv4 addresses. In the Lightsail console, the range can be specified using a dash (for example, 192.0.2.0-192.0.2.255) or in CIDR block notation (for example, 192.0.2.0/24). For more information about CIDR block notation, see Classless Inter-Domain Routing on Wikipedia.

For the IPv6 firewall - You can specify a single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334), or a range of IPv6 addresses. In the Lightsail console, the IPv6 range can be specified using only CIDR block notation (for example, 2001:db8::/32). For more information about IPv6 CIDR block notation, see IPv6 CIDR blocks on Wikipedia.

profile picture
EXPERT
répondu il y a 2 ans
  • Agreed to some minor extent, however the problem is that ports which are not listed are being allowed to connect to the instance..

  • Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Invalid user hanif from 188.166.225.37 port 39174 Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Received disconnect from 188.166.225.37 port 39174 so here we see port 39174 tried to connect... That port range is not from what I can see exposed as I have 21, 22, 80, and 28960-28965 listed. So what I am trying to determine is why is 39174 being allowed to connect to the machine ? And what steps would I take to prevent that from being allowed ?

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions