My Amazon Elastic Compute Cloud (Amazon EC2) Linux instances are under an SSH brute force attack. I want to use Amazon GuardDuty to detect these attacks.
Short description
Attacks can occur because a security group inbound rule with Type SSH allows connections from all sources (0.0.0.0/0, or ::/0 for IPv6) over Port Range 22. If you allow 0.0.0.0/0 over Port Range 22, then the instance's SSH service is reachable from every host on the internet, and you introduce a security risk.
Typically these attacks come from bots that scan for EC2 instances with an exposed SSH service and then try common usernames and passwords against them. To mitigate the risk of intrusion, restrict SSH access. It's a best practice to configure security groups to allow SSH access only from specific sources that you own, such as a bastion host.
Resolution
To troubleshoot an EC2 instance under an SSH brute force attack, complete the following steps:
- Open the Amazon EC2 console.
- Open the GuardDuty console in a new tab.
- From the Amazon EC2 console, choose Security Groups, select your security group, and then choose the Inbound tab.
- In the navigation pane, choose Instances, and then open the instances pane in a new tab.
- Select your instance, and then copy the Instance ID.
- From the GuardDuty console, choose Add filter criteria, and then choose Instance ID.
- Paste the Instance ID into the search box, and then choose Apply.
- In Finding Type, choose the most recent findings as noted in the Last seen column. If GuardDuty detects a brute force attack on port 22, then UnauthorizedAccess:EC2/SSHBruteForce is generated for this instance.
- Scroll to the Actor section, and then copy the source IP address of the attack.
- Open a terminal on the EC2 Linux instance, and then open the /var/log/secure file.
Note: /var/log/secure is a file, not a directory. It records SSH authentication attempts on Red Hat-based distributions such as Amazon Linux 2. Debian-based distributions such as Ubuntu write the same events to /var/log/auth.log, and Amazon Linux 2023 sends them to the systemd journal (journalctl -u sshd) unless rsyslog is installed.
- Search the file for the source IP address that you copied from the Actor section (step 9), for example with grep, and confirm that it appears in Failed password lines.
Note: Amazon Linux Amazon Machine Image (AMI) SSH logs contain all the authentication attempts to connect to the instance.
- To check whether the security group is unrestricted, open the AWS Config console and choose Rules. Then, choose Add rule, and enter restricted in the search box.
- Choose restricted-ssh, and then choose Save.
Note: The restricted-ssh rule checks whether security groups disallow unrestricted incoming SSH traffic. A security group is marked noncompliant if an inbound rule allows TCP port 22 from 0.0.0.0/0 or ::/0.
- In the Rules list, wait for the Compliance column of the restricted-ssh rule to change from Evaluating to Noncompliant resource(s). You can also choose the refresh icon.
- To view the noncompliant security groups, choose restricted-ssh.
- In Manage resource, choose a noncompliant security group, and then choose the Inbound tab.
If the security group is noncompliant because the group allows SSH connections from all sources, then configure your security group to restrict SSH traffic: edit the inbound SSH rule so that Source is the CIDR of your bastion host or office network instead of 0.0.0.0/0 or ::/0.
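The log review and the security group check above can be scripted. The following Python script is an added example, not part of the original article or of any AWS tool. It counts Failed password events per source address in a constructed sample of /var/log/secure lines (addresses from the RFC 5737 documentation ranges, not real attackers), reports whether the Actor IP from the GuardDuty finding appears often enough to corroborate the finding, and inspects a constructed security group in the shape of aws ec2 describe-security-groups output for rules that expose TCP port 22 to 0.0.0.0/0 or ::/0, the same condition the restricted-ssh rule evaluates. The failure threshold of three and the group ID sg-0123456789abcdef0 are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines in Amazon Linux 2 format.
# Source addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_SECURE_LOG = """\
Mar  3 10:15:01 ip-172-31-20-5 sshd[2141]: Invalid user admin from 198.51.100.23 port 51234
Mar  3 10:15:01 ip-172-31-20-5 sshd[2141]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 10:15:03 ip-172-31-20-5 sshd[2142]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar  3 10:15:04 ip-172-31-20-5 sshd[2143]: Failed password for root from 198.51.100.23 port 51238 ssh2
Mar  3 10:15:05 ip-172-31-20-5 sshd[2145]: Failed password for invalid user test from 203.0.113.9 port 40011 ssh2
Mar  3 10:16:10 ip-172-31-20-5 sshd[2150]: Accepted publickey for ec2-user from 192.0.2.44 port 55000 ssh2: RSA SHA256:0123abcd
"""

# Matches sshd's "Failed password" line; "invalid user" is present only when the
# username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def failed_logins_by_source(log_text):
    """Count Failed password events per source IP and collect the usernames tried.

    Returns {ip: {"failures": int, "users": [sorted usernames]}}.
    Successful logins and other sshd lines are ignored.
    """
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])} for ip, n in failures.items()}


def corroborate_finding(log_text, actor_ip, threshold=3):
    """True if the GuardDuty Actor IP shows at least `threshold` failed logins.

    The threshold is a placeholder; tune it to your own baseline.
    """
    stats = failed_logins_by_source(log_text).get(actor_ip)
    return stats is not None and stats["failures"] >= threshold


def unrestricted_ssh_sources(security_group):
    """Return (protocol, cidr) pairs of inbound rules that expose TCP/22 to the world.

    `security_group` has the shape of one entry in the SecurityGroups list returned
    by `aws ec2 describe-security-groups`. Port 22 is exposed either by a tcp rule
    whose port range includes 22 or by an all-traffic rule (IpProtocol "-1", which
    carries no FromPort/ToPort), combined with a 0.0.0.0/0 or ::/0 source.
    """
    exposed = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers_22 = True
        elif proto == "tcp":
            covers_22 = perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
        else:
            covers_22 = False
        if not covers_22:
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == "0.0.0.0/0":
                exposed.append((proto, "0.0.0.0/0"))
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == "::/0":
                exposed.append((proto, "::/0"))
    return exposed


# Constructed security groups (placeholder ID). OPEN_SG is the noncompliant
# "before": SSH from anywhere. RESTRICTED_SG is the remediated "after": SSH only
# from a bastion host /32. The HTTPS rule is left open in both and must not be flagged.
OPEN_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

RESTRICTED_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.10/32", "Description": "bastion host"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for ip, stats in failed_logins_by_source(SAMPLE_SECURE_LOG).items():
        print(f"{ip}: {stats['failures']} failures, users tried {stats['users']}")
    print("finding corroborated:", corroborate_finding(SAMPLE_SECURE_LOG, "198.51.100.23"))
    print("open SG exposes SSH via:", unrestricted_ssh_sources(OPEN_SG))
    print("restricted SG exposes SSH via:", unrestricted_ssh_sources(RESTRICTED_SG))
```

On a real instance, feed the script the contents of /var/log/secure (or /var/log/auth.log) and the Actor IP from the finding, and pass each entry of the SecurityGroups array from describe-security-groups to unrestricted_ssh_sources. Note that the function only looks at CIDR sources; rules that reference a prefix list or another security group are not world-open and are deliberately left alone.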
For more information, see Remediating a potentially compromised Amazon EC2 instance.
Note: Use Amazon CloudWatch to review the Linux logs. For more information, see Quick start: install and configure the CloudWatch Logs agent on a running EC2 Linux instance.
Related information
Amazon GuardDuty - continuous security monitoring & threat detection
How to manage Amazon GuardDuty security findings across multiple accounts