If you're experiencing issues with your AWS services, then please refer to the AWS Health Dashboard. You can find the overall status of ongoing outages, the health of AWS services, and the latest updates from AWS engineers.
Why did I receive the GuardDuty finding type alert "Recon:EC2/PortProbeUnprotectedPort" for my Amazon EC2 instance?
I want to troubleshoot the "Recon:EC2/PortProbeUnprotectedPort" finding type that Amazon GuardDuty detected for my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Resolution
You receive the Recon:EC2/PortProbeUnprotectedPort GuardDuty finding type because an EC2 instance has an unprotected port that a malicious host is probing.
Use the GuardDuty console to get the port number for the finding.
Then, use the following best practices to protect the port or remove inbound rules:
- If the port is 22 for Linux or port 3389 for Windows, then configure your security group rules to restrict access.
- If the port is 80 or 443 and you must keep these ports open, then put the EC2 instance behind a load balancer.
- If an application isn't running on the port and the port can remain closed, then delete the inbound rule for the instance security group.
If you don't need to protect the port, then ignore the Recon:EC2/PortProbeUnprotectedPort finding type.
Related information
Creating custom responses to GuardDuty findings with Amazon CloudWatch Events
- Tags
- Amazon GuardDuty
- Language
- English
Relevant content
- asked 3 years ago
- asked 2 years ago
- asked 3 months ago
