Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
Why did I receive the GuardDuty finding type alert "Recon:EC2/PortProbeUnprotectedPort" for my Amazon EC2 instance?
I want to troubleshoot the "Recon:EC2/PortProbeUnprotectedPort" finding type that Amazon GuardDuty detected for my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Resolution
You receive the Recon:EC2/PortProbeUnprotectedPort GuardDuty finding type because an EC2 instance has an unprotected port that a malicious host is probing.
Use the GuardDuty console to get the port number for the finding.
Then, use the following best practices to protect the port or remove inbound rules:
- If the port is 22 for Linux or port 3389 for Windows, then configure your security group rules to restrict access.
- If the port is 80 or 443 and you must keep these ports open, then put the EC2 instance behind a load balancer.
- If an application isn't running on the port and the port can remain closed, then delete the inbound rule for the instance security group.
If you don't need to protect the port, then ignore the Recon:EC2/PortProbeUnprotectedPort finding type.
Related information
Creating custom responses to GuardDuty findings with Amazon CloudWatch Events
Relevant content
- asked 2 years ago
- asked 10 months ago
- asked 4 years ago
