
Why is the Lightsail firewall setting on IPv4/IPv6 allowing SSH attempts on unexposed ports?

0

Only Few Ports Allowed

I've got the Lightsail firewall configured to only allow a few ports; IPv4 and IPv6 are both configured the same. When I check the auth.log I see a large number of SSH login attempts.

ubuntu command: grep "preauth" /var/log/auth.log

Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Invalid user hanif from 188.166.225.37 port 39174
Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Received disconnect from 188.166.225.37 port 39174:11: Bye Bye [preauth]
Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Disconnected from invalid user hanif 188.166.225.37 port 39174 [preauth]
Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Invalid user mona from 188.166.225.37 port 41464
Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Received disconnect from 188.166.225.37 port 41464:11: Bye Bye [preauth]

From: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail

"Firewall rules affect only traffic that flows in through the public IP address of an instance. It does not affect traffic that flows in through the private IP address of an instance, which can originate from Lightsail resources in your account, in the same AWS Region, or resources in a peered virtual private cloud (VPC), in the same AWS Region."

But this IP 188.166.225.37 belongs to Digital Ocean out of Singapore.

I'm confused as to how these attempts are even hitting the instance. Anyone have any thoughts on this?

1 answer
0

Hi

I would suggest restricting the ports to a specific IP address instead of opening them to the world (0.0.0.0/0). Check the info from the link you posted. I assume someone is trying to SSH into your server with random ports.

Specifying source IP addresses

By default, firewall rules allow all IP addresses to connect to your instance through the specified protocol and port. This is ideal for traffic such as web browsers over HTTP and HTTPS. However, this poses a security risk for traffic such as SSH and RDP, since you would not want to allow all IP addresses to be able to connect to your instance using those applications. For that reason, you can choose to restrict a firewall rule to an IPv4 or IPv6 address or range of IP addresses.

For the IPv4 firewall - You can specify a single IPv4 address (for example, 203.0.113.1), or a range of IPv4 addresses. In the Lightsail console, the range can be specified using a dash (for example, 192.0.2.0-192.0.2.255) or in CIDR block notation (for example, 192.0.2.0/24). For more information about CIDR block notation, see Classless Inter-Domain Routing on Wikipedia.

For the IPv6 firewall - You can specify a single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334), or a range of IPv6 addresses. In the Lightsail console, the IPv6 range can be specified using only CIDR block notation (for example, 2001:db8::/32). For more information about IPv6 CIDR block notation, see IPv6 CIDR blocks on Wikipedia.

Expert
answered 2 years ago
  • Agreed to some minor extent; however, the problem is that ports which are not listed are being allowed to connect to the instance.

  • Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Invalid user hanif from 188.166.225.37 port 39174
    Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Received disconnect from 188.166.225.37 port 39174
    So here we see port 39174 tried to connect. That port range is not, from what I can see, exposed, as I have 21, 22, 80, and 28960-28965 listed. So what I am trying to determine is why 39174 is being allowed to connect to the machine, and what steps I would take to prevent that from being allowed.
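The security-relevant point the thread circles around is which port the sshd log line is reporting. In OpenSSH's "Invalid user X from A.B.C.D port N" messages, "port N" is the client's source port on the remote host, not the port the connection arrived on. Every one of these connections arrived on the instance's listening port, normally 22, which is in the allowed list; the Lightsail firewall matches on that destination port, so the log is consistent with the rules. The fix is the one the answer describes: restrict the port-22 rule to a known source address or range. The script below is an added example, not code from the question, the answer or AWS. It parses auth.log lines of the format quoted above (the sample is constructed, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for other clients), groups the failed attempts by source address, and checks that the logged "port" values sit in Linux's default ephemeral range (net.ipv4.ip_local_port_range, 32768-60999, assumed for the clients), which is what a client-chosen source port looks like.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log lines quoted in the question
# (not captured traffic). 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; the first address is the one the asker reported.
SAMPLE_AUTH_LOG = """\
Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Invalid user hanif from 188.166.225.37 port 39174
Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Received disconnect from 188.166.225.37 port 39174:11: Bye Bye [preauth]
Mar 6 12:41:40 ip-172-xx-x-xx sshd[8716]: Disconnected from invalid user hanif 188.166.225.37 port 39174 [preauth]
Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Invalid user mona from 188.166.225.37 port 41464
Mar 6 12:43:15 ip-172-xx-x-xx sshd[8724]: Received disconnect from 188.166.225.37 port 41464:11: Bye Bye [preauth]
Mar 6 12:45:02 ip-172-xx-x-xx sshd[8731]: Invalid user admin from 203.0.113.9 port 51122
Mar 6 12:45:02 ip-172-xx-x-xx sshd[8731]: Received disconnect from 203.0.113.9 port 51122:11: Bye Bye [preauth]
Mar 6 12:46:10 ip-172-xx-x-xx sshd[8740]: Accepted publickey for ubuntu from 198.51.100.7 port 51200 ssh2
"""

# In OpenSSH's log lines, "from <ip> port <n>" is the peer address and the
# peer's *source* port. The local (destination) port is the one sshd listens
# on, normally 22, and is not printed in these messages.
INVALID_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Linux's default net.ipv4.ip_local_port_range (assumed for the clients here);
# a "from ... port" value in this range is a client-chosen source port.
EPHEMERAL_RANGE = (32768, 60999)


def is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def parse_events(text):
    """Return one dict per connection-level sshd event (invalid user / accepted)."""
    events = []
    for line in text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            events.append({"kind": "invalid_user", "user": m["user"],
                           "ip": m["ip"], "src_port": int(m["port"])})
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append({"kind": "accepted", "user": m["user"], "method": m["method"],
                           "ip": m["ip"], "src_port": int(m["port"])})
        # "Received disconnect" / "Disconnected from invalid user" lines repeat
        # the same peer and source port, so they are skipped.
    return events


def summarize(events):
    """Per source IP: failed attempts, usernames tried, source ports seen, successes."""
    summary = defaultdict(
        lambda: {"attempts": 0, "users": set(), "src_ports": set(), "accepted": 0}
    )
    for ev in events:
        s = summary[ev["ip"]]
        s["src_ports"].add(ev["src_port"])
        if ev["kind"] == "invalid_user":
            s["attempts"] += 1
            s["users"].add(ev["user"])
        else:
            s["accepted"] += 1
    return dict(summary)


def brute_force_candidates(summary, min_attempts=2):
    """Source IPs that tried at least `min_attempts` non-existent usernames."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] >= min_attempts)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_AUTH_LOG))
    for ip, s in summary.items():
        ports = sorted(s["src_ports"])
        print(f"{ip}: {s['attempts']} invalid-user attempts, users={sorted(s['users'])}, "
              f"source ports={ports}, all ephemeral={all(is_ephemeral(p) for p in ports)}")
    print("brute-force candidates:", brute_force_candidates(summary))
```

Running it against the real file (`sudo python3 script.py < /dev/null` with `SAMPLE_AUTH_LOG` swapped for `open("/var/log/auth.log").read()`) gives a per-source tally you can act on. The source ports will differ on every connection because the client picks them; the destination was 22 each time. To close the exposure, change the port-22 rule's source from 0.0.0.0/0 to your own address or range, either in the Lightsail console as the quoted documentation describes or with `aws lightsail put-instance-public-ports`, keeping in mind that that call replaces the instance's entire rule set, so every rule you want to keep (21, 80, 28960-28965 here) must be restated in the same request. Moving to key-only authentication and rate-limiting failed logins (fail2ban or equivalent) are the usual complements.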
