Guardduty alerts for recon - false positive?

0

I received an alert last week from Guardduty saying that "An EC2 instance has an unprotected port which is being probed by a known malicious host." We have double and triple checked security groups- by myself and 2 other AWS admins. We have tried to access the supposed exposed port directly and tried port scans on the public IP from multiple hosts- all report the port is closed and AWS security group controls are working perfectly. How can I determine WHY Guardduty alerted on this port probe because ALL indicators are that my EC2 instance is locked tight. I find ZERO evidence this port is exposed.

3 Answers
0
Accepted Answer

Talked to one of the developers- they were doing some testing and the security groups i saw when reviewing the alert were different than the security groups at the time the alert occurred.

Anthony
answered 2 days ago
0

Hello,

Refer this documentation on how to remediate the finding Recon:EC2/PortProbeUnprotectedPort, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport_description

https://repost.aws/knowledge-center/resolve-guardduty-unprotectedport-alerts

You can ignore the finding if you're sure that the EC2 instance is secure.

profile picture
EXPERT
answered 4 days ago
0

I'm reasonably sure that GuardDuty is correct in reporting the finding. It simply inspects your VPC flow logs and looks for repeated connections to ports other than ordinarily needed ones (like tcp/443) and reports if it observes matching traffic passing through. There must be a security group that's permitting the traffic flow the GuardDuty finding is showing.

Does your EC2 instance perhaps have multiple network interfaces? Security groups are attached separately to each ENI, despite a single set of them appearing in the instance properties, so one interface could have a security group attached that permits traffic while another interface wouldn't.

Or, could traffic be entering through a Network Load Balancer (NLB), and instead of the attacker's public IP address being permitted in the security group rules of your EC2 instance, the NLB's security group would allow it, and the security group of the EC2 instance would allow traffic from the NLB's security group?

EXPERT
Leo K
answered 4 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions