Server issues due to unclear activity

0

On the 3rd of August 2024 at 16:35 UTC our server 51.112.143.93 was blocked, as a result of which it became impossible to access it via ssh. We would like to clarify the situation, what specific requests led to the blocking. During the analysis of the situation, we also found out that the server is subject to periodic DDOS attacks. At the moment, we have enabled blocking of excessive activity. To summarize, we ask for the reasons for blocking the server and recommendations on how to prevent similar situations in the future.

1 Answer
1

This is a public community forum, so most of us don't work for AWS and only know what you tell us about your environment. In general terms, if AWS suspended some of your resources, they probably sent an email to your root and security contact email addresses notifying you about the specifics.

From what you told us, did you perhaps have inbound SSH access permitted from the whole internet? If so, even with a fully patched operating system, it would take nothing more than guessing a username and password for anyone to gain access. If that's what happened, they could've taken any malicious or suspicious actions they liked on your EC2 instance. They might have hit one of AWS's honeypots or a victim who might have raised an abuse complaint against you. I would think the email you should've received from AWS would say something about what triggered the response.

For connecting to your EC2 instance over SSH, you should primarily use AWS SSM Session Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) or EC2 Instance Connect (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html). Both options only allow SSH access to your EC2 instance for authenticated users through AWS's trusted services, without exposing your instance to the whole world. If your server got compromised simply by the exposed SSH port, the incident would almost certainly have been avoided if you'd been using these AWS services.

As a quick workaround, you could also permit the security group of your instance to allow SSH access only from your own public IP address(es) instead of from the entire internet. That's more effort to maintain, but it's also very effective at keeping general bad actors at an arm's length.

Did you have any other services exposed to the internet from your instance, such as an Nginx web server or MySQL database? Particularly if they're unpatched, configured insecurely, or running vulnerable custom code (like in PHP code on a website), they or most other applications could also leave your system easily exploitable by outsiders.

EXPERT
Leo K
answered 2 months ago
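The answer's "quick workaround" is to stop the security group from admitting SSH from the entire internet and allow it only from the administrator's own address(es). The following audit script is an added example (not from the original post, its author, or AWS): it inspects security group records shaped like the `SecurityGroups` list returned by boto3's `ec2.describe_security_groups()`, flags any rule that lets `0.0.0.0/0` or `::/0` reach TCP/22 (including catch-all `IpProtocol: "-1"` rules and wide port ranges that happen to include 22), and builds the restricted replacement rule. The group IDs and the admin address are constructed placeholders; no AWS call is made, so it runs offline.

```python
from ipaddress import ip_network

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" in IPv4 and IPv6 terms


def rule_covers_port(rule, port=SSH_PORT):
    """True if one IpPermissions entry admits traffic to TCP `port`.

    IpProtocol "-1" means every protocol and port, so it always covers SSH;
    otherwise the rule must be TCP and its FromPort..ToPort range must
    include the port (a 0-65535 range is the common "wide open" mistake).
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_reachable_ssh(security_group):
    """Return every world-open CIDR in the group that can reach SSH.

    `security_group` mirrors one element of describe_security_groups()
    ["SecurityGroups"]; an empty list means SSH is not exposed to everyone.
    """
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_covers_port(rule):
            continue
        for r in rule.get("IpRanges", []):
            if r.get("CidrIp") in WORLD_CIDRS:
                findings.append(r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in WORLD_CIDRS:
                findings.append(r["CidrIpv6"])
    return findings


def restricted_ssh_rule(admin_ips):
    """Build the replacement inbound rule: TCP/22 from each admin address only.

    A bare address becomes a single-host network (/32 for IPv4, /128 for
    IPv6), so nothing broader than the listed hosts is admitted.
    """
    v4, v6 = [], []
    for ip in admin_ips:
        net = ip_network(ip, strict=False)
        entry_key = "CidrIp" if net.version == 4 else "CidrIpv6"
        (v4 if net.version == 4 else v6).append(
            {entry_key: str(net), "Description": "admin SSH"}
        )
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "IpRanges": v4, "Ipv6Ranges": v6}


# Constructed sample data (placeholder group IDs, documentation-range admin IP).
WEAK_SG = {
    "GroupId": "sg-PLACEHOLDER-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

HARDENED_SG = {
    "GroupId": "sg-PLACEHOLDER-hardened",
    "IpPermissions": [
        restricted_ssh_rule(["203.0.113.10"]),   # SSH only from the admin host
        WEAK_SG["IpPermissions"][1],             # HTTPS may stay world-reachable
    ],
}

if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        hits = world_reachable_ssh(sg)
        status = "SSH OPEN TO WORLD via " + ", ".join(hits) if hits else "ok"
        print(f"{sg['GroupId']}: {status}")
```

In practice you would feed the script the live list from `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and apply the restricted rule with the console or `authorize-security-group-ingress` after revoking the world-open one; the audit logic above is the part worth keeping in a scheduled check so a rule quietly widened later is caught.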
