How are EXTERNAL entities gaining access to Lightsail Private IPs


I host a few Ubuntu instances on Lightsail. I have observed something which I cannot explain. This is not an isolated situation, and I expect that others would observe the same exposure of their private IP without the benefit of the firewall rules assigned to the Lightsail instance. Check your auth log (Ubuntu: grep "preauth" /var/log/auth.log) and see if you observe the same results... I think you will, as all of my 10 or so instances show the same!

Private IP 172.xx.x.74

Lightsail Instance IPs

The Ubuntu /var/log/auth.log shows external IPs attempting to brute-force SSH on this PRIVATE IP.

The brute-force SSH attempts are not coming from AWS. The first example below is coming out of Suraj Network, India.

Why/how are these bad actors getting a connection to the private IP on the Lightsail instances? Port 49986 is not enabled through the Lightsail network firewall. Are there improper connections from Lightsail to outside ISPs?

I have found other examples: DigitalOcean, Huawei, Vietnam Posts and Telecommunications Group.

IS THERE A LARGER PROBLEM THAT AMAZON SHOULD BE AWARE OF?

Command:

grep "preauth" /var/log/auth.log

shows:
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Received disconnect from 103.72.6.149 port 49986:11: Bye Bye [preauth]
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Disconnected from invalid user applmgr 103.72.6.149 port 49986 [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Received disconnect from 106.246.226.66 port 45478:11: Bye Bye [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Disconnected from invalid user server 106.246.226.66 port 45478 [preauth]
Mar 12 16:39:45 ip-172-xx-x-74 sshd[10050]: Received disconnect from 171.244.39.233 port 52840:11: Bye Bye [preauth]
Mar 12 16:39:45 ip-172-xx-x-74 sshd[10050]: Disconnected from invalid user bXXXh 171.244.39.233 port 52840 [preauth]
Mar 12 16:39:52 ip-172-xx-x-74 sshd[10053]: Received disconnect from 148.66.132.190 port 52944:11: Bye Bye [preauth]
Mar 12 16:39:52 ip-172-xx-x-74 sshd[10053]: Disconnected from invalid user admin 148.66.132.190 port 52944 [preauth]
Mar 12 16:39:55 ip-172-xx-x-74 sshd[10055]: Received disconnect from 196.203.207.165 port 34038:11: Bye Bye [preauth]
Mar 12 16:39:55 ip-172-xx-x-74 sshd[10055]: Disconnected from invalid user testuser 196.203.207.165 port 34038 [preauth]
Mar 12 16:40:44 ip-172-xx-x-74 sshd[10062]: Received disconnect from 14.139.58.153 port 49158:11: Bye Bye [preauth]
Mar 12 16:40:44 ip-172-xx-x-74 sshd[10062]: Disconnected from invalid user julio 14.139.58.153 port 49158 [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Received disconnect from 103.72.6.149 port 39856:11: Bye Bye [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Disconnected from invalid user john 103.72.6.149 port 39856 [preauth]
Mar 12 16:42:39 ip-172-xx-x-74 sshd[10248]: Received disconnect from 14.139.58.153 port 50592:11: Bye Bye [preauth]
Mar 12 16:42:39 ip-172-xx-x-74 sshd[10248]: Disconnected from invalid user test01 14.139.58.153 port 50592 [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Received disconnect from 103.72.6.149 port 39386:11: Bye Bye [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Disconnected from invalid user user 103.72.6.149 port 39386 [preauth]
1 Answer

I suspect you have left the SSH port available to the world. You should restrict it to the IP you will be managing it from. See https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail

AWS
answered a year ago
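As an added example (not code from the question or the answer), here is a small Python script that parses the sshd "invalid user ... [preauth]" lines quoted above, counts attempts per source address, records the usernames each source tried, and classifies each source as internet-routable or RFC 1918 private. A Lightsail instance's network interface carries only its private address, with the public address mapped onto it by the platform, so connections arriving from the internet are logged against the private hostname; a tally of non-private sources is the quick check that the SSH port is reachable from the internet, which is what the answer suggests restricting. The log text below is constructed, modelled on the question's lines, and the 172.26.1.9 entry is an assumed private-network source added for contrast.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample, modelled on the sshd "[preauth]" lines quoted in the question.
# The last line (source 172.26.1.9) is an assumed private-network connection.
SAMPLE_AUTH_LOG = """\
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Received disconnect from 103.72.6.149 port 49986:11: Bye Bye [preauth]
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Disconnected from invalid user applmgr 103.72.6.149 port 49986 [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Disconnected from invalid user server 106.246.226.66 port 45478 [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Disconnected from invalid user john 103.72.6.149 port 39856 [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Disconnected from invalid user user 103.72.6.149 port 39386 [preauth]
Mar 12 16:50:00 ip-172-xx-x-74 sshd[10300]: Disconnected from invalid user ops 172.26.1.9 port 40000 [preauth]
"""

# Matches only the "Disconnected from invalid user" form; the paired
# "Received disconnect" line for the same session is deliberately not counted twice.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from invalid user (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) \[preauth\]"
)

def parse_preauth(log_text):
    """Yield (source_ip, username) for each 'invalid user' preauth disconnect."""
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def summarize(log_text):
    """Count attempts per source, note the usernames tried, and split sources
    into internet-routable and private (RFC 1918 / other non-global) addresses."""
    attempts = Counter()
    users = defaultdict(set)
    public_sources, private_sources = set(), set()
    for ip, user in parse_preauth(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        (private_sources if ip_address(ip).is_private else public_sources).add(ip)
    return {
        "attempts": dict(attempts),
        "users": {ip: sorted(u) for ip, u in users.items()},
        "public_sources": sorted(public_sources),
        "private_sources": sorted(private_sources),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    for ip, n in sorted(s["attempts"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} attempts  users={s['users'][ip]}")
    print("internet-routable sources:", s["public_sources"])
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`; any entry in `public_sources` means the port is reachable from outside the private network regardless of what the instance's own interface reports.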
