I launched a Linux instance and did the following.

Inbound rules: opened only ports 22, 80 and 8080 to "all locations".
Installed only git, ruby, ruby-dev, apache and youtrack, either from the original sources or with the "yum install" command.
Allowed SSH password authentication.
I created a few users.


However, we received the following e-mail.

Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-******
IP Address: 52.33.***.***



has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.

Host Intrusion is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233
provides some suggestions for securing your instances.

Case number: ************-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs:
* Destination Ports:
* Destination URLs:
* Abuse Time: Fri Nov 13 13:28:00 UTC 2015
* Log Extract:
<<<
2015-11-13 05:28:10.279 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 3
2015-11-13 05:28:17.495 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 1
2015-11-13 05:28:20.018 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 3
2015-11-13 05:28:27.378 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 1
2015-11-13 05:28:29.998 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1
2015-11-13 05:28:30.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1
2015-11-13 05:28:32.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1
2015-11-13 05:28:36.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1
2015-11-13 05:28:40.246 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 2
2015-11-13 05:28:43.471 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1
2015-11-13 05:28:47.517 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1
2015-11-13 05:28:50.070 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 3
2015-11-13 05:28:57.589 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 1
2015-11-13 05:28:59.967 52.33.***.*** 58537 ***.***.193.5 22 .A.RS. 6 3
2015-11-13 05:28:59.921 52.33.***.*** 58647 ***.***.193.5 22 .APRS. 6 12
2015-11-13 05:29:01.999 52.33.***.*** 58647 ***.***.193.5 22 ...R.. 6 1
2015-11-13 05:29:01.968 52.33.***.*** 59568 ***.***.193.5 22 .APRS. 6 12
2015-11-13 05:29:03.970 52.33.***.*** 59568 ***.***.193.5 22 ...R.. 6 1
2015-11-13 05:29:04.007 52.33.***.*** 60527 ***.***.193.5 22 .APRS. 6 12
2015-11-13 05:29:05.999 52.33.***.*** 60527 ***.***.193.5 22 ...R.. 6 1



Restricting the ports to specific IP addresses is not an option for us.
How can I view the traffic logs for SSH port 22?

What do you suggest? What should I do?


Since it is a brand-new host and there is no malware on my PC, I don't think it has been compromised/hacked, or has it?

How would someone break into my server? Could this be a mistaken abuse report?

Thanks,
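The "Log Extract" in the abuse report is one flow record per line: date, time, source IP and port, destination IP and port, a TCP flag summary, the IP protocol number (6 = TCP) and a packet count. As an added example that is not part of the original question or of any AWS tooling, the Python below parses records in that layout and flags a source that sends SYN-only flows to several distinct hosts on port 22 within a short window, which is the outbound pattern visible in the report. The sample lines are constructed and use documentation-range addresses rather than the masked ones above; reading the six-character flag column as U/A/P/R/S/F positions is an assumption. The same check can be run over any connection log the instance owner can obtain (for example VPC Flow Logs exported as text) once the regular expression is adapted to that format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the abuse report's "Log Extract":
# date time src_ip src_port dst_ip dst_port flags proto packets
# (documentation-range addresses, not the masked ones from the report)
SAMPLE_LOG = """\
2015-11-13 05:28:10.279 198.51.100.5 40806 203.0.113.0 22 ....S. 6 3
2015-11-13 05:28:17.495 198.51.100.5 40806 203.0.113.0 22 ....S. 6 1
2015-11-13 05:28:20.018 198.51.100.5 49968 203.0.113.1 22 ....S. 6 3
2015-11-13 05:28:29.998 198.51.100.5 36185 203.0.113.2 22 ....S. 6 1
2015-11-13 05:28:40.246 198.51.100.5 59503 203.0.113.3 22 ....S. 6 2
2015-11-13 05:28:50.070 198.51.100.5 48731 203.0.113.4 22 ....S. 6 3
2015-11-13 05:28:59.921 198.51.100.5 58647 203.0.113.5 22 .APRS. 6 12
2015-11-13 05:29:01.999 198.51.100.5 58647 203.0.113.5 22 ...R.. 6 1
2015-11-13 05:30:00.000 198.51.100.9 51000 203.0.113.80 443 .AP.S. 6 40
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<flags>[UAPRSF.]{6}) (?P<proto>\d+) (?P<pkts>\d+)$"
)


def parse_line(line):
    """Parse one flow record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S.%f")
    for k in ("sport", "dport", "proto", "pkts"):
        rec[k] = int(rec[k])
    # Assumption: the six flag positions are U A P R S F, and a letter means the
    # flag was seen at least once in the flow. "....S." is therefore a SYN that
    # was never answered (or whose answer was not logged): the probe signature.
    rec["syn_only"] = rec["flags"] == "....S."
    return rec


def find_outbound_scanners(log_text, port=22, min_targets=4, window_s=60):
    """Return {src_ip: sorted distinct targets} for every source that sent
    SYN-only TCP flows to at least `min_targets` distinct hosts on `port`
    within any `window_s`-second window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["dport"] == port and rec["syn_only"]:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()  # time order, so a sliding window works
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = sorted({dst for _, dst in events})
                break
    return scanners


if __name__ == "__main__":
    for src, targets in find_outbound_scanners(SAMPLE_LOG).items():
        print(f"{src} probed port 22 on {len(targets)} hosts: {', '.join(targets)}")
```

A single SYN to one host is normal; the signal is one source walking consecutive addresses on the same port with nothing but SYNs, which is why the detector counts distinct destinations per source inside a time window instead of counting packets.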

Best answer

Your instance has most likely been compromised. Because the instance was open to password authentication, or because an installed application had a security flaw, an attacker could install malware on your instance.

It really does not take long for a new instance to be compromised; people are constantly scanning IP addresses for vulnerabilities.

To keep SSH secure, you should use key authentication only and, if possible, whitelist access to specific IP addresses.

08-08 00:47
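One way to check that an instance's sshd_config actually follows the accepted answer's advice (keys only, password logins off, sources restricted where possible), as an added example that is not from the answer or from OpenSSH: the two configurations below are constructed, and the deploy user and the 203.0.113.0/24 range are placeholders. The audit honours two sshd_config rules that are easy to get wrong: the first value for a keyword wins, and anything after a Match line applies only to matching connections, so a PasswordAuthentication no placed after an earlier yes does nothing.

```python
import re

# Constructed examples (not from the page): a permissive sshd_config and a
# hardened one that follows the answer's advice.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Placeholder user and source range; sshd rejects logins that match no entry.
AllowUsers deploy@203.0.113.0/24
"""

# Accepted values for the global section. ChallengeResponseAuthentication is
# included because keyboard-interactive auth can still prompt for a password
# even when PasswordAuthentication is off.
EXPECTED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
}

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_global_settings(text):
    """Return {keyword_lowercase: value} for the global section, keeping the
    first value seen for each keyword and stopping at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # later lines are conditional, not global
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches the advice."""
    settings = parse_global_settings(text)
    findings = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append(f"{key} is '{value}', expected one of {sorted(allowed)}")
    if "allowusers" not in settings:
        findings.append("no AllowUsers source restriction (the answer's 'if possible' item)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; `sshd -T` output can be fed in the same way and already has the effective values resolved.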