
I launched a Linux instance and did the following.

  1. Only ports 22, 80 and 8080 are open to "Anywhere" as inbound rules.
  2. Only git, ruby, ruby-dev, apache and youtrack were installed, and only from their original sources or with the "yum install" command.
  3. SSH password authentication is allowed for connections.
  4. I created a few users.

However, we received the following email.

Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-******
IP Address: 52.33.***.***

has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.

Host Intrusion is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instances(s) to cease disruption to other networks and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233
provides some suggestions for securing your instances.

Case number: ************-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs: 
* Destination Ports: 
* Destination URLs: 
* Abuse Time: Fri Nov 13 13:28:00 UTC 2015
* Log Extract: 
<<<
2015-11-13 05:28:10.279 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 3 
2015-11-13 05:28:17.495 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 1 
2015-11-13 05:28:20.018 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 3 
2015-11-13 05:28:27.378 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 1 
2015-11-13 05:28:29.998 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:30.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:32.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:36.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:40.246 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 2 
2015-11-13 05:28:43.471 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:47.517 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:50.070 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 3 
2015-11-13 05:28:57.589 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 1 
2015-11-13 05:28:59.967 52.33.***.*** 58537 ***.***.193.5 22 .A.RS. 6 3 
2015-11-13 05:28:59.921 52.33.***.*** 58647 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:01.999 52.33.***.*** 58647 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:01.968 52.33.***.*** 59568 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:03.970 52.33.***.*** 59568 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:04.007 52.33.***.*** 60527 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:05.999 52.33.***.*** 60527 ***.***.193.5 22 ...R.. 6 1 
  1. Restricting the ports to specific IP addresses is not an option for us.
  2. How can I view the traffic log for SSH port 22?

What do you suggest? What should I do?

Since it is a new host and there is no malware on my PC, I don't believe it has been compromised/hacked?

How could anyone have hacked my server? Could this be an abuse report that was sent by mistake?

Thank you,
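One way to get at question 2 from the extract the reporter sent: the flags column `....S.` is a bare SYN with no reply, and the extract shows the instance sending such probes to consecutive hosts on port 22, which is the shape of an outbound scan rather than normal SSH use. The script below is an added example, not code from this post or its answer; it assumes the column order date, time, source IP, source port, destination IP, destination port, TCP flags, IP protocol, packet count, and runs over a constructed sample that uses documentation IP ranges in place of the masked addresses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the report's layout; 192.0.2.x / 198.51.100.x / 203.0.113.x
# are documentation ranges standing in for the masked addresses.
SAMPLE_LOG = """\
2015-11-13 05:28:10.279 192.0.2.10 40806 198.51.100.0 22 ....S. 6 3
2015-11-13 05:28:20.018 192.0.2.10 49968 198.51.100.1 22 ....S. 6 3
2015-11-13 05:28:29.998 192.0.2.10 36185 198.51.100.2 22 ....S. 6 1
2015-11-13 05:28:40.246 192.0.2.10 59503 198.51.100.3 22 ....S. 6 2
2015-11-13 05:28:50.070 192.0.2.10 48731 198.51.100.4 22 ....S. 6 3
2015-11-13 05:28:59.921 192.0.2.10 58647 198.51.100.5 22 .APRS. 6 12
2015-11-13 05:29:01.999 192.0.2.10 58647 198.51.100.5 22 ...R.. 6 1
2015-11-13 05:30:00.000 192.0.2.10 51000 203.0.113.7 80 .AP... 6 40
"""

def parse_line(line):
    # Assumed column order: date time src sport dst dport flags proto pkts
    date, time, src, sport, dst, dport, flags, proto, pkts = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f"),
        "src": src, "dst": dst, "dport": int(dport),
        "syn_only": flags == "....S.",  # bare SYN: a connection probe, no reply seen
    }

def find_scans(log_text, min_targets=5, window_s=120):
    """Map (src, dport) -> sorted target list for every source that sent
    SYN-only probes to >= min_targets distinct hosts on one port within window_s."""
    probes = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["syn_only"]:
            probes[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))
    scans = {}
    for key, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct hosts probed within window_s of probe i
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                scans[key] = sorted(targets)
                break
    return scans

if __name__ == "__main__":
    for (src, port), hosts in find_scans(SAMPLE_LOG).items():
        print(f"{src} probed {len(hosts)} hosts on port {port}: {hosts[0]} .. {hosts[-1]}")
```

On a live instance the same check can be fed from VPC Flow Logs or from `iptables` LOG rules on outbound traffic; any hit from your own address is the signal to isolate the instance before replying to the abuse report.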


1 Answer


Your instance has probably been compromised. Either because the instance was opened up to password authentication, or because an application with a security flaw was installed, an attacker was able to install malware on your instance.

A new instance can in fact be compromised very quickly. There are people scanning IP addresses for vulnerabilities all the time.

To keep SSH secure, you should use key authentication only and, if possible, whitelist access to certain IP addresses.

answered 2015-11-15T17:17:31.523