How do I use GuardDuty to identify SSH brute force attacks on Linux instances?
Last updated: 2022-11-26
My Amazon Elastic Compute Cloud (Amazon EC2) Linux instances are under an SSH brute force attack. How can I use Amazon GuardDuty to block these attacks?
Attacks can occur because a rule with Type SSH allows connections from all sources (0.0.0.0/0) over Port Range 22. Allowing 0.0.0.0/0 over Port Range 22 introduces a security risk.
Typically these attacks come from bots that are looking for targets to intrude EC2 instances. You can mitigate the risk of intrusion by restricting SSH access. It's a best practice to configure security groups to allow SSH access only from specific sources that you own, such as from bastion hosts.
You can use GuardDuty to monitor and detect suspicious behavior in your AWS environment. The following example uses GuardDuty to troubleshoot an EC2 instance under an SSH brute force attack. In this example, the security group allows SSH access from sources over the internet.
- Open the EC2 console.
- Open the GuardDuty console in a new tab.
- From the EC2 console, choose Security Groups, choose a security group, and then choose the Inbound tab.
- In the navigation pane, choose Instances, and then open the instances pane in a new tab.
- Select your instance, and then copy the Instance ID.
- From the GuardDuty console, choose Add filter criteria, and then choose Instance ID.
- Paste the Instance ID into the search box, and then choose Apply.
- In Finding Type, choose the most recent findings as noted in the Last seen column.
- Scroll to the Actor section, and then copy the source IP address of the attack.
- Open the terminal on the EC2 Linux instance, open the /var/log/secure directory, and then open the secure file.
Note: The secure file contains the SSH login.
- Enter the source IP address from step 9.
Note: Amazon Linux AMI SSH logs contain all the authentication attempts to connect to the instance.
- Open the AWS Config console, choose Rules, choose Add rule, and then enter restricted in the search box.
- Choose restricted-ssh, and then choose Save.
Note: The restricted-ssh rule checks for security groups that disallow unrestricted incoming SSH traffic.
- In Rule name under the Compliance field, wait for the restricted-ssh rule to change from Evaluating to noncompliant resource(s). You can also choose the refresh icon.
- Choose restricted-ssh to view the non-compliant security groups.
- In Manage resource, choose a non-compliant security group, and then choose the Inbound tab.
In this example, the security group is non-compliant because it allows SSH connections from all sources. To restrict SSH traffic, see Add a rule for inbound SSH traffic to a Linux instance.
For more information, see Remediating a compromised EC2 instance.
Note: To review the Linux logs using Amazon CloudWatch, follow these instructions Quick start: install and configure the CloudWatch logs agent on a running EC2 Linux instance.