Why did I receive the GuardDuty finding type alert Recon:EC2/PortProbeUnprotectedPort for my Amazon EC2 instance?
Last updated: 2022-07-18
Amazon GuardDuty detected alerts for the Recon:EC2/PortProbeUnprotectedPort finding type for my Amazon Elastic Compute Cloud (Amazon EC2) instance.
The GuardDuty finding type Recon:EC2/PortProbeUnprotectedPort means that an Amazon EC2 instance has an unprotected port that is being probed by a known malicious host.
Use the following best practices to protect the unprotected port or remove inbound rules:
- Follow the instructions to view and analyze your GuardDuty findings.
- In the findings detail pane, note the port number.
- If the unprotected port is 22 for Linux, you can restrict access by following the instructions for authorizing inbound traffic for your Linux instances.
- If the unprotected port is 3389 for Windows, you can restrict access by following the instructions for authorizing inbound traffic for your Windows instances.
- If the unprotected port is 80 or 443 and you must keep these ports open, you can put the EC2 instance behind a load balancer.
- If the port doesn't have any application running on it and doesn't need to be open, you can remove the inbound rule from the EC2 instance's security group and remove the iptables rules for that port.
- If you don't need to protect the unprotected port, you can ignore the Recon:EC2/PortProbeUnprotectedPort finding type.
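
The triage steps above, sketched as an added example that is not AWS's own code: it reads the probed port from a finding and lists the security group inbound rules that open that port to any address, then names the matching step. The sample finding and security group are constructed, the function names are hypothetical, and treating a rule open to 0.0.0.0/0 or ::/0 as the exposure to review is an assumption of this example.

```python
# Constructed sample data in the shapes returned by GuardDuty GetFindings and
# EC2 DescribeSecurityGroups; the IDs and addresses are placeholders.
FINDING = {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Service": {"Action": {
    "ActionType": "PORT_PROBE", "PortProbeAction": {"Blocked": False,
        "PortProbeDetails": [{
            "LocalPortDetails": {"Port": 22, "PortName": "SSH"},
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}]}}}}
SECURITY_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def probed_ports(finding):
    """Return the local ports named in a port-probe finding."""
    action = finding["Service"]["Action"].get("PortProbeAction", {})
    return sorted({d["LocalPortDetails"]["Port"]
                   for d in action.get("PortProbeDetails", [])})

def exposing_rules(group, port):
    """Return inbound rules that open `port` to any IPv4 or IPv6 address."""
    hits = []
    for rule in group["IpPermissions"]:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        # IpProtocol "-1" means all protocols and ports and has no port range.
        covers = rule["IpProtocol"] == "-1" or (
            rule["IpProtocol"] in ("tcp", "udp")
            and rule.get("FromPort", 1) <= port <= rule.get("ToPort", 0))
        if covers and cidrs & ANYWHERE:
            hits.append(rule)
    return hits

def next_step(port):
    """Map the probed port to the matching step in the list above (assumed helper)."""
    if port in (22, 3389):
        return "restrict access in the inbound rule"
    if port in (80, 443):
        return "if it must stay open, put the instance behind a load balancer"
    return "remove the inbound rule if nothing needs the port"

if __name__ == "__main__":
    for p in probed_ports(FINDING):
        exposed = [(r.get("FromPort"), r.get("ToPort"))
                   for r in exposing_rules(SECURITY_GROUP, p)]
        print(f"port {p}: world-open rules {exposed}; {next_step(p)}")
```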