I have gotten an Email from AWS that my instance has been used to attach other servers through SSh method. I just want to know how I can stop sshing other servers from my server so that these kinds of attacks can be blocked.
Hello Abuse-Team,
your Server/Customer with the IP: x.x.x.x (ec2-x-x-x-x.ap-south-1.compute.amazonaws.com) has attacked one of our servers/partners.
The attackers used the method/service: ssh on: Fri, 16 Dec 2022 13:52:36 +0100.
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the Blocklist.de-System on: Fri, 16 Dec 2022 13:52:39 +0100
I tried blocking outbound rules to ssh but that sort of setting is not available in AWS as yet.
you need to edit the security group, which is attached to your ec2 instance,
check for inbound rules and edit rules related to port 22/TCP.
Related
Hi i have two AWS account i created 2 ec2 with Ubuntu 20.04 in each account.
In each account one machine is setup as Strongswan and another a private instance
I have completed all the configuration of tunnel security groups and AWS route table, note that I a have configure policy based vpn. Also security groups are completely open as of now, updated the source destination check on strong swan instance
Currently tunnel shows established and I am able to ping from one private instance ip in an AWS account to the private instance in the other account and vice versa,
I setup an niginx server hosting a page in one pvt instance, and from local network it returns a response when i do telnet ip 80, but when i telnet from the pvt ip in other AWS account i see no response.
Ufw is allowed on port 80
I used tcpdump and found that from src pvt ip to src strongswan getting the packets but for some reason it is not leaving the src strongswan
I don't see any packet being sent in ipsec statusall from this src strongswan (when i do ping i do see packet counter increment)
Not sure what am i missing, ping works but http traffic is not sent, please help
Ok finally figured it. It was UFW.
When I disabled ufw on strongswan instance, it allowed the TCP traffic.
How I figured:
I run tail -f /var/log/syslog on strongswan instance and triggered a telnet X.X.X.X 80 from my Private instance
I saw following UFW BLOCK log entries
[UFW BLOCK] IN=ens5 OUT=ens5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54490 DF PROTO=TCP SPT=50814 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0
I am not sure why traffic was blocked even thou ufw allow 80 on ipv4 and ipv6 everywhere.
We were able to ssh to the EC2 instance using the connect details until today; when it stopped working and I get the below error:
root#DKERP:~# ssh -i "gindustries.pem" ubuntu#ec2-15-184-231-34.me-south-1.compute.amazonaws.com
ssh: connect to host ec2-15-184-231-34.me-south-1.compute.amazonaws.com port 22: Connection timed out
Also, the telnet to public IP & port 22 is not working
root#DKERP:~# telnet 15.184.231.34 22
Trying 15.184.231.34...
telnet: Unable to connect to remote host: Connection timed out
The session manager is also failing to connect with the below error:
We weren't able to connect to your instance. Common reasons for this include:
SSM Agent isn't installed on the instance. You can install the agent on both Windows instances and Linux instances.
The required IAM instance profile isn't attached to the instance. You can attach a profile using AWS Systems Manager Quick Setup.
Session Manager setup is incomplete. For more information, see Session Manager Prerequisites.
There are no firewalls in AWS configurations.
Overview:
Security Groups:
Instances:
Network Interface:
VPC:
Network ACLs:
The system logs are updated here: https://pastebin.com/RhAG5DzP
Kindly suggest.
The Connection timed out message normally indicates that there is no network connectivity.
In most cases, this is due to the Security Group.
The steps to check it are:
Select the instance in the Amazon EC2 management console
Go to the Security tab
Check the Inbound rules
To permit an SSH connection, there needs to be a rule that permits port 22 (SSH) and the source set to your IP address or from the whole Internet (0.0.0.0/0) -- preferably only your IP address so that everybody else will be blocked.
When launching an Amazon EC2 instance from the console, it will default to creating a new Security Group called launch-wizard. However, it is generally better to create your own Security Group with a useful name and only the rules you want. You can then re-use that Security Group in future for similar instances.
I'm trying to test an email validation service on AWS EC2 instance, where my program would query the SMTP server (Mail Transfer Agent on port 25). For testing purposes, I replicated the program using Telnet connection, which works fine on my local machine:
telnet gmail-smtp-in.l.google.com 25
Trying 66.102.1.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP a20si12977453wrg.559 - gsmtp
HELO gmail.com
250 mx.google.com at your service
MAIL FROM:<testing#gmail.com>
250 2.1.0 OK a20si12977453wrg.559 - gsmtp
RCPT TO:<thisemailwillneverexist#gmail.com>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 https://support.google.com/mail/?p=NoSuchUser a20si12977453wrg.559 - gsmtp
Telnet, however, doesn't work on EC2, as in the example below:
telnet gmail-smtp-in.l.google.com 25
Trying 74.125.133.26...
telnet: connect to address 74.125.133.26: Connection timed out
Trying 2a00:1450:400c:c08::1a...
telnet: connect to address 2a00:1450:400c:c08::1a: Network is unreachable
EC2 is running a linux instance and allows all outbound connection. My guess here is that AWS doesn't let you connect to SMTP server on port 25 to prevent spam, but I haven't seen the confirmation of that. Any suggestions how I could fix this? If AWS is too rigid, any alternative AWS-like services where I could migrate my project?
Thank you!
AWS blocks outbound traffic on port 25 by default for EC2 instances and Lambda functions (source: AWS support page).
You can place a request for removing restriction on port 25 for your EC2 instance following this link: https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request. You have to be logged in your AWS account to be able to access this link.
I can't access my website suddenly hosted on AWS EC2. ping example.com gets the following result:
PING example.com
Pinging example.com [xx.xx.xx.xx] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
PS: the security group associated with my instance is as follows:
Ports Protocol Source launch-wizard-2
22 tcp 0.0.0.0/0 ✔
80 tcp 0.0.0.0/0 ✔
443 tcp 0.0.0.0/0 ✔
I can't connect to my instance using ssh as well (can't access log file). All what I can do is to check the EC2 dashboard aws.amazon.com. Everything looks fine.
In Status Checks,
System Status Checks System reachability check passed Instance
Status Checks Instance reachability check passed
Here is a screenshot.
How can I find out the reason?
PS: the last backup file downloaded to dropbox is backwpup_b9aba0_2015-07-12_03-03-25.tar.gz.
EDITT: Now it works. I guess that the issue is caused by the limitation of CPU credits (t2.micro) but I am not sure.
Just a guess, but your security group (firewall) may not allow ICMP requests? You will probably need to enable icmp traffic for the pings to succeed. The same goes for SSH. If port 22 is not open you won't be able to connect.
The reason is that I host an OSQA site under the same instance and dozens of spammers on OSQA keep posting poker-related questions, which consumes almost all CPU credits.
I have pureftp running on an AWS ec2 instance. I'm trying to get it to run in passive mode which I thought was working, however I'm finding it may not be working correctly. I'm receiving the following error in FileZilla
Status: Connected
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Status: Directory listing of "/" successful
The odd part is some people are unable to log in while others are.
I have the following pureftp configuration
Port Range
#Port range for passive connections replies. - for firewalling.
PassivePortRange `50000 50100`
PASV IP
#Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
#Symbolic host names are also accepted for gateways with dynamic IP
#addresses.
ForcePassiveIP `ftp.mydomain.com` "my cname record is mapped to my ec2 public dns"
When I view the local port range on the server, /proc/sys/net/ipv4/ip_local_port_range the following are open.
32768 61000
My ec2 security group has port 50000 - 50100 open
When I view my server logs I don't see much other than this every once in a while.
Feb 5 08:57:41 ip-172-11-42-52 dhclient[1062]: DHCPREQUEST on eth0 to 172.11.32.1 port 67 (xid=0x601547fd)
Feb 5 08:57:41 ip-172-11-42-52 dhclient[1062]: DHCPACK from 172.11.32.1 (xid=0x601547fd)
Feb 5 08:57:43 ip-172-11-42-52 dhclient[1062]: bound to 172.11.42.52 -- renewal in 1417 seconds.
Anybody have any idea where things might be going wrong?
Server sent passive reply with unroutable address. Using server address instead
This solved the error for me to get FTP working on AWS EC2 by adding the following lines to etc/vsftpd.conf
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_addr_resolve=YES
pasv_address=XX.XX.XX.XX
XX.XX.XX.XX is set to the elastic IP assigned as the public address for the instance.
Ports in range 1024-1048 and 20-21 created as Custom TCP inbound rules allowing connections from anywhere.
FTP server is running vsftpd on an Ubuntu EC2 accessed with Filezilla client.
So I believe I resolved this issue. It appears as if aws was dynamically changing ip addresses. When I was referencing ftp.domain.com for my passiveip the ip that it resolved to didn't match the initial ip tied to the cname record.
The solution was to assign a static elastic ip to my ec2 instance and set my passiveip in pureftp to my static elastic ip. Thus far it appears to have resolved my issue.
I found some solution you can try.
https://serverfault.com/questions/821025/vsftpd-passive-reply-with-0-0-0-0-address-even-with-correct-pasv-address
I solved it by disabling listen_ipv6 and enabling listen in the config.
listen_ipv6=NO
listen=YES
I got the solution by setting vsftpd.conf
listen=YES
listen_ipv6=NO
Reference here https://stackoverflow.com/a/54707769/1336561