2

I lost access to my instance, which I host on AWS. Key pairing stopped working. I detached a volume and attached it to a new instance, and what I found in the logs was a long list of

Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 210.193.52.113
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov  6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 210.193.52.113: 11: Bye Bye [preauth]

where "cyrus" is replaced by hundreds, if not thousands, of common names and items. What could this be? A brute-force attack or something else malicious? I traced the IP to Singapore, and I have no connection to Singapore.

My thought is that this was a DoS attack, since I lost access and the server seemed to stop working. I'm not too well versed in this, but ideas and solutions for this issue are welcome.

rodling
  • 121
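To put numbers on what the excerpt above shows, here is an added example (not part of the original question) that parses sshd "Invalid user" lines and labels each source address by attempt count and number of distinct usernames, which is the pattern a dictionary attack against sshd leaves. The log lines are constructed in the same format as the question's excerpt; the second source 198.51.100.7 and the thresholds are assumptions:

```python
"""Triage sshd log lines for a password-guessing campaign (added example)."""
import re
from collections import defaultdict

# sshd writes one "Invalid user <name> from <ip>" line per guessed account that
# does not exist; the "input_userauth_request" and "Received disconnect" lines
# that follow carry no extra information for this count.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample in the format of the question's excerpt: the
# 210.193.52.113 lines mirror it, 198.51.100.7 is a made-up second source.
SAMPLE_LOG = """\
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 210.193.52.113
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov  6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 210.193.52.113: 11: Bye Bye [preauth]
Nov  6 20:15:35 domU-12-31-39-01-7E-8A sshd[4931]: Invalid user oracle from 210.193.52.113
Nov  6 20:15:37 domU-12-31-39-01-7E-8A sshd[4933]: Invalid user postgres from 210.193.52.113
Nov  6 20:15:39 domU-12-31-39-01-7E-8A sshd[4935]: Invalid user admin from 210.193.52.113
Nov  6 20:15:41 domU-12-31-39-01-7E-8A sshd[4937]: Invalid user oracle from 210.193.52.113
Nov  6 20:16:02 domU-12-31-39-01-7E-8A sshd[4940]: Invalid user backup from 198.51.100.7
"""


def parse_invalid_users(log_text):
    """Return {source_ip: [guessed usernames, in log order]} from sshd log text."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def classify_sources(attempts, min_attempts=5, min_distinct_users=3):
    """Label each source IP as brute-force or low-volume.

    Thresholds are assumptions for illustration: many attempts spread over many
    different account names from one address is the signature of a dictionary
    attack, as opposed to a legitimate user mistyping their own login.
    """
    verdicts = {}
    for ip, users in attempts.items():
        distinct = len(set(users))
        label = "brute-force" if len(users) >= min_attempts and distinct >= min_distinct_users else "low-volume"
        verdicts[ip] = "%s: %d attempts, %d distinct usernames" % (label, len(users), distinct)
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_invalid_users(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Run it over the real file (for example `cat /var/log/auth.log | python3 triage.py` after swapping SAMPLE_LOG for stdin) to see how many distinct usernames and how many source addresses are involved; a single address cycling through a wordlist is noise from a scanner, not a targeted attack, but it still means tcp/22 is reachable from anywhere.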

1 Answer

1

Since you are on AWS, the easy way to prevent the internet from hitting sshd on your box is to deny tcp/22 in your instance's security group, and add to the security group the few /32s that actually need to connect.

ec2-revoke [secgroup] -P tcp -p 22 -s 0.0.0.0/0
ec2-authorize [secgroup] -P tcp -p 22 -s [your-ip-addr]/32

(You can also do this through the AWS GUI, but it's a pain.)

As a second layer of security, you can do the same with iptables on the host, as mentioned in the thread.

By doing either or both of these, tcp/22 won't be open to the internet, and your logs won't flood.

nandoP
  • 2,067
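The same lockdown as an added example, not the answer's own commands: it uses boto3 (the current AWS SDK for Python) in place of the legacy ec2-revoke/ec2-authorize tools, looks at what is actually open before revoking (a revoke must name the existing rule exactly, so a world-open tcp/0-65535 rule or an all-protocols "-1" rule has to be revoked in that shape, not as tcp/22), and refuses to revoke anything without a replacement allow-list. The security group ID, the 203.0.113.10 address and the FakeEC2 stand-in are assumptions so it runs offline; with real credentials, pass boto3.client("ec2") instead.

```python
"""Lock tcp/22 in an EC2 security group down to a /32 allow-list (added example)."""
import ipaddress

SSH_PORT = 22
ANYWHERE = "0.0.0.0/0"


def world_open_ssh_rules(ec2, group_id):
    """Return revoke-ready IpPermissions entries that expose tcp/22 to 0.0.0.0/0.

    A revoke must match the rule as it exists, so a world-open tcp port range or
    an all-protocols ("-1") rule is returned in that shape rather than as a bare
    tcp/22 entry that AWS would report as InvalidPermission.NotFound.
    """
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    exposed = []
    for perm in group.get("IpPermissions", []):
        if not any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", [])):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":
            exposed.append({"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANYWHERE}]})
        elif proto == "tcp" and perm["FromPort"] <= SSH_PORT <= perm["ToPort"]:
            exposed.append({"IpProtocol": "tcp", "FromPort": perm["FromPort"],
                            "ToPort": perm["ToPort"], "IpRanges": [{"CidrIp": ANYWHERE}]})
    return exposed


def ssh_allow_rule(cidr):
    """Build a tcp/22 ingress entry for one host, rejecting anything wider than /32."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError on malformed input
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError("allow-list entries must be IPv4 /32 hosts: %s" % cidr)
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "IpRanges": [{"CidrIp": str(net)}]}


def lockdown_ssh(ec2, group_id, allowed_hosts):
    """Revoke world-open rules covering tcp/22, then allow only allowed_hosts.

    ec2 is a boto3 EC2 client or anything exposing the same three methods. All
    validation happens before the first API call, so a bad entry cannot leave
    the group half-changed (revoked, but with no replacement rule).
    """
    allow = [ssh_allow_rule(h) for h in allowed_hosts]
    if not allow:
        raise ValueError("refusing to revoke SSH access without an allow-list")
    revoke = world_open_ssh_rules(ec2, group_id)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=allow)
    return {"revoked": revoke, "authorized": allow}


class FakeEC2:
    """In-memory stand-in for boto3.client("ec2") so the example runs offline (assumption)."""

    def __init__(self, permissions):
        self.permissions = list(permissions)

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": list(self.permissions)}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        for rule in IpPermissions:  # mimic AWS: the rule must exist exactly as named
            if rule not in self.permissions:
                raise KeyError("InvalidPermission.NotFound: %r" % rule)
            self.permissions.remove(rule)

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.permissions.extend(IpPermissions)


# Constructed starting state: the "tcp/22 from anywhere" rule behind the log flood.
WORLD_OPEN_SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": ANYWHERE}]}

if __name__ == "__main__":
    # Offline demo; for real use replace FakeEC2([...]) with boto3.client("ec2").
    client = FakeEC2([WORLD_OPEN_SSH])
    print(lockdown_ssh(client, "sg-0123456789abcdef0", ["203.0.113.10/32"]))
    print(client.permissions)
```

The check-then-revoke order matters more than it looks: an instance whose group only has a wide-open "all traffic" rule would pass a naive tcp/22 revoke untouched (AWS reports the narrower rule as not found), and the sshd flood would continue while the operator believes the port is closed. The host-side iptables rules the answer recommends are the second layer for exactly that kind of mistake.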