Amazon EC2 Port Scanning Troubleshoot

Earlier this week, I got email from Amazon EC2 Abuse Team that my instance is reported that it has been port scanning remote hosts on the Internet. Oh yeah, that’s why my instance is terribly slow a few days back. I immediately login to the instance using ssh. When I run “uptime“, load average is TOO high for my normal instance usage! Well, I googled about it. This article helps a lot to me. I resolved the issue and reply my email back to EC2 Abuse Team, detailing all my action taken. And they investigated and marked the issue as resolved in next day. :)
Here is the action I’d taken in case I forget them in future and need to ref back here.

1) ssh to my instance.
2) run lsof -i to list all my instance internet activities
3) Found lot of .sshdd activities to several IP addresses.
4) run “top” or “htop” and see .sshdd running.
5) Kill all these activities with kill -9
6) login to aws.amazon
7) edit my security group to restrict ssh inbound and allow only to my IP address.

My biggest mistake in here is that I allow ssh inbound to all IP address!(Which is not recommended by Amazon anyway and it was my carelessness). Now I have a mental note that I must not allow all IP address (0.0.0.0) to ssh inbound!!

Also read...

Leave a Reply