OSSEC is an excellent open source host-based intrusion detection system. It runs on Windows and Linux and detects security anomalies on the host, such as SSH brute-force attacks coming from the Amazon cloud.
Like any hosting service, Amazon Web Services instances can be abused. To be clear, in this post I am not saying that Amazon is attacking me, or even that the owner of this particular slice of the cloud is; more likely their instance has been compromised and is now being used to launch the pesky SSH brute-force attacks that fill up all our logs.
This popped into my inbox today from one of my OSSEC sensors:

OSSEC HIDS Notification.
2009 Jun 17 15:53:48

Received From: htarget02->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root

Seven root login failures from the same EC2 host in fifteen seconds, one every two to three seconds: the signature of an automated password guesser, not a person mistyping.
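The logic behind rule 5551 is a per-source sliding window over pam_unix authentication failures. The Python below is an added example (not OSSEC's code and not from the original post) that reimplements that idea and runs it over the seven auth.log lines quoted in the alert above, which are embedded as sample input. The frequency and timeframe defaults are assumptions chosen for the example; the values OSSEC actually uses for 5551 live in its pam_rules.xml and its occurrence counting is not reproduced here. The alert lists lines newest-first, so the detector sorts by timestamp before counting.

```python
"""Sliding-window detector for sshd brute-force bursts (added example, not OSSEC code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: the seven auth.log lines from the OSSEC alert quoted on this page.
SAMPLE_LOG = """\
Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
"""

# Matches only pam_unix sshd authentication failures; "\buser=" skips the "ruser=" field.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S+)"
)


def parse_line(line, year):
    """Return a dict for a pam_unix sshd auth failure line, or None for any other line."""
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (2009 for this page's alert)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "rhost": m["rhost"] or "?", "user": m["user"]}


def detect(lines, frequency=6, timeframe=180, year=2009):
    """Alert when `frequency` failures from one rhost fall within `timeframe` seconds.

    frequency/timeframe are this example's assumptions, not OSSEC's rule values.
    One alert per burst: further failures while the burst continues extend the
    alert (count, last_seen, users) instead of raising a new alert per attempt.
    """
    events = sorted((e for e in (parse_line(l, year) for l in lines) if e),
                    key=lambda e: e["ts"])
    window = defaultdict(deque)   # rhost -> (timestamp, user) still inside the window
    burst = {}                    # rhost -> index into alerts while its burst is open
    alerts = []
    for ev in events:
        w = window[ev["rhost"]]
        w.append((ev["ts"], ev["user"]))
        while (ev["ts"] - w[0][0]).total_seconds() > timeframe:
            w.popleft()           # age out failures older than the window
        if len(w) == 1:           # everything older aged out: any previous burst is over
            burst.pop(ev["rhost"], None)
        if ev["rhost"] in burst:
            a = alerts[burst[ev["rhost"]]]
            a["count"] += 1
            a["last_seen"] = ev["ts"]
            a["users"].add(ev["user"])
        elif len(w) >= frequency:
            burst[ev["rhost"]] = len(alerts)
            alerts.append({
                "rule": 5551, "level": 10, "agent": ev["host"], "rhost": ev["rhost"],
                "count": len(w), "first_seen": w[0][0], "last_seen": ev["ts"],
                "users": {u for _, u in w},
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"Rule {a['rule']} fired (level {a['level']}) on {a['agent']}: "
              f"{a['count']} failed logins from {a['rhost']} for {sorted(a['users'])} "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Run against the alert's seven lines it reports one burst from ec2-67-202-57-35.compute-1.amazonaws.com, all for root, between 15:53:32 and 15:53:47. Feeding it a full auth.log (one line per list element, with the right year) shows every source that crossed the threshold, which is a quick way to see whether the EC2 host in the alert was one of many.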
Here is a good article on securing your AWS instance, including hardening sshd.
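The attempts in the alert were all against root with a password, so the two sshd settings that matter most are PermitRootLogin and PasswordAuthentication. The Python below is an added example, not from the linked article or the original post, that audits a constructed sshd_config the way sshd reads it: the first occurrence of a keyword wins, and lines after a Match block are conditional, so a grep for the last matching line would get both cases wrong. The expected values and the MaxAuthTries cap of 3 are this example's policy, not something the page or OpenSSH mandates.

```python
"""Audit the effective global sshd_config settings (added example)."""
import re

# Constructed sample, not from the page: the settings an ssh brute-forcer hopes for.
# The Match block "fixes" root login only for one subnet, which does not help here.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Constructed hardened counterpart: key-only logins, no root, fewer tries per connection.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Example policy (assumption): acceptable global values for each keyword.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
MAX_AUTH_TRIES = 3   # example policy; sshd's own default is 6


def effective_global_settings(text):
    """Return {keyword: value} as sshd would apply them globally.

    Per sshd_config(5) the first value obtained for a keyword is used, and
    keywords after a Match line only apply when that Match matches, so parsing
    stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                           # keywords are case-insensitive
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                                        # everything below is conditional
        settings.setdefault(key, val)                    # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the global config meets EXPECTED."""
    s = effective_global_settings(text)
    findings = []
    for key, ok in EXPECTED.items():
        val = s.get(key)
        if val is None:
            findings.append(f"{key}: not set (compiled-in default applies; set it explicitly)")
        elif val not in ok:
            findings.append(f"{key}: {val} (expected one of {sorted(ok)})")
    try:
        tries = int(s.get("maxauthtries", "6"))          # sshd default when unset
    except ValueError:
        tries = None
    if tries is None or tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: {s.get('maxauthtries', 'unset')} (example policy caps it at {MAX_AUTH_TRIES})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, `sshd -T` prints the effective configuration after sshd has applied its own precedence rules, so comparing its output against the same expectations is the more reliable check; the parser above is for reviewing a config file before it is deployed.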