
Amazon Cloud Service Brute Force

OSSEC is an excellent open source host-based intrusion detection system. It runs on Windows and Linux and detects security anomalies within the system, such as brute force ssh attacks from the Amazon Cloud.

It seems that, like any web hosting service, the Amazon Cloud Web Services are open to exploitation. Of course, in this post I am not saying that Amazon is attacking or even that the owner of this slice of the cloud is attacking me; they likely have had their slice compromised and it is now being used to launch those pesky ssh brute force attacks that fill up all our logs.

This popped into my inbox today from one of my ossec sensors:

OSSEC HIDS Notification.
2009 Jun 17 15:53:48

Received From: htarget02->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root

Here is a good article on securing your AWS instance including improving your sshd security.
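
As an added example (not part of the original post, and not OSSEC's own rule logic), the Python below parses the pam_unix failure lines from the alert above and flags any rhost that reaches a threshold of failures inside a time window. The threshold of 6, the 120-second window, the function name detect and the two 192.0.2.x lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The seven lines from the alert above (newest first, as OSSEC mailed them),
# plus two constructed lines: one failure from 192.0.2.10 and one successful login.
SAMPLE = """\
Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:41 htarget02 sshd[10051]: Accepted publickey for deploy from 192.0.2.20 port 50022 ssh2
Jun 17 15:53:40 htarget02 sshd[10050]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
"""

# Matches only sshd pam_unix authentication failures and captures time and source.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?\brhost=(?P<rhost>\S+)"
)

def detect(lines, threshold=6, window=timedelta(seconds=120), year=2009):
    """Return {rhost: (first_ts, last_ts, count)} at the moment each source
    first reaches `threshold` failures within `window` (assumed values)."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            # Syslog timestamps carry no year, so it is supplied by the caller.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["rhost"]))
    events.sort(key=lambda e: e[0])  # input may arrive newest first
    recent, alerts = defaultdict(deque), {}
    for ts, rhost in events:
        q = recent[rhost]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and rhost not in alerts:
            alerts[rhost] = (q[0], ts, len(q))
    return alerts

if __name__ == "__main__":
    for host, (first, last, n) in detect(SAMPLE.splitlines()).items():
        print(f"{host}: {n} failures between {first} and {last}")
```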