What steps should I take after GuardDuty detected an SSH brute force attack from my server?

Asked By CuriousCoder92 On

I recently received an alert from GuardDuty about outgoing traffic that resembles an SSH brute force attack. This originated from one of my Windows Server 2022 instances, which is located in a private subnet with no public IP and has security group settings that only allow inbound ICMP and RDP traffic via our AWS VPN Client security group. Currently, all outbound traffic is permitted. The suspicious outgoing traffic came from random local ports (50242 and 60664), targeting specific Amazon public IPs (15.197.199.235 in Washington and 99.83.130.128 in Seattle) using SSH on port 22. I've already powered down the instance while investigating. After checking through events, services, and netstat, I couldn't find any obvious signs of compromise. I've tried looking up this issue online but couldn't find much information. I'm thinking of rebuilding the server for safety. Any ideas or recommendations on how to proceed?

4 Answers

Answered By DevNerd64 On

Honestly, this sounds like a classic question from a Security Specialty Certification exam! Most likely, something connected to your VPN is compromised and has affected your instance.

Answered By UnderTheRadar42 On

Looks like you found the source! It was a misconfigured internal SFTP interface. Remember, if no one can access it externally, the issue is usually internal. The AWS IPs were tied to a Global Accelerator for your File Transfer Server located in another account, which complicated things. We had a similar scare before, so it's always better to double-check!

Answered By SecuritySavvy33 On

It's important to think about the network on the other side of your VPN. It could be compromised or involved with malicious activity. Keep an eye on that part of your setup.

Answered By TechWhiz_47 On

First, isolate the instance immediately and consider restoring it from a known good backup. It's crucial to maintain isolation until you verify that all clients with access are clean. Review user permissions and actions, as there might be something malicious that moved laterally into your server and possibly persisted on your network. Also, make sure that endpoint protection is active on all devices, and do some offline scans for potential rootkits.
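A triage helper for the situation described in this thread, written as an added example (it is not code from any of the posters). It parses GuardDuty finding JSON of type `UnauthorizedAccess:EC2/SSHBruteForce` (field names follow the GuardDuty finding schema under `service.action.networkConnectionAction`), confirms the connection direction is outbound, counts the matching accepted flows in VPC Flow Log records, and checks each remote address against an inventory of endpoints the organisation already owns, which is exactly the check that resolved this case (the Global Accelerator addresses fronting an internal SFTP server). The findings, the flow-log lines, the instance id and the inventory are constructed for the example; the two remote IPs and local ports are the ones quoted in the question.

```python
"""Triage an outbound GuardDuty SSHBruteForce finding against flow logs and an
inventory of known-owned endpoints. Added example; all input data is constructed."""
import json
from collections import Counter

# Constructed findings, shaped like real GuardDuty SSHBruteForce findings.
FINDINGS_JSON = [json.dumps({
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},  # constructed id
    "service": {"action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
            "connectionDirection": "OUTBOUND",
            "protocol": "TCP",
            "localPortDetails": {"port": local_port},
            "remotePortDetails": {"port": 22},
            "remoteIpDetails": {"ipAddressV4": remote_ip, "organization": {"org": "Amazon"}},
        }}},
}) for local_port, remote_ip in ((50242, "15.197.199.235"), (60664, "99.83.130.128"))]

# Constructed VPC Flow Log records (default v2 format, space separated).
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 15.197.199.235 50242 22 6 12 960 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 15.197.199.235 50243 22 6 12 960 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 99.83.130.128 60664 22 6 12 960 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 99.83.130.128 60665 22 6 12 960 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 99.83.130.128 60666 22 6 12 960 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.7 49158 3389 6 40 5200 1700000020 1700000080 ACCEPT OK
""".splitlines()

# Constructed inventory of endpoints the organisation owns. Only one of the two
# remote IPs is listed so that both triage outcomes are exercised.
KNOWN_ENDPOINTS = {
    "15.197.199.235": "Global Accelerator address for SFTP transfer server (other account)",
}

FLOW_FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport",
               "protocol", "packets", "bytes", "start", "end", "action", "status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_finding(text):
    """Extract the connection details that matter for triage from a finding."""
    f = json.loads(text)
    nca = f["service"]["action"]["networkConnectionAction"]
    return {
        "type": f["type"],
        "instance": f["resource"]["instanceDetails"]["instanceId"],
        "direction": nca["connectionDirection"],
        "local_port": nca["localPortDetails"]["port"],
        "remote_ip": nca["remoteIpDetails"]["ipAddressV4"],
        "remote_port": nca["remotePortDetails"]["port"],
    }


def parse_flow_log(lines):
    """Parse v2 flow-log records into dicts; malformed lines are skipped."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        row = dict(zip(FLOW_FIELDS, parts))
        for key in INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def count_ssh_flows(flows, remote_ips, dst_port=22):
    """Count accepted TCP flows from the instance to each remote IP on dst_port.
    Many short flows to the same host is what makes GuardDuty call it brute force."""
    counts = Counter()
    for r in flows:
        if (r["dst"] in remote_ips and r["dstport"] == dst_port
                and r["protocol"] == 6 and r["action"] == "ACCEPT"):
            counts[r["dst"]] += 1
    return counts


def triage(finding_texts, flow_lines, known_endpoints):
    """Return a per-remote-IP verdict: owned endpoint (likely misconfiguration)
    or unknown remote (treat the instance as possibly compromised)."""
    findings = [parse_finding(t) for t in finding_texts]
    flows = parse_flow_log(flow_lines)
    attempts = count_ssh_flows(flows, {f["remote_ip"] for f in findings})
    report = {}
    for f in findings:
        ip = f["remote_ip"]
        if f["direction"] != "OUTBOUND":
            verdict = "inbound-finding-use-inbound-playbook"
        elif ip in known_endpoints:
            verdict = "owned-endpoint"
        else:
            verdict = "unknown-remote"
        report[ip] = {"instance": f["instance"], "local_port": f["local_port"],
                      "flows_to_port_22": attempts.get(ip, 0),
                      "verdict": verdict, "note": known_endpoints.get(ip, "")}
    return report


if __name__ == "__main__":
    for ip, row in triage(FINDINGS_JSON, FLOW_LOG_LINES, KNOWN_ENDPOINTS).items():
        print(ip, row)
```

An "owned-endpoint" verdict points at a misconfigured client (as in this thread, an SFTP integration hammering an internal transfer server with bad credentials) and is fixed by correcting the client and tightening the outbound security group rule; an "unknown-remote" verdict is the case where the isolation-and-rebuild advice above applies. In a real account the inventory would come from the organisation's own asset records rather than a hard-coded dict.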
