Beruflich Dokumente
Kultur Dokumente
This blog post focuses on how to log and create alarms on invalid
Secure Shell (SSH) access attempts. Implementing live monitoring and
session recording facilitates the identification of unauthorized activity
and can help confirm that remote users access only those systems they
are authorized to use. With SSH log information in hand (such as invalid
access type, bad private keys, and remote IP addresses), you can take
proactive actions to protect your servers. For example, you can use an
AWS Lambda function to adjust your servers security rules when an
alarm is triggered that indicates an invalid SSH access attempt.
Architectural overview
Now that I have explained how the solution works, I will show how to
use AWS CloudFormation to create a stack with the desired solution
configuration. CloudFormation allows you to create a stack of resources
in your AWS account.
4. On the Options page, tag your instance, and click Next. Tags allow
you to assign metadata to AWS resources. For example, you can
tag a projects resources and then use the tag to manage, search
for, and filter resources. For more information about tagging, see
Tagging Your Amazon EC2 Resources.
After the stack is created successfully, you have two distinct application
servers running, each with a CloudWatch agent. These servers represent
a fleet of servers in your infrastructure. Choose the Outputs tab to see
more details about the resources, such as the public IP addresses of the
servers. You will need to use these IP addresses later in this post in
order to trigger log events and alarms.
Now, lets try to trigger an alarm by trying to SSH with an invalid user
name into one of the servers. Use the key pair you specified when
launching the stack and connect to one of the Linux instances from a
terminal window (replace the placeholder values in the following
command).
ssh -i <the-key-pair-you-specified-in-the-CloudFormati
on-template> ec2-user@<ec2 DNS or IP address>
Now, exit the session and try to sign in as bad-user, as shown in the
following command.
ssh -i <the-key-pair-you-specified-in-the-CloudFormati
on-template> bad-user@<ec2 DNS or IP address>
The following command is the same as the previous command, but with
the placeholder values replaced by actual values.
Because the alarm triggers after two or more unsuccessful SSH login
attempts with an invalid user name in 1 minute, run the preceding
command a few times. The servers log captures the bad SSH login
attempts, and after a minute, you should see InvalidUserAlarm in
the CloudWatch console, as shown in the following screenshot. Choose
Alarms to see more details. The alarm should disappear after another
minute if there are no more SSH login attempts.
You can also view the history of your alarms by choosing the History
tab. CloudWatch metrics are saved for 15 months.
You can produce this log line by modifying the pem file you are using (a
pem file holds your private key). In a terminal window, modify your
private key by copying and pasting the following lines in the same
directory where your key resides.
The SSH attempt should fail because you are using a bad private key.
Now, lets look at the servers ssh.log file from the CloudWatch Logs
console and analyze the error log messages. I need to understand the
log format in order to configure a new filter. To review the logs, choose
Logs in the navigation pane, and select the log group that was created
by CloudFormation (it starts with the name you specified when
launching the CloudFormation template).
In particular, notice the following line when you try to SSH with a bad
private key.
Lets add a metric filter to capture this line so that we can use this metric
later when we build an SSH Dashboard. Copy the following line to the
Filter events search box at the top of the console screen and press
Enter.
To create the metric filter, choose Logs in the navigation pane of the
CloudWatch console. Choose the log groups to which you want to apply
the new metric filter and then choose Create Metric Filter. Choose
Next.
Paste the filter pattern we used previously (the sixth word equals
Connection and the seventh word equals closed) in the Filter
Pattern box. Select the server you tried to sign in to with the bad private
key to Select Log Data to Test and click Test Pattern. You should see
the results that are shown in the following screenshot. When completed,
click Assign Metric.
Type SSH for the Metric Namespace and sshClosedConnection-
InvalidKeysFilter for Filter Name. Choose Create Filter to see
your new metric filter listed. You can use the newly created metric filter
to graph the metrics and set alarms. The alarms can be used to inform
your administrator via email of any event you specify. In addition, metrics
can be used to generate SNS notification to trigger an AWS Lambda
function in order to take proactive actions, such as blocking suspicious
IP addresses in a security group.
Choose Create Alarm next to Filter Name and follow the instructions to
create a CloudWatch alarm.
Back at the Metrics view, you should now have three SSH metric filters
under Custom Namespaces. Note that it can take a few minutes for the
number of SSH metrics to update from two to three.
After you have configured the metrics, you can display SSH metrics in a
graph. CloudWatch dashboards allow you to create reusable graphs of
AWS resources and custom metrics so that you can quickly monitor
your operational status and identify issues at a glance. Metrics data is
kept for a period of two weeks.
You can rename the graph and add static text to give the console more
context. To add a text widget, choose Widget and select text. Then edit
the widget with markdown language. Your dashboard may then look like
the following screenshot.
The consolidated metrics graph displays the number of SSH attempts
with bad private keys, invalid user names, and too many disconnects.
Conclusion
If you have comments about this post, submit them in the Comments
section below. If you have questions about the solution in this post, start
a new thread on the CloudWatch forum.
Assaf
https://aws.amazon.com/blogs/security/how-to-monitor-and-visualize-
failed-ssh-access-attempts-to-amazon-ec2-linux-instances/