Cloud infrastructures are primarily dominated by Linux-based machines, owing to advantages such as lower costs, reliability, and flexibility. Being open source, Linux systems are widely considered to be the most secure. However, they are not immune to attacks by hackers. One of the most prevalent methods of attacking Linux machines is through SSH channels. In this blog, we'll explore SSH attacks on Linux machines and show you how to spot and stop them.

How AWS uses SSH

Secure Shell (SSH) is an encryption-based network protocol that operates on port number 22 by default. This protocol establishes remote access connection between two machines after authenticating with a password or a public-private key pair and sends encrypted data across the channel to ensure security.

The shared security model proposed by Amazon Web Services (AWS) allows you to secure remote access to the hosted Linux instances through SSH. When an EC2 instance is launched, you'll be given the option to assign a key pair. AWS uses the user name along with a PEM file associated with the key pair to authenticate with the server and opens an SSH session.

Attacking SSH of AWS Linux machines

Leaving SSH services exposed is a common misconfiguration that increases the vulnerability of Linux systems. Brute-forcing SSH channels is a popular way of gaining access to the cloud. Attackers deploy bots known as bruteforcers to carry out these attacks. An experiment revealed that an AWS EC2 instance with exposed SSH services is likely to be attacked by the first bruteforcer bot in less than 10 hours of being deployed.

Apart from brute forcing, attackers can gather SSH keys and credentials from source control, public repositories, or open buckets. They can also steal them from machines compromised in parallel or unrelated campaigns, or even purchase them on remote access markets where they are sold as a service.

What happens after the compromise?

Once they've compromised the SSH service, attackers have endless possibilities. They can infect Linux hosts with cryptominers, replace legitimate executables with malicious ones, execute data breaches, and more.

To cover up their tracks, they can disable audit functions of the OS. They may also establish persistence by creating backdoors. One way is to insert an attacker-owned SSH public key to the authorized keys file on the server to ensure remote connection to the server without being noticed. Attackers can also initiate lateral movements with worm-like botnets to maneuver through the cloud and even eventually move to on-premises IT environments as well.

How to spot and stop these attacks

Collecting logs from your AWS environment is a good place to start. In brute-force attacks, the bruteforcer tries multiple passwords on a trial-and-error basis in an attempt to log in to your machine. As a result, the machine logs multiple failed logon events.

If any of your Linux EC2 instances are logging multiple failed logons in an unusually short period, it's a sure sign of a brute-force attack. Once a brute force attack is identified, you can note the IP address of the attacker and block it.

Logs help in thoroughly tracking and analyzing incidents in the network. Real-time monitoring of logs combined with behavior analytics can help you detect network intruders who use stolen credentials.

Wrapping up

To reduce the risk of SSH attacks, ensure none of your SSH services on your Linux hosts are exposed. Adding an extra layer of security such as two factor authentication also makes your Linux hosts less susceptible to brute-force attacks.

Deploying a security information and event management (SIEM) solution that supports analysis of events happening on cloud platforms can help you spot and mitigate SSH attacks on Linux AWS. SIEM solutions collect logs, analyze them, identify suspicious events in your network, and alert you about them in real time. You can also set up automated incident workflows that greatly reduce the incident response time.

ManageEngine Log360 is a comprehensive, easy-to-use SIEM and threat mitigation solution that supports both on-premises and cloud platforms such as Amazon Web Services, Google Cloud Platform, Salesforce, and Microsoft Azure along with on-premises security monitoring. The solution can spot threats and anomalous user behavior, detect internal attacks, identify malicious traffic connections, and more with its real-time correlation engine and machine-learning-based behavioral analytics add-on. Learn more about Log360 today.

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.