
Your Amazon EC2 Abuse Report


I created an Amazon EC2 instance to run a Tomcat application, but the Amazon abuse team sent a mail with the following log

<<<
AWS Account: ********
Report begin time: 14-12-2017 02:02:28 UTC
Report end time: 14-12-2017 02:03:28 UTC

Protocol: TCP
Remote IP: ...
Remote port(s): 80

Total bytes sent: 294167550
Total packets sent: 291255
Total bytes received: 0
Total packets received: 0

AWS Account: ********
Report begin time: 14-12-2017 02:03:15 UTC
Report end time: 14-12-2017 02:04:15 UTC

Protocol: TCP
Remote IP: ...
Remote port(s): 80

Total bytes sent: 1050081850
Total packets sent: 1039685
Total bytes received: 0
Total packets received: 0

Is it application issue or have I missed some security configuration?

We found one unknown executable in /tmp, as shown below; after we killed it, it came back up again after a few seconds. It seems to be generating unknown traffic, so we went ahead and powered off the servers for now.

[root@ip-172-19-24-90 tmp]# file Lixsyn
Lixsyn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
[root@ip-172-19-24-90 tmp]#

raw   104832 426240 0.0.0.0:6                   0.0.0.0:*                   7           19719/Lixsyn
raw   104832 228096 0.0.0.0:6                   0.0.0.0:*                   7           19719/Lixsyn


root@ip-172-31-40-123 tmp]# ifconfig
eth0      Link encap:Ethernet  HWaddr ********
          inet addr:******** Bcast:172.31.47.255  Mask:255.255.240.0
          inet6 addr: ********/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:1136962 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2081358186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:860855089 (820.9 MiB)  TX bytes:2130697820190 (1.9 TiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11338 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11338 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:21689998 (20.6 MiB)  TX bytes:21689998 (20.6 MiB)

Solution

  • AWS sends abuse reports when ec2 instances trigger unknown traffic to servers outside your account.

    This can be due to some unknown applications which got inside your ec2 instances through publicly open ssh/rdp ports.

    What you can do here is

    1. Configure the security group of your ec2 instances to allow ssh access (port 22) with the source ip set to your own home/office ip only
    2. Run a netstat command to find which process ids are accessing the remote ip and port numbers mentioned in the abuse reports
    3. Once you get the process ids, find all processes associated with them using the ps -ef command and remove all the related paths
    4. Change all user credentials and disable ssh login without password.

    Answer to your second question on preventing attacks on tomcat servers on ec2.

    1. Avoid exposing the tomcat manager app on the default url/path
    2. Use the "name" property in server.xml to avoid exposing the container name and version through http headers
    3. Better to put tomcat behind a web layer/proxy like nginx/haproxy to limit the impact of brute-force attacks
    4. Use very strong passwords for tomcat users.
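Steps 2 and 3 of the answer above (match the abuse report's remote ip/port against netstat, then pull the owning process ids) can be scripted; the following is an added example, not code from the question or the answer. It runs on a constructed netstat snapshot modelled on the output in the question (the remote ip 203.0.113.10 is a placeholder), and also flags owners of raw sockets, since the question's netstat showed the binary holding raw sockets rather than ordinary tcp connections.

```shell
#!/bin/sh
# Added example: find which local processes own sockets that match an
# AWS abuse report, using a netstat snapshot. Assumptions: the snapshot
# is in "netstat -tunp" / "netstat -anp" column layout, and the remote
# ip 203.0.113.10 is a constructed placeholder for the report's value.

# Constructed snapshot: two connections to the report target, two raw
# sockets (protocol 6 = TCP, as in the question), and unrelated
# Tomcat and sshd sockets that must not be reported.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0 104832 172.31.40.123:41922     203.0.113.10:80         ESTABLISHED 19719/Lixsyn
tcp        0 228096 172.31.40.123:41923     203.0.113.10:80         SYN_SENT    19719/Lixsyn
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1203/java
tcp        0      0 172.31.40.123:22        198.51.100.7:51514      ESTABLISHED 1455/sshd
raw   104832 426240 0.0.0.0:6               0.0.0.0:*               7           19719/Lixsyn
raw   104832 228096 0.0.0.0:6               0.0.0.0:*               7           19719/Lixsyn'

# pids_talking_to <remote_ip> <remote_port> [netstat_text]
# Prints unique "PID/Program" entries whose foreign address matches.
# Header lines are skipped because their last field is not "<pid>/...".
# Without a third argument it reads the live host's netstat -tunp.
pids_talking_to() {
    target="$1:$2"; input="${3:-$(netstat -tunp 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v t="$target" \
        '$5 == t && $NF ~ /^[0-9]+\// { print $NF }' | sort -u
}

# raw_socket_owners [netstat_text]
# Raw sockets let a process craft TCP packets without a connection, which
# is why the report showed huge bytes sent and zero received.
raw_socket_owners() {
    input="${1:-$(netstat -anp --raw 2>/dev/null)}"
    printf '%s\n' "$input" | awk \
        '$1 == "raw" && $NF ~ /^[0-9]+\// { print $NF }' | sort -u
}

# pid_only <PID/Program> -> numeric pid, ready for "ps -ef" or /proc/<pid>/exe.
pid_only() { printf '%s\n' "$1" | cut -d/ -f1; }

# Run against the constructed snapshot; on a live host drop the snapshot
# arguments, then inspect each pid with: ps -o pid,ppid,cmd -p "$pid"
for entry in $(pids_talking_to 203.0.113.10 80 "$SAMPLE_NETSTAT") \
             $(raw_socket_owners "$SAMPLE_NETSTAT"); do
    echo "suspicious socket owner: $entry (pid $(pid_only "$entry"))"
done
```

Once a pid is identified, `ls -l /proc/<pid>/exe` and the parent pid from `ps` show where the binary lives and what respawns it, which is what the answer's step 3 is after.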