AWS Security: Mitigating Unknown IP Address Traffic to Port 22

Question

You have an instance set up in a test environment in AWS.

You installed the required application and promoted the server to a production environment.

Your IT Security team has advised that since yesterday there has been some traffic flowing in from an unknown IP address to port 22.

Which of the following methods is the most suitable to mitigate the threat?

Answers

A. Terminate the instance.
B. Modify the inbound rule of the security group to only allow known IP addresses.
C. Change the AWS Shield rule to block this IP address.
D. In the instance, stop the sshd process to prevent any unexpected SSH access.

Explanations

The answer is B.

Option A is incorrect because terminating a production instance is not a recommended best practice.

Option B is CORRECT because the security group's inbound rule can be tightened to block SSH access from unknown IP addresses.

Option C is incorrect because AWS Shield is used for protecting against DDoS attacks; it cannot block an IP address on port 22.

Option D is incorrect because this method stops all SSH access, including legitimate SSH traffic.

For more information on authorizing access to an instance, please visit the URLs below:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking

In this scenario, the IT Security team has alerted you that there has been traffic flowing from an unknown IP address to port 22. Since port 22 is commonly used for SSH access, this could be a security threat. Let's discuss the options given and determine which is the most suitable to mitigate the threat.

A. Terminate the instance: Terminating the instance might be an option if it's a test environment. However, if it is a production environment, terminating the instance could result in significant downtime and potentially loss of data.

B. Modify the inbound rule of the security group to only allow known IP addresses: This option is the most suitable method to mitigate the threat in this scenario. You can modify the inbound rule of the security group associated with the instance to only allow traffic from known IP addresses. By doing this, you can prevent any unauthorized access to the instance via SSH.
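To show what the option-B fix looks like in practice, here is an added example (not from the original page or from AWS) in Python: it scans a security-group description in the shape boto3's `describe_security_groups` returns, finds every ingress rule that exposes TCP/22 to 0.0.0.0/0 or ::/0, and builds the payloads for boto3's `revoke_security_group_ingress` and `authorize_security_group_ingress`. The sample group, its group ID and the 203.0.113.0/24 admin range are constructed values.

```python
from typing import Dict, List
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def covers_port(perm: Dict, port: int = 22) -> bool:
    """True if an IpPermission entry includes `port` ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def open_ssh_rules(group: Dict) -> List[Dict]:
    """Revoke-ready IpPermissions for each rule letting any IP reach port 22.
    Only the any-IP ranges are copied, so known CIDRs on the same rule survive."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
        if not (v4 or v6):
            continue
        rule = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:  # absent on all-traffic ("-1") rules
            rule.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        findings.append(rule)
    return findings

def restrict_ssh(group: Dict, allowed_cidrs: List[str]) -> Dict[str, List[Dict]]:
    """Payloads for revoke_/authorize_security_group_ingress(GroupId=..., IpPermissions=...)."""
    authorize = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": c, "Description": "known admin range"}
                               for c in allowed_cidrs]}]
    return {"revoke": open_ssh_rules(group), "authorize": authorize}

# Constructed sample (not real data): SSH open to the world next to a known range; HTTPS open is expected.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
```

`restrict_ssh(SAMPLE_GROUP, ["203.0.113.0/24"])` yields one revoke entry covering only the any-IP ranges of the port-22 rule and leaves the HTTPS rule alone; the API calls themselves are left to the operator so the payloads can be reviewed before they are applied.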

C. Change the AWS Shield rule to block this IP address: AWS Shield is a managed DDoS protection service that is automatically enabled on all AWS resources. However, it is designed to protect against DDoS attacks, and it may not be suitable for this scenario. Furthermore, blocking an IP address using AWS Shield can take some time to propagate, and during that time, the instance remains vulnerable to the attack.

D. In the instance, stop the sshd process to prevent any unexpected SSH access: Stopping the sshd process on the instance would prevent any SSH access to the instance, including authorized access. This option is not suitable if the instance is in production and requires SSH access.

In conclusion, the most suitable method to mitigate the threat in this scenario is to modify the inbound rule of the security group associated with the instance to only allow traffic from known IP addresses.