Rubik
Intern
Intern
  • UID8266
  • Fans0
  • Follows0
  • Posts3
Reads:6411Replies:4

Unidentified SSH connections

Created#
More Posted time:Nov 30, 2019 18:43 PM
Hello,


I recently signed up for a Linux ECS a couple of weeks ago. I have now noticed by issuing "netstat atp | grep ss" to see active ssh connections with ip, I can see ssh connections from unauthorized ip's. This has raise a serious security concern for me. I have changed my default login/password and am using pub key authentication from the beginning. I notice these ssh connections multiple times a day ! I started blacklisting the the IP's but it changed it's IP and continue to login. I have done a whoisIP to see where they are from and it's originating from China.


Are these truely authorized access/hacked ?

Latest likes:

wedhuswedhus

anishkhatri10
Intern
Intern
  • UID8346
  • Fans1
  • Follows1
  • Posts2
1st Reply#
Posted time:Nov 30, 2019 20:09 PM

afzaalvirgoboy
Assistant Engineer
Assistant Engineer
  • UID6091
  • Fans0
  • Follows0
  • Posts41
2nd Reply#
Posted time:Dec 2, 2019 13:46 PM
Hi Rubik,

> I have now noticed by issuing "netstat atp | grep ss" to see active ssh connections with ip, I can see ssh connections from unauthorized ip's.

Is it possible for you to put this VM behind a virtual network, and not on the public internet? That way, you will prevent any access to the VM from outside the virtual network. You can create a VPN and connect to your cloud resources securely.
https://www.alibabacloud.com/product/vpc

>  I started blacklisting the the IP's but it changed it's IP and continue to login. I have done a whoisIP to see where they are from and it's originating from China.


I am not sure if these are internal cloud agents (software programs) that help monitor the VM health and status on the platform. But I would highly recommend reaching out to Alibaba Cloud's team and check with them on this issue. Also share the IP addresses, as they would know which of the IP addresses are owned by Alibaba Cloud.

Rubik
Intern
Intern
  • UID8266
  • Fans0
  • Follows0
  • Posts3
3rd Reply#
Posted time:Dec 2, 2019 14:56 PM
Thanks for your reponse. I have already contacted alibaba support and they can neither confirm nor deny it is them or their service. They just asked me to block the IP's if required, which i have done. The behaviour is very suspecious, as soon as I started blocking IP's, a new IP is used to login . This has continue for the past couple of days. ALL ip's was trace to originate from China location. I was thinking of only allowing my subnet to login, however , the standard SSH port 22 cannot be modified from the console panel and is greyed out.


When a new machine is created on Alibaba, it is possibie is that someone else knows the default password ?

CyberDaeng
Intern
Intern
  • UID8384
  • Fans0
  • Follows0
  • Posts8
4Floor#
Posted time:Dec 5, 2019 0:12 AM
Not as I know... When you create ECS Instance in the Console, the password you create is only known by you. And if you use SSH Key that even more secure.

When you performing 'netstat atp | grep ss' is that right after ECS deployment? Because there are many reason of that. One of it CloudAgent, and the other is might be access from another server you cluster with each other.
Guest