AWS Linux: illegal intrusion attempts against remote hosts on the Internet. Prevention methods?

Question

I launched a linux instance and did the following.

1. Only 22, 80 and 8080 ports were opened to "everywhere" as inbound rule
2. Only git, ruby, ruby-dev, apache and youtrack was installed only from their original sources or using "yum install" command.
3. Allowed SSH password euthentication for connections.
4. I created some users.

However, we got the following mail.

Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-******
IP Address: 52.33.***.***



has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.

Host Intrusion is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instances(s) to cease disruption to other networks and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233
provides some suggestions for securing your instances.

Case number: ************-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs: 
* Destination Ports: 
* Destination URLs: 
* Abuse Time: Fri Nov 13 13:28:00 UTC 2015
* Log Extract: 
<<<
2015-11-13 05:28:10.279 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 3 
2015-11-13 05:28:17.495 52.33.***.*** 40806 ***.***.193.0 22 ....S. 6 1 
2015-11-13 05:28:20.018 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 3 
2015-11-13 05:28:27.378 52.33.***.*** 49968 ***.***.193.1 22 ....S. 6 1 
2015-11-13 05:28:29.998 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:30.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:32.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:36.999 52.33.***.*** 36185 ***.***.193.2 22 ....S. 6 1 
2015-11-13 05:28:40.246 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 2 
2015-11-13 05:28:43.471 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:47.517 52.33.***.*** 59503 ***.***.193.3 22 ....S. 6 1 
2015-11-13 05:28:50.070 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 3 
2015-11-13 05:28:57.589 52.33.***.*** 48731 ***.***.193.4 22 ....S. 6 1 
2015-11-13 05:28:59.967 52.33.***.*** 58537 ***.***.193.5 22 .A.RS. 6 3 
2015-11-13 05:28:59.921 52.33.***.*** 58647 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:01.999 52.33.***.*** 58647 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:01.968 52.33.***.*** 59568 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:03.970 52.33.***.*** 59568 ***.***.193.5 22 ...R.. 6 1 
2015-11-13 05:29:04.007 52.33.***.*** 60527 ***.***.193.5 22 .APRS. 6 12 
2015-11-13 05:29:05.999 52.33.***.*** 60527 ***.***.193.5 22 ...R.. 6 1 

1. Restricting ports to specific IP addresses is not an option for us.

2. How can I check the traffic log on SSH port 22?

   What do you suggest? What should I do?

Since it was a fresh host and I don't have malwares on my PC, I don't believe it was compromised/hacked?

How would someone can hack my server? Can this be a mistakenly sent abuse report?

Thank You,

Answer 1

Your instance was probably comprised. Either due to opening the instance up for password authentication, or installing an application that had a security issue which allowed an attacker to install malware on your instance.

It really doesn't take long for a new instance to become compromised. There are people scanning IP addresses for vulnerabilities all the time.

To keep SSH secure, you should use key authentication only, an if possible, white-list access to certain IP addresses.