Protect your server from ssh password brute forcing

The Story

I have been seeing some hackers out there trying to hack into my AWS instance.
Fortunately, AWS does a good job of securing your EC2 instance: to access it you need the private key (.pem) associated with the instance.
So the only thing you need to do is make sure you haven't left any other backdoor open for the hackers out there.
(In my case, I have Apache/vsftpd set up, so I should check my user list to see whether those users have shell access.)

Still, having to read so many logs is pretty annoying. (And these logs take up disk space!) So I decided to keep those kids out of my server.
To do this, we use iptables, which comes with Ubuntu by default.

iptables reference

https://help.ubuntu.com/community/IptablesHowTo

Step 1: Check your current iptables settings

In my case nothing has been set up yet.
Use:
sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Step 2: Slow down SSH brute force by setting a retry limit

We limit the number of new connections to port 22 to 3 per minute from any single source address and drop anything beyond that:

sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

Because -I inserts at the top of the chain, running the two commands in this order leaves the DROP rule above the --set rule, which is what you want: a new connection is first checked against the source's last 60 seconds of history and only then recorded. Rules added this way are not kept across a reboot unless you persist them (for example with the iptables-persistent package).

Step 3: Check your user settings to make sure only authorized users can log in

Step 4: It’s done!

A snippet of auth.log under my /var/log:

  216 Jan  3 11:37:36 ip-172-31-29-16 sshd[4555]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  217 Jan  3 11:37:37 ip-172-31-29-16 sshd[4557]: Invalid user greg from 117.79.130.206
  218 Jan  3 11:37:37 ip-172-31-29-16 sshd[4557]: input_userauth_request: invalid user greg [preauth]
  219 Jan  3 11:37:38 ip-172-31-29-16 sshd[4557]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  220 Jan  3 11:37:39 ip-172-31-29-16 sshd[4559]: Invalid user vpsadmin from 117.79.130.206
  221 Jan  3 11:37:39 ip-172-31-29-16 sshd[4559]: input_userauth_request: invalid user vpsadmin [preauth]
  222 Jan  3 11:37:39 ip-172-31-29-16 sshd[4559]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  223 Jan  3 11:37:40 ip-172-31-29-16 sshd[4561]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  224 Jan  3 11:37:42 ip-172-31-29-16 sshd[4563]: Invalid user bash from 117.79.130.206
  225 Jan  3 11:37:42 ip-172-31-29-16 sshd[4563]: input_userauth_request: invalid user bash [preauth]
  226 Jan  3 11:37:42 ip-172-31-29-16 sshd[4563]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  233 Jan  3 11:37:46 ip-172-31-29-16 sshd[4569]: Invalid user zabbix from 117.79.130.206
  234 Jan  3 11:37:46 ip-172-31-29-16 sshd[4569]: input_userauth_request: invalid user zabbix [preauth]
  235 Jan  3 11:37:47 ip-172-31-29-16 sshd[4569]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  239 Jan  3 11:37:49 ip-172-31-29-16 sshd[4573]: Invalid user sercon from 117.79.130.206
  240 Jan  3 11:37:49 ip-172-31-29-16 sshd[4573]: input_userauth_request: invalid user sercon [preauth]
  241 Jan  3 11:37:49 ip-172-31-29-16 sshd[4573]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  242 Jan  3 11:37:51 ip-172-31-29-16 sshd[4575]: Invalid user patriciar from 117.79.130.206
  243 Jan  3 11:37:51 ip-172-31-29-16 sshd[4575]: input_userauth_request: invalid user patriciar [preauth]
  244 Jan  3 11:37:51 ip-172-31-29-16 sshd[4575]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  245 Jan  3 11:37:52 ip-172-31-29-16 sshd[4577]: Invalid user anders from 117.79.130.206
  246 Jan  3 11:37:52 ip-172-31-29-16 sshd[4577]: input_userauth_request: invalid user anders [preauth]
  247 Jan  3 11:37:52 ip-172-31-29-16 sshd[4577]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  248 Jan  3 11:37:53 ip-172-31-29-16 sshd[4579]: Invalid user felipe from 117.79.130.206
  249 Jan  3 11:37:53 ip-172-31-29-16 sshd[4579]: input_userauth_request: invalid user felipe [preauth]
  250 Jan  3 11:37:54 ip-172-31-29-16 sshd[4579]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  251 Jan  3 11:37:55 ip-172-31-29-16 sshd[4581]: Invalid user coupon from 117.79.130.206
  252 Jan  3 11:37:55 ip-172-31-29-16 sshd[4581]: input_userauth_request: invalid user coupon [preauth]
  253 Jan  3 11:37:55 ip-172-31-29-16 sshd[4581]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  257 Jan  3 11:37:58 ip-172-31-29-16 sshd[4585]: Invalid user etherpad from 117.79.130.206
  258 Jan  3 11:37:58 ip-172-31-29-16 sshd[4585]: input_userauth_request: invalid user etherpad [preauth]
  259 Jan  3 11:37:58 ip-172-31-29-16 sshd[4585]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  260 Jan  3 11:37:59 ip-172-31-29-16 sshd[4587]: Invalid user links from 117.79.130.206
  261 Jan  3 11:37:59 ip-172-31-29-16 sshd[4587]: input_userauth_request: invalid user links [preauth]
  262 Jan  3 11:38:00 ip-172-31-29-16 sshd[4587]: Received disconnect from 117.79.130.206: 11: Bye Bye [preauth]
  263 Jan  3 11:38:01 ip-172-31-29-16 sshd[4589]: Invalid user tamas from 117.79.130.206
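The rule from Step 2 and the auth.log from Step 4 can be checked against each other. The following is an added example, not code from the original post: it replays sshd log lines (constructed here in the same format, with documentation IP addresses) through a model of the `-m recent --update --seconds 60 --hitcount 3` rule and reports which connections it would have dropped. The model assumes the xt_recent behaviour that `--update` counts the earlier stamps inside the window and, on a match, also records the current packet.

```python
import re
from datetime import datetime

# Constructed sample in the post's auth.log format (documentation IPs, not real ones):
# 198.51.100.7 brute-forces sshd, 203.0.113.5 is an admin opening two normal sessions.
# One sshd[pid] = one TCP connection = one --state NEW packet seen by the iptables rule.
AUTH_LOG = """\
Jan  3 11:37:36 ip-172-31-29-16 sshd[4555]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Jan  3 11:37:37 ip-172-31-29-16 sshd[4557]: Invalid user greg from 198.51.100.7
Jan  3 11:37:37 ip-172-31-29-16 sshd[4557]: input_userauth_request: invalid user greg [preauth]
Jan  3 11:37:39 ip-172-31-29-16 sshd[4559]: Invalid user vpsadmin from 198.51.100.7
Jan  3 11:37:40 ip-172-31-29-16 sshd[4560]: Accepted publickey for ubuntu from 203.0.113.5 port 50122 ssh2
Jan  3 11:37:42 ip-172-31-29-16 sshd[4563]: Invalid user bash from 198.51.100.7
Jan  3 11:37:46 ip-172-31-29-16 sshd[4569]: Invalid user zabbix from 198.51.100.7
Jan  3 11:37:50 ip-172-31-29-16 sshd[4570]: Accepted publickey for ubuntu from 203.0.113.5 port 50130 ssh2
Jan  3 11:38:50 ip-172-31-29-16 sshd[4600]: Invalid user anders from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*?from (\d+(?:\.\d+){3})")


def connections(log):
    """Yield (timestamp, source_ip) once per sshd pid, i.e. once per TCP connection."""
    seen = set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) not in seen:
            seen.add(m.group(2))
            # syslog timestamps carry no year; only differences matter here
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(3)


def replay_recent_rule(log, seconds=60, hitcount=3):
    """Model the xt_recent rule pair: --update counts earlier hits inside the window and
    DROPs at >= hitcount; both --update (on a match) and --set stamp the current packet,
    so an attacker who keeps retrying keeps refreshing its own block."""
    stamps, verdicts = {}, {}
    for ts, ip in connections(log):
        hist = stamps.setdefault(ip, [])
        hits = sum(1 for s in hist if (ts - s).total_seconds() <= seconds)
        verdict = "DROP" if hits >= hitcount else "ACCEPT"
        hist.append(ts)
        verdicts.setdefault(ip, []).append(verdict)
    return verdicts


if __name__ == "__main__":
    for ip, v in replay_recent_rule(AUTH_LOG).items():
        print(ip, " ".join(v))
```

The replay also shows the rule's main side effect: a legitimate user who opens a fourth connection within a minute from one address is dropped exactly like the attacker, while the attacker gets a fresh allowance once it has been quiet for 60 seconds.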
