I created two websites and deployed them on a free-tier AWS EC2 instance, they have been runing normally since this March; however, it is not available to access today. Updates on 30th Sept.: This happens every two weeks or every month since the first time in this July. Issues I cannot visit my sites from my devices and other peoples', they response is timeout; I cannot connect to the ec2 instance via ssh with my own perm as usual, and it says: ssh: connect to host ec2-54-188-32-115.us-west-2.compute.amazonaws.com port 22: Connection timed out The EC2 IP address is not pingable. Troubleshooting So I opened the EC2 web console and found that my instance is running, but there is a yellow warning sign from the dashboard as only "1/2 checks passed" of the Status Check. The Status Checks failed at the second stage: Instance reachability check failed, and it failed 13 hours ago. The help info suggests a reboot to recover or create a new instance. The latter suggestion is a obviously awful solution as I will lost all the data and configuration. The AWS kownledge center list many reasons or solutions for this issue, and I don't want to read that much before I've tried some easist way. First try: reboot. I reboot it from the console twice, however, the instance cannot be recovered, and the yellow warning still exists. Second try(Fix): Stop and start separately. This is not listed from their suggestion. I certainly don't want to create a new instance. So I stopped the instance from the console, and…

闲来无事，看了下访问本主机的日志信息，结果不看不知道，一看虽没吓一跳，但至少没让我意外。好家伙，这么多记录，先来看看他们的行为： #cat /var/log/secure | grep Failed |wc -l 3393 一共发现接近3400条登陆失败的记录！！不到一天时间，不少了吧？ #cat /var/log/secure | head -n 100 | grep Failed Mar 12 04:22:46 sshd[21607]: Failed password for invalid user 1 from 212.15.99.53 port 45244 ssh2 Mar 12 04:26:06 sshd[21637]: Failed password for invalid user 2 from 212.15.99.53 port 41958 ssh2 Mar 12 04:29:23 sshd[21659]: Failed password for invalid user 3 from 212.15.99.53 port 38680 ssh2 Mar 12 04:32:35 sshd[21685]: Failed password for invalid user teamspeak from 212.15.99.53 port 35402 ssh2 Mar 12 04:35:50 sshd[21713]: Failed password for invalid user teamspeak from 212.15.99.53 port 60350 ssh2 Mar 12 04:39:10 sshd[21739]: Failed password for invalid user teamspeak from 212.15.99.53 port 57078 ssh2 Mar 12 04:42:37 sshd[21774]: Failed password for invalid user teamspeak from 212.15.99.53 port 53790 ssh2 Mar 12 04:43:34 sshd[21788]: Failed password for root from 5.188.203.113 port 7002 ssh2 Mar 12 04:43:39 sshd[21791]: Failed password for invalid user mcserver from 5.101.0.51 port 57443 ssh2 Mar 12 04:45:59 sshd[21809]: Failed password for invalid user teamspeak from 212.15.99.53 port 50510 ssh2 …… 212.15.99.53这个家伙从今天凌晨三点开始，几乎没有间断过采取不同的用户名和密码尝试登陆我的主机。 从日志记录信息不难看出，所有尝试登陆Failed记录的最后三个字串是port 端口号 ssh2这个形式，利用这个特性非常方便提取入侵者的IP。通过强大的awk命令即可列出所有入侵者登陆失败的IP地址： #cat /var/log/secure|awk '/Failed/{print $(NF-3)}' 将提取出来的IP结合sort命令进行排序，就可将同一IP的尝试记录排列放在一起。输出放至ip1.tmp文件中： #cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort > ip1.tmp 结合uniq -c命令的重行计数功能，删除ip1.tmp文件中接连相同的重复行。我用awk将其格式化成IP tried times: count的形式输出至ip2.tmp文件中： #cat ip1.tmp | uniq -c|awk '{print $2 "\t" "tried times: "$1;}' > ip2.tmp 再用sort做一次按照入侵失败次数从多到少的排序，排序结果输出至hacker.iplist文件之中： #sort -nrk 2 -t: ip2.tmp > hacker.iplist 删除两个临时文件： #rm -f *.tmp 现在看一下hacker.iplist文件中统计出来的ssh非法访问数据： 数据1：有多少IP尝试通过ssh非法登陆本机，但失败了？数据是：70个 #cat hacker.iplist | wc -l 70 数据2：尝试次数top 10。 114.32.120.181这个IP尝试了1400多次！！ #head hacker.iplist 114.32.120.181 tried times: 1462 218.65.30.53 tried times: 840 145.249.106.78 tried times: 424 5.135.167.146 tried times: 308 212.15.99.53 tried times: 49 173.249.15.111 tried times: 45 103.99.0.205 tried times: 30 5.188.10.156 tried times: 24 188.166.218.235 tried…