2 Answers
Hi,
I agree with you, and I know others have stated the same. I understand that Ryan is doing it for convenience and that he terminates instances immediately after recording lectures. However, after going through VPC Flow Log demonstrations and playing around with them more I was amazed at just how quickly there were probes looking for vulnerabilities and how many of them there were. There’s no such thing as security by obscurity any longer, and I wish that the lectures would incorporate best practices for things like this. Students who are following labs may not know any better, and are more apt to leave instances running for a period of time while trying to learn the material.
Tom.
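The VPC Flow Log observation above (probes arriving within minutes of an instance coming up) can be turned into a simple detection. The following is an added example, not code from the course or the original poster: it parses default-format (version 2) VPC Flow Log records and reports, per source outside the VPC, how many TCP/22 attempts were rejected by the security group and, more importantly, how many were accepted. The sample records, the account id, the interface id and the VPC CIDR are constructed placeholders.

```python
"""Summarise SSH probing seen in VPC Flow Log records (default v2 format).

Added example; sample records below are constructed, and the account id,
interface id and VPC CIDR are placeholders, not values from a real account.
"""
import ipaddress
from collections import defaultdict

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Assumed VPC range: anything outside it is treated as external.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample: three rejected SSH attempts from one host, one accepted
# SSH session from another external host, internal SSH, an RDP probe, and a
# NODATA record that carries no addresses.
SAMPLE_LOG = """\
2 111111111111 eni-0000000000000000a 203.0.113.5 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000000000a 203.0.113.5 10.0.1.20 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000000000a 198.51.100.77 10.0.1.20 40001 22 6 5 420 1700000010 1700000070 ACCEPT OK
2 111111111111 eni-0000000000000000a 10.0.1.9 10.0.1.20 55000 22 6 20 4000 1700000020 1700000080 ACCEPT OK
2 111111111111 eni-0000000000000000a 203.0.113.9 10.0.1.20 60000 3389 6 1 60 1700000030 1700000090 REJECT OK
2 111111111111 eni-0000000000000000a 203.0.113.5 10.0.1.20 51236 22 6 3 180 1700000040 1700000100 REJECT OK
2 111111111111 eni-0000000000000000a - - - - - - - 1700000050 1700000110 - NODATA
"""


def parse_records(text):
    """Yield one dict per usable record; NODATA/SKIPDATA rows are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":   # address fields are '-' on these rows
            continue
        yield rec


def is_external(addr):
    """True when the address is not inside the assumed VPC CIDR."""
    return ipaddress.ip_address(addr) not in VPC_CIDR


def ssh_probe_summary(text, port="22"):
    """Per external source address: count of REJECT and ACCEPT flows to `port`/tcp."""
    summary = defaultdict(lambda: {"REJECT": 0, "ACCEPT": 0})
    for rec in parse_records(text):
        if rec["dstport"] != port or rec["protocol"] != "6":   # 6 = TCP
            continue
        if not is_external(rec["srcaddr"]):
            continue
        summary[rec["srcaddr"]][rec["action"]] += 1
    return dict(summary)


def findings(text, port="22", reject_threshold=3):
    """Rank sources: any accepted external SSH flow is HIGH (the group is open
    to the internet); repeated rejects are MEDIUM (someone is probing)."""
    out = []
    for src, counts in ssh_probe_summary(text, port).items():
        if counts["ACCEPT"]:
            out.append(("HIGH", src,
                        f"{counts['ACCEPT']} accepted SSH flow(s) from outside the VPC"))
        elif counts["REJECT"] >= reject_threshold:
            out.append(("MEDIUM", src,
                        f"{counts['REJECT']} rejected SSH attempts (probing)"))
    return sorted(out)


if __name__ == "__main__":
    for severity, src, detail in findings(SAMPLE_LOG):
        print(f"{severity:6} {src:16} {detail}")
```

A REJECT on port 22 means the security group did its job; an ACCEPT from an address you do not recognise is the case the thread is worried about, which is why the example ranks it higher even when it appears only once.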
Thanks for the feedback – we’ll take it on board.
Yeah, GuardDuty will log SSH probes within seconds — generally coming from China.
SSH probes are one – what surprised me also was looking at top referrers in my CloudFront logs for an S3 static web site that only has plain vanilla html files, and seeing requests that are probing for WordPress vulnerabilities and other common entry points. I haven’t tried GuardDuty yet – will give it a looksie.
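The CloudFront observation in the last comment (WordPress-style requests against a site that serves only static HTML) can be checked from the standard access logs without any extra tooling. The following is an added example, not code from the course or any of the commenters: it reads the `#Fields:` header of a CloudFront standard log, so it works on the full format, and then lists which client addresses requested paths on a small watchlist of common scanner targets, plus the referrer counts the commenter was looking at. The sample log is constructed and trimmed to the first eleven standard columns; the distribution hostname, addresses and referrer values are placeholders, and the watchlist is an assumption to extend for your own site.

```python
"""Flag scanner-style requests in CloudFront standard (tab-separated) logs.

Added example. The sample below is constructed and trimmed to the first 11
columns of the standard log format; the parser reads the #Fields: header, so
it also works on complete logs with the full column set.
"""
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed watchlist of paths that a static-HTML site never serves legitimately.
WATCHLIST = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/.env", "/phpmyadmin/")

# Constructed sample log (placeholder distribution name and addresses).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)
2024-01-01\t10:00:01\tIAD89-C1\t1024\t203.0.113.5\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0
2024-01-01\t10:00:02\tIAD89-C1\t512\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/wp-login.php\t404\t-\tpython-requests/2.31
2024-01-01\t10:00:02\tIAD89-C1\t512\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/xmlrpc.php\t404\t-\tpython-requests/2.31
2024-01-01\t10:00:03\tIAD89-C1\t512\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/.env\t404\t-\tpython-requests/2.31
2024-01-01\t10:00:04\tIAD89-C1\t800\t203.0.113.9\tGET\td111111abcdef8.cloudfront.net\t/about.html\t200\thttps://example.com/\tMozilla/5.0
2024-01-01\t10:00:05\tIAD89-C1\t512\t203.0.113.77\tGET\td111111abcdef8.cloudfront.net\t/wp-admin/setup-config.php\t404\thttp://scanner.example/\tcurl/8.0
"""


def parse_cloudfront(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):   # truncated or foreign line
            continue
        yield dict(zip(fields, values))


def probe_report(text, watchlist=WATCHLIST):
    """Return (paths requested per client on the watchlist, referrer counts).

    CloudFront percent-encodes some characters in URI and referrer fields,
    so both are decoded before matching; '-' marks an absent referrer."""
    per_ip = defaultdict(list)
    referrers = Counter()
    for rec in parse_cloudfront(text):
        path = unquote(rec["cs-uri-stem"])
        referer = rec["cs(Referer)"]
        if referer != "-":
            referrers[unquote(referer)] += 1
        if any(path.startswith(prefix) for prefix in watchlist):
            per_ip[rec["c-ip"]].append(path)
    return dict(per_ip), referrers


if __name__ == "__main__":
    hits, refs = probe_report(SAMPLE_LOG)
    for ip, paths in hits.items():
        print(f"{ip}: {len(paths)} watchlist request(s): {', '.join(paths)}")
    for ref, n in refs.most_common():
        print(f"referrer {ref}: {n}")
```

On a static site every one of these requests is a 404, so the cost is only log noise; the value of the report is in confirming, as the commenter did, that the scanning happens regardless of what the site actually runs.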