GuardDuty alerts for recon - false positive?

0

I received an alert last week from GuardDuty saying that "An EC2 instance has an unprotected port which is being probed by a known malicious host." We have double- and triple-checked security groups, by myself and 2 other AWS admins. We have tried to access the supposedly exposed port directly and tried port scans on the public IP from multiple hosts; all report the port is closed and AWS security group controls are working perfectly. How can I determine WHY GuardDuty alerted on this port probe, because ALL indicators are that my EC2 instance is locked tight? I find ZERO evidence this port is exposed.

3 Answers
0
Accepted Answer

Talked to one of the developers: they were doing some testing, and the security groups I saw when reviewing the alert were different from the security groups at the time the alert occurred.

Anthony
answered a month ago
0

Hello,

Refer to this documentation on how to remediate the finding Recon:EC2/PortProbeUnprotectedPort: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport_description

https://repost.aws/knowledge-center/resolve-guardduty-unprotectedport-alerts

You can ignore the finding if you're sure that the EC2 instance is secure.

EXPERT
answered a month ago
0

I'm reasonably sure that GuardDuty is correct in reporting the finding. It simply inspects your VPC flow logs and looks for repeated connections to ports other than ordinarily needed ones (like tcp/443) and reports if it observes matching traffic passing through. There must be a security group that's permitting the traffic flow the GuardDuty finding is showing.

Does your EC2 instance perhaps have multiple network interfaces? Security groups are attached separately to each ENI, despite a single set of them appearing in the instance properties, so one interface could have a security group attached that permits traffic while another interface wouldn't.

Or, could traffic be entering through a Network Load Balancer (NLB), and instead of the attacker's public IP address being permitted in the security group rules of your EC2 instance, the NLB's security group would allow it, and the security group of the EC2 instance would allow traffic from the NLB's security group?

EXPERT
Leo K
answered a month ago
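The per-ENI check Leo K describes, as an added example that is not from the original thread or from AWS: given the probed port and remote IP from the finding, it walks every network interface of the instance and reports which interface and which security group actually admit that probe. The finding excerpt, the ENI list and the security group rules are all constructed sample data shaped after `describe-security-groups` IpPermissions (simplified), and, following the accepted answer, the rule state fed in should be the one in effect at the time of the finding, not the one you see today.

```python
import ipaddress

# Constructed finding excerpt (flattened; not the real finding JSON layout).
FINDING = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "instance_id": "i-PLACEHOLDER",
    "local_port": 3389,
    "protocol": "TCP",
    "remote_ip": "203.0.113.45",   # documentation address, constructed
}

# Constructed ENI inventory: security groups are attached per interface,
# so a second ENI can carry a group the instance summary view hides.
ENIS = {
    "eni-primary":   ["sg-web"],
    "eni-secondary": ["sg-devtest"],
}

# Constructed inbound rules per group, in simplified IpPermissions shape.
SG_INBOUND = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-devtest": [   # "-1" means all protocols and all ports
        {"IpProtocol": "-1", "FromPort": None, "ToPort": None,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

def rule_allows(rule, protocol, port, remote_ip):
    """True if one inbound rule admits protocol/port from remote_ip."""
    proto = rule["IpProtocol"]
    if proto != "-1":
        if proto.lower() != protocol.lower():
            return False
        if not (rule["FromPort"] <= port <= rule["ToPort"]):
            return False
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule["IpRanges"])

def exposing_interfaces(finding, enis, sg_inbound):
    """Map each ENI to the security groups that admit the probed traffic."""
    hits = {}
    for eni, sgs in enis.items():
        offending = [sg for sg in sgs if any(
            rule_allows(r, finding["protocol"], finding["local_port"],
                        finding["remote_ip"]) for r in sg_inbound.get(sg, []))]
        if offending:
            hits[eni] = offending
    return hits  # -> {'eni-secondary': ['sg-devtest']}
```

An empty result against the rules that were current at the finding time means the flow must have reached the instance another way, such as via an NLB whose own security group is the one admitting the remote address.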