How to prevent unauthorized SSH access to an AWS instance

One of my client's sites was down due to a DDoS attack, and maybe someone tried to log in over SSH multiple times. Here is the log I got from the server.

The auth.log file is located in the /var/log/ folder.

Dec 12 18:02:17 ip-*.*.*.* sshguard[2569]: Attack from "5.42.82.235" on service SSH with danger 10.
Dec 12 18:02:18 ip-*.*.*.* sshd[4518]: fatal: Timeout before authentication for 210.22.98.28 port 55870
Dec 12 18:02:24 ip-*.*.*.* sshd[4539]: Received disconnect from 104.168.35.201 port 60132:11: Bye Bye [preauth]
Dec 12 18:02:24 ip-*.*.*.* sshd[4539]: Disconnected from authenticating user root 104.168.35.201 port 60132 [preauth]
Dec 12 18:02:24 ip-*.*.*.* sshguard[2569]: Attack from "104.168.35.201" on service SSH with danger 10.
Dec 12 18:02:24 ip-*.*.*.* sshguard[2569]: Blocking "104.168.35.201/32" for 480 secs (3 attacks in 132 secs, after 3 abuses over 981 secs.)
Dec 12 18:02:47 ip-*.*.*.* sshd[4543]: Received disconnect from 103.130.214.137 port 60030:11: Bye Bye [preauth]
Dec 12 18:02:47 ip-*.*.*.* sshd[4543]: Disconnected from authenticating user root 103.130.214.137 port 60030 [preauth]
Dec 12 18:02:48 ip-*.*.*.* sshguard[2569]: Attack from "103.130.214.137" on service SSH with danger 10.
Dec 12 18:02:48 ip-*.*.*.* sshguard[2569]: Blocking "103.130.214.137/32" for 240 secs (3 attacks in 113 secs, after 2 abuses over 731 secs.)
Dec 12 18:02:54 ip-*.*.*.* sshd[4547]: Received disconnect from 137.184.76.77 port 37600:11: Bye Bye [preauth]
Dec 12 18:02:54 ip-*.*.*.* sshd[4547]: Disconnected from authenticating user root 137.184.76.77 port 37600 [preauth]
Dec 12 18:02:54 ip-*.*.*.* sshguard[2569]: Attack from "137.184.76.77" on service SSH with danger 10.
Dec 12 18:02:54 ip-*.*.*.* sshguard[2569]: Blocking "137.184.76.77/32" for 480 secs (3 attacks in 136 secs, after 3 abuses over 863 secs.)
Dec 12 18:03:27 ip-*.*.*.* sshd[4552]: Received disconnect from 5.42.82.235 port 48328:11: Bye Bye [preauth]
Dec 12 18:03:27 ip-*.*.*.* sshd[4552]: Disconnected from authenticating user root 5.42.82.235 port 48328 [preauth]
Dec 12 18:03:28 ip-*.*.*.* sshguard[2569]: Attack from "5.42.82.235" on service SSH with danger 10.
Dec 12 18:04:28 ip-*.*.*.* sshguard[2569]: 92.205.18.100: unblocking after 983 secs
Dec 12 18:04:45 ip-*.*.*.* sshd[4559]: Invalid user markus from 5.42.82.235 port 33684
Dec 12 18:04:45 ip-*.*.*.* sshd[4559]: Received disconnect from 5.42.82.235 port 33684:11: Bye Bye [preauth]


SSHGuard was already enabled, so I opened ports 22 and 443 using these commands:

1) sudo ufw status
2) sudo apt update
3) sudo apt install ufw
4) sudo ufw allow 22
5) sudo ufw allow 443
6) sudo ufw enable
7) sudo ufw status

After doing all the steps, it shows this:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)  


Hope it will stop the malicious attempts.
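Added example (not from the original post): a small POSIX shell script that summarizes an auth.log excerpt in the format shown above, so you can see at a glance which source IPs sshguard flagged and blocked, how many root logins were attempted, and which usernames were guessed. SAMPLE_LOG is constructed from the post's own log format; in practice you would feed the functions `/var/log/auth.log` instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarize sshd/sshguard
# activity from an auth.log excerpt. SAMPLE_LOG is constructed to match
# the format shown in the post; pipe real /var/log/auth.log in instead.
SAMPLE_LOG='Dec 12 18:02:17 ip-*.*.*.* sshguard[2569]: Attack from "5.42.82.235" on service SSH with danger 10.
Dec 12 18:02:24 ip-*.*.*.* sshd[4539]: Disconnected from authenticating user root 104.168.35.201 port 60132 [preauth]
Dec 12 18:02:24 ip-*.*.*.* sshguard[2569]: Attack from "104.168.35.201" on service SSH with danger 10.
Dec 12 18:02:24 ip-*.*.*.* sshguard[2569]: Blocking "104.168.35.201/32" for 480 secs (3 attacks in 132 secs, after 3 abuses over 981 secs.)
Dec 12 18:02:47 ip-*.*.*.* sshd[4543]: Disconnected from authenticating user root 103.130.214.137 port 60030 [preauth]
Dec 12 18:02:48 ip-*.*.*.* sshguard[2569]: Attack from "103.130.214.137" on service SSH with danger 10.
Dec 12 18:02:48 ip-*.*.*.* sshguard[2569]: Blocking "103.130.214.137/32" for 240 secs (3 attacks in 113 secs, after 2 abuses over 731 secs.)
Dec 12 18:03:27 ip-*.*.*.* sshd[4552]: Disconnected from authenticating user root 5.42.82.235 port 48328 [preauth]
Dec 12 18:03:28 ip-*.*.*.* sshguard[2569]: Attack from "5.42.82.235" on service SSH with danger 10.
Dec 12 18:04:45 ip-*.*.*.* sshd[4559]: Invalid user markus from 5.42.82.235 port 33684'

# sshguard "Attack from" events per source IP (read from stdin), most frequent first.
attack_counts() {
  awk -F'"' '/sshguard\[[0-9]+\]: Attack from "/ { n[$2]++ }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of pre-auth disconnects where the attempted login name was root.
root_attempts() {
  awk '/sshd\[[0-9]+\]: Disconnected from authenticating user root / { n++ }
       END { print n + 0 }'
}

# Source IPs sshguard actually blocked, with the /32 suffix stripped.
blocked_ips() {
  awk -F'"' '/sshguard\[[0-9]+\]: Blocking "/ { sub(/\/.*/, "", $2); print $2 }'
}

# Non-existent usernames tried against sshd (the word after "user").
invalid_users() {
  awk '/sshd\[[0-9]+\]: Invalid user / {
         for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
       }' | sort -u
}

report() {
  printf 'Attacks per IP:\n'; printf '%s\n' "$SAMPLE_LOG" | attack_counts
  printf 'root pre-auth disconnects: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | root_attempts)"
  printf 'Blocked by sshguard:\n'; printf '%s\n' "$SAMPLE_LOG" | blocked_ips
  printf 'Invalid users tried:\n'; printf '%s\n' "$SAMPLE_LOG" | invalid_users
}
report
```

Note that `ufw allow 22` admits SSH from any address; ufw also offers `ufw limit 22/tcp`, which rate-limits new connections to the port, and `ufw allow from <your-ip> to any port 22` to restrict SSH to known sources.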

 

Thanks 
