Defence working against Attack
Now that the defence is set up, we can verify that it works by running a brute-force attack against the instance. We will use a simple bash script that tries a predefined list of username and password combinations against our SSH instance.
chmod u+x bruteforce_attack.sh
./bruteforce_attack.sh
You will be prompted for an IP. Enter the public IP address of the SSH instance; the script will then attempt 10 username and password combinations. That is enough to trip the defence, since we set the alarm threshold to 5 failed attempts. The alarm does not change state instantly: it only moves to ALARM once the metric has been evaluated over the alarm's configured period and number of evaluation periods, so allow for that delay before checking. Also run the script from a machine whose address you do not mind losing access from: it is the source IP of the attack that ends up denied in the network ACL, so running it from your own workstation cuts off your own SSH access to the instance as well.
In the CloudWatch console we can see the alarm go into the ALARM state and publish to our SNS topic. The SNS notification invokes our Lambda function serverless-fn-trigger, which analyses the source of the attack and counts the requests that came from each single IP. Once it has determined which IP exceeded the count, it invokes the other Lambda function serverless-fn-blockip with that IP to block. The blocking function records the IP in the DynamoDB table and adds a DENY rule for it to the network ACL of the VPC that our SSH instance belongs to.

Open the network ACL to confirm that an inbound rule denying traffic from the IP the requests originated from has been added. Network ACL rules are evaluated in ascending rule-number order and the first match wins, so the DENY rule must carry a lower rule number than the ALLOW rule that admits SSH traffic; a DENY numbered above that ALLOW is never reached and the attacker is still let through.
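The two steps described above, counting failed logins per source IP and building a DENY entry for the network ACL, as an added example in plain Python. This is not the workshop's Lambda code: it runs offline on a few constructed sshd log lines, and instead of calling AWS it returns the keyword arguments that a blocking function would pass to boto3's ec2.create_network_acl_entry(). The names ALARM_THRESHOLD, count_failures, ips_to_block and build_deny_rule, the safelist parameter, and the sample ACL id are assumptions made for the illustration.

```python
"""
Added example (not the workshop's own Lambda code): per-source-IP failure
counting and construction of a network ACL DENY entry, kept offline.
"""
import re
from collections import Counter

ALARM_THRESHOLD = 5  # same threshold as the CloudWatch alarm in the walkthrough

# Constructed sshd log lines (syslog format); not captured from a real host.
SAMPLE_LOG = """\
Mar  1 10:00:01 ip-10-0-1-23 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  1 10:00:02 ip-10-0-1-23 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  1 10:00:03 ip-10-0-1-23 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar  1 10:00:04 ip-10-0-1-23 sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.7 port 51028 ssh2
Mar  1 10:00:05 ip-10-0-1-23 sshd[1209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  1 10:00:06 ip-10-0-1-23 sshd[1211]: Failed password for invalid user guest from 203.0.113.7 port 51032 ssh2
Mar  1 10:00:07 ip-10-0-1-23 sshd[1213]: Failed password for ec2-user from 198.51.100.4 port 40001 ssh2
Mar  1 10:00:08 ip-10-0-1-23 sshd[1215]: Accepted publickey for ec2-user from 192.0.2.10 port 39000 ssh2
"""

# Matches sshd's "Failed password" line for both known and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_block(log_text, threshold=ALARM_THRESHOLD, safelist=()):
    """Source IPs whose failure count reached the threshold, minus any
    safelisted address (e.g. the operator's own workstation, which would
    otherwise be locked out when the test attack is run from it)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in set(safelist))


def build_deny_rule(acl_id, ip, existing_inbound_rules, start=1):
    """Keyword arguments for ec2.create_network_acl_entry() that DENY all
    inbound traffic from `ip`.

    existing_inbound_rules is a list of (rule_number, action) pairs already
    present on the ACL.  Rules are evaluated in ascending number order and the
    first match wins, so the DENY must be numbered below the lowest ALLOW;
    we take the lowest free number at or above `start` and refuse to create a
    rule that would sit behind an ALLOW (it would never be reached).
    """
    taken = {num for num, _action in existing_inbound_rules}
    allows = [num for num, action in existing_inbound_rules if action == "allow"]
    first_allow = min(allows, default=32767)  # 32767 is the ACL's implicit default-deny rule
    rule_number = start
    while rule_number in taken:
        rule_number += 1
    if rule_number >= first_allow:
        raise ValueError(
            f"no free rule number below the first ALLOW rule ({first_allow})"
        )
    return {
        "NetworkAclId": acl_id,
        "RuleNumber": rule_number,
        "Protocol": "-1",      # all protocols
        "RuleAction": "deny",
        "Egress": False,       # inbound rule
        "CidrBlock": f"{ip}/32",
    }


if __name__ == "__main__":
    # Hypothetical ACL with one SSH ALLOW at 100 and the implicit default deny.
    acl_rules = [(100, "allow"), (32767, "deny")]
    for ip in ips_to_block(SAMPLE_LOG):
        print(build_deny_rule("acl-0123456789abcdef0", ip, acl_rules))
```

With the sample log, only 203.0.113.7 (six failures) crosses the threshold of 5; 198.51.100.4 has a single failure and the successful key login from 192.0.2.10 is ignored. The DENY for it lands at rule number 1, ahead of the ALLOW at 100, which is exactly the ordering the network ACL needs for the block to take effect.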