Bad External Client IP Address

This alert occurs when Lacework detects attempted connections from known malicious IPs to processes in your infrastructure. These connections are flagged by Lacework based on threat intelligence sources.

This alert is triggered once every 24 hours, summarizing all attempted connections from these bad IPs to software processes across your monitored infrastructure. For instance, it provides a daily summary of connection attempts to processes such as sshd (SSH) or Nginx across all infrastructure.

note

This alert does not confirm successful connections, and further investigation is required to assess any potential malicious activity.

Why this alert is important

Attackers frequently scan the internet for vulnerabilities and misconfigured services such as SSH interfaces with weak passwords. This alert summarizes such activity that occurs within a 24-hour timeframe, helping you identify probed processes or services.

For instance, if you have an internal policy that strictly prohibits SSH access except through a private bastion host requiring VPN authentication, any connection from a bad external client IP address to an SSH service should raise concerns. This alert can help identify instances where SSH has been inadvertently exposed externally within your infrastructure.

Why this might be just fine

Certain services, especially those that are customer-facing and revenue-generating, may require public accessibility, making them susceptible to scanning from malicious IP addresses. Unless there is additional evidence such as subsequent alerts, successful logins, or indications of tampering, this alert can be treated as informational in nature.

Investigation

Each instance of this alert requires investigation. When examining the Alert Details in the Lacework Console, direct your attention to the following critical areas:

  1. Review the What section to verify whether the entities or applications mentioned in this alert should be exposed to the internet. Incorrect exposure of services, especially with weak or default passwords on their administrative interfaces, can lead to unauthorized access by attackers.
  2. Review the Where section to obtain the number of connections and the data transfer size associated with each connection. Consider investigating further if the data transferred exceeds 10 KB per connection, as this may indicate the exchange of significant information.
  3. Investigate machines listed in the What section where sshd (SSH) is involved by clicking the hostname and opening the User Login Activity and Bad Login Summary cards. These show any attempted SSH connections from bad IPs and whether any of them succeeded.
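As an added illustration (not Lacework's own detection code), the following Python script shows the logic this alert summarizes and the checks from steps 2 and 3: a constructed set of connection records is matched against a constructed threat-intel list of bad IPs, rolled up per process over a 24-hour window with the 10 KB per-connection threshold flagged, and constructed sshd auth-log lines are scanned for successful logins from those IPs. The IPs, hostnames and log lines are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel list of client IPs (documentation ranges, not real indicators).
BAD_IPS = {"198.51.100.7", "203.0.113.42"}

# Constructed connection records: (ISO timestamp, client IP, process, bytes transferred).
CONNECTIONS = [
    ("2024-05-01T00:15:00", "198.51.100.7", "sshd", 1_204),
    ("2024-05-01T03:40:00", "198.51.100.7", "sshd", 15_360),
    ("2024-05-01T09:05:00", "203.0.113.42", "nginx", 820),
    ("2024-05-01T11:20:00", "192.0.2.10", "nginx", 40_000),  # not on the threat-intel list
    ("2024-04-29T23:00:00", "203.0.113.42", "sshd", 300),    # outside the 24-hour window
]

# Constructed sshd auth-log lines from the same day.
AUTH_LOG = [
    "May  1 00:15:02 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 51522 ssh2",
    "May  1 03:40:05 host1 sshd[2390]: Accepted password for deploy from 198.51.100.7 port 52001 ssh2",
]

DATA_THRESHOLD = 10 * 1024  # the 10 KB per-connection threshold from step 2

def summarize(connections, bad_ips, window_end_iso, hours=24):
    """Per-process daily roll-up: bad-IP connection count, total bytes, connections over DATA_THRESHOLD."""
    window_end = datetime.fromisoformat(window_end_iso)
    start = window_end - timedelta(hours=hours)
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "large": []})
    for ts, ip, proc, nbytes in connections:
        if ip not in bad_ips or not (start <= datetime.fromisoformat(ts) < window_end):
            continue
        entry = summary[proc]
        entry["count"] += 1
        entry["bytes"] += nbytes
        if nbytes > DATA_THRESHOLD:
            entry["large"].append((ip, nbytes))
    return dict(summary)

def successful_ssh_logins(auth_log, bad_ips):
    """(user, ip) pairs for sshd 'Accepted' lines whose source is a bad IP."""
    hits = []
    for line in auth_log:
        if "sshd" not in line or "Accepted" not in line:
            continue
        parts = line.split()  # "... Accepted <method> for <user> from <ip> port ..."
        user = parts[parts.index("for") + 1]
        ip = parts[parts.index("from") + 1]
        if ip in bad_ips:
            hits.append((user, ip))
    return hits
```

Calling summarize(CONNECTIONS, BAD_IPS, "2024-05-02T00:00:00") gives the day's roll-up; successful_ssh_logins answers the question step 3's Bad Login Summary card is meant to answer.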

Resolution

If the activity associated with the IP was successful, remediate the affected services and inspect for signs of persistence and lateral movement. If possible, block future communications from the IP. Additionally, determine whether the application in question should be internet-accessible at all.