[j-nsp] SSH_Brute_Force events

Morgan McLean wrx230 at gmail.com
Thu Apr 5 18:21:14 EDT 2012


Why is SSH exposed from the internet to begin with? Generally not a great
idea. Otherwise, changing from the standard port just makes everything more
difficult when dealing with protocols that run over SSH.

These brute force events are usually just bots scanning for insecure
servers; they don't really pose much threat if your sysadmins have things
taken care of.

I am not very familiar with the IPS capabilities. Can a rule be written to
block IPs on the fly?

Morgan

On Thu, Apr 5, 2012 at 3:09 PM, Harri Makela <harri_makela at yahoo.com> wrote:

> Hi Guys
>
> We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
>
> Issue Description: We have detected SSH_Brute_Force events sourcing from
> external IP x.x.x.x targeting multiple internal IPs. This is probably an
> attempt to gain access to SSH enabled servers.
>
> What could be best practices to handle these alerts? i.e.
>
> Change SSH port system-wide from 22 to 10022?
> Report to the ISP to contact the customer, which is really not a
> practical solution?
>
> Any advice will be highly appreciated. I myself am new to this and am trying
> to document the process.
>
> Thanks in advance
> HM
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
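
The pattern in the quoted alert (one external source, failed SSH logins against several internal hosts) can be cross-checked from the servers' own sshd logs before deciding what to block. This is an added example, not part of the original thread and not the ISS GX signature logic; the log lines are constructed, and the OpenSSH syslog line format, hostnames, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: OpenSSH "Failed password" lines as written by classic syslog.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)

# Constructed sample: 203.0.113.7 sprays two hosts, alice mistypes once.
SAMPLE = """
Apr  5 18:01:02 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  5 18:01:05 web01 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Apr  5 18:01:09 db01 sshd[2210]: Failed password for root from 203.0.113.7 port 40133 ssh2
Apr  5 18:01:12 db01 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 40140 ssh2
Apr  5 18:01:15 web01 sshd[4105]: Failed password for root from 203.0.113.7 port 40151 ssh2
Apr  5 18:02:00 web01 sshd[4110]: Failed password for alice from 198.51.100.20 port 51515 ssh2
Apr  5 18:02:20 web01 sshd[4111]: Accepted password for alice from 198.51.100.20 port 51516 ssh2
"""

def brute_force_sources(lines, year=2012, window=timedelta(minutes=5),
                        min_failures=5, min_targets=2):
    """Return {source_ip: sorted target hosts} for sources that reach
    min_failures failed logins inside one sliding window, spread over at
    least min_targets hosts. Thresholds are assumptions to tune locally."""
    recent = defaultdict(deque)   # source -> (timestamp, host) pairs in window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins, blank lines, other daemons
        # Syslog timestamps carry no year and pad single-digit days with a space.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, m["host"]))
        while ts - q[0][0] > window:
            q.popleft()           # forget failures older than the window
        hosts = {h for _, h in q}
        if len(q) >= min_failures and len(hosts) >= min_targets:
            flagged.setdefault(m["src"], set()).update(hosts)
    return {src: sorted(h) for src, h in flagged.items()}

if __name__ == "__main__":
    for src, hosts in brute_force_sources(SAMPLE.splitlines()).items():
        print(f"block candidate {src}: failed logins on {', '.join(hosts)}")
```

The returned sources are candidates for a perimeter block list; a single mistyped password from a legitimate user stays below the thresholds.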

