[j-nsp] SSH_Brute_Force events

Corey Robertson robertson.corey at gmail.com
Thu Apr 5 18:37:29 EDT 2012


Changing to a non-standard port is a start. 

You should also look at why SSH is available globally? Locking it down seems like an obvious solution to me. 

Lastly, I know there are some IPS systems which have mitigation options built-in. It's not much more than a script that logs into your gear and adds a /32 null route for the offending host at your edge. I've never been a fan of this from an automatic perspective but /32 null routes for habitual offenders have always been successful for me anyway. 

HTH

--Corey

On Apr 5, 2012, at 5:09 PM, Harri Makela <harri_makela at yahoo.com> wrote:

> Hi Guys
> 
> We are getting "SSH_Brute_Force" alerts quite often from our Intrusion prevention systems (IPS) - ISS GX. 
>        
> Issue Description: We have detected SSH_Brute_Force events sourcing from external IP x.x.x.x targeting multiple internal IPs. This is probably an attempt to gain access to SSH enabled servers.
> 
> What could be best practices to handle these alerts ? i.e.
> 
> Change the SSH port system-wide from 22 to 10022?
> Report to the ISP so they contact the customer, which is really not a practical solution?
> 
> Any advice will be highly appreciated. I myself am new to this and trying to document the process.
> 
> Thanks in advance
> HM
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
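The two controls Corey describes, restricting where SSH can be reached from and a /32 null route for a habitual offender, written out as Junos configuration. This is an added example, not configuration from either poster or from the list; 192.0.2.0/24 and 198.51.100.7 are placeholder addresses and the filter, term and counter names are made up.

```junos
firewall {
    family inet {
        filter protect-re {
            term allow-ssh-from-mgmt {
                from {
                    /* placeholder: the only network allowed to reach SSH */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                /* count and log the drops so they can be correlated with the IPS alerts */
                then {
                    count ssh-denied;
                    syslog;
                    discard;
                }
            }
            /* a lo0 filter ends in an implicit discard; keep everything else flowing */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
routing-options {
    static {
        /* /32 null route for a habitual offender (placeholder address) */
        route 198.51.100.7/32 discard;
    }
}
```

Applying a filter to lo0 covers traffic to the routing engine on every interface address, so the final accept term matters: without it the implicit discard would also drop routing protocol and management traffic.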
