[j-nsp] SSH_Brute_Force events
Corey Robertson
robertson.corey at gmail.com
Thu Apr 5 18:37:29 EDT 2012
Changing to a non-standard port is a start.
You should also look at why SSH is available globally. Locking it down seems like an obvious solution to me.
Lastly, I know there are some IPS systems which have mitigation options built-in. It's not much more than a script that logs into your gear and adds a /32 null route for the offending host at your edge. I've never been a fan of this from an automatic perspective but /32 null routes for habitual offenders have always been successful for me anyway.
HTH
--Corey
On Apr 5, 2012, at 5:09 PM, Harri Makela <harri_makela at yahoo.com> wrote:
> Hi Guys
>
> We are getting "SSH_Brute_Force" alerts quite often from our Intrusion prevention systems (IPS) - ISS GX.
>
> Issue Description: We have detected SSH_Brute_Force events sourcing from external IP x.x.x.x targeting multiple internal IPs. This is probably an attempt to gain access to SSH enabled servers.
>
> What could be best practices to handle these alerts? i.e.
>
> - Change the SSH port system-wide from 22 to 10022?
> - Report to the ISP to contact the customer, which is really not a practical solution?
>
> Any advice will be highly appreciated. I myself am new to this and am trying to document the process.
>
> Thanks in advance
> HM
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
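
An added example, not part of the original thread and not code from either poster: a sketch of the /32 null-route approach mentioned in the reply, which selects repeat sources from IPS alerts and prints Junos static discard routes for an operator to review instead of pushing them automatically. The alert line format, the thresholds, the protected prefixes and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed alert lines; this log format is an assumption, not real ISS GX output.
SAMPLE_ALERTS = """\
2012-04-05T17:01:10 SSH_Brute_Force src=203.0.113.45 dst=10.1.1.10
2012-04-05T17:01:12 SSH_Brute_Force src=203.0.113.45 dst=10.1.1.11
2012-04-05T17:01:15 SSH_Brute_Force src=203.0.113.45 dst=10.1.1.12
2012-04-05T17:02:01 SSH_Brute_Force src=192.0.2.77 dst=10.1.1.10
2012-04-05T17:03:30 SSH_Brute_Force src=198.51.100.9 dst=10.1.1.10
2012-04-05T17:03:31 SSH_Brute_Force src=198.51.100.9 dst=10.1.1.11
2012-04-05T17:03:32 SSH_Brute_Force src=198.51.100.9 dst=10.1.1.12
2012-04-05T17:04:00 SSH_Brute_Force src=203.0.113.200 dst=10.1.1.10
2012-04-05T17:04:05 SSH_Brute_Force src=203.0.113.200 dst=10.1.1.10
2012-04-05T17:04:09 SSH_Brute_Force src=203.0.113.200 dst=10.1.1.10
2012-04-05T17:05:00 SSH_Brute_Force src=x.x.x.x dst=10.1.1.10
"""
ALERT_RE = re.compile(r"SSH_Brute_Force\s+src=(\S+)\s+dst=(\S+)")
# Prefixes that must never be null-routed (constructed: own space, a partner range).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

def habitual_offenders(log_text, min_alerts=3, min_targets=2):
    """Return IPv4 sources with enough alerts against enough distinct targets."""
    alerts, targets = Counter(), {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # redacted or malformed source: skip rather than guess
        if any(src in net for net in PROTECTED):
            continue  # a false positive must not cut off our own or a partner's hosts
        alerts[src] += 1
        targets.setdefault(src, set()).add(m.group(2))
    return sorted(ip for ip, n in alerts.items()
                  if n >= min_alerts and len(targets[ip]) >= min_targets)

def null_route_commands(offenders):
    """Junos set-style commands for an operator to review and commit by hand."""
    return [f"set routing-options static route {ip}/32 discard" for ip in offenders]

if __name__ == "__main__":
    for cmd in null_route_commands(habitual_offenders(SAMPLE_ALERTS)):
        print(cmd)
```

With the constructed sample, only the source that hit several internal targets is proposed; the single-alert source, the source inside a protected prefix, the single-target source and the redacted address are all left alone.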