[j-nsp] SSH_Brute_Force events

Pavel Lunin plunin at senetsy.ru
Sun Apr 8 08:54:23 EDT 2012


> We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
>
> [...]


> What could be best practices to handle these alerts ? i.e.
>

Configure rate-limits for SSH, e.g. n attempts per something from a single
IP. JUNOS has such an option under the ssh stanza.

> change SSH port system wide from 22 to 10022 ?
>

Agree with previous comments. Only reason for this is to make your own life
harder (sometimes needed to distinguish hosts using PAT). But port scanners
know their business well.

Some folks manage to have "single entry point" SSH server exposed to
outside, using which they SSH to devices 'from inside'. Other people run
user-VPNs for only this, which is IMHO too fancy.


> Report the ISP to contact with the customer which is really not a
> practical solution ?
>

Haven't ever seen this give any result, though a try isn't worth much. But
this can help the people (if they care, which is not always the case), from
whom the attack sourced, but not you. Such things are usually sourced from
hacked machines, so even if you manage to get rid of a particular source,
the attacker probably has plenty of others.

Good news is that the brute force SSH attack is such a frequent thing
(usually automated), that it does not necessarily mean someone is trying to
bruteforce particularly you (commercial attacks are usually much wiser or
just DDoS). Bruteforcers are simply hacking everything not nailed down.
Doesn't mean you don't have to protect from it though.
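An added example (editor's, not from the original message) of what the rate-limit suggestion above looks like in Junos configuration: the ssh stanza caps new connection attempts per minute and concurrent sessions, and a loopback firewall filter allows TCP/22 only from a management prefix-list so other sources never reach sshd. The prefix-list name and the 192.0.2.0/24 address are placeholders to replace with your own management network.

```junos
/* Added example, not from the original post; prefix values are placeholders */
system {
    services {
        ssh {
            /* refuse direct root logins and SSHv1 */
            root-login deny;
            protocol-version v2;
            /* at most 10 concurrent SSH sessions to the RE */
            connection-limit 10;
            /* at most 5 new SSH connection attempts per minute */
            rate-limit 5;
        }
    }
}
policy-options {
    prefix-list mgmt-hosts {
        /* placeholder: replace with your management network */
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-ssh-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                /* everything else aimed at port 22 is dropped before sshd sees it */
                then discard;
            }
            /* keep other RE-bound traffic working; tighten per your policy */
            term allow-rest { then accept; }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
}
```

Apply the lo0 filter only after confirming the prefix-list contains the hosts you manage from, since the discard term will also drop your own sessions if they originate elsewhere.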

