I was recently looking through my /var/log/secure for something completely unrelated and happened to see attempts at an SSH connection from the same IP over and over.
From what I can tell, someone was trying to guess my username and password through SSH to gain access to my system. I've since blocked that IP address for incoming connections.
The thing I am wondering is: does COS tell you of these attempts at some threshold and I missed it? Or does it not have the ability?
Responses (3)
Accepted Answer
Don't leave port 22 open! At the very least, if you are, change the default port... better still, disable root login and permit only key-based connections. Otherwise you leave yourself vulnerable to these kinds of attacks.
The IPS does have some brute force type rules, but the thresholds are quite high, so it may have gone unnoticed. Make sure the telnet rules are enabled and have a look at /etc/snort/telnet.rules:
telnet.rules:alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:3000001; rev:5; fwsam:src, 1 day; )
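As an added illustration (not part of the thread above), here is the same threshold logic the Snort rule expresses, track by source, count 6 in 30 seconds, applied in Python to a few constructed /var/log/secure lines. It differs from the rule in that it counts sshd "Failed password" lines rather than TCP SYNs to port 22, and it assumes a year (syslog timestamps carry none).

```python
import re
from datetime import datetime

# sshd failure lines as written to /var/log/secure (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+) port \d+"
)

def detect_bruteforce(lines, count=6, seconds=30, year=2024):
    """Approximate Snort 'threshold: type threshold, track by_src, count 6,
    seconds 30': every `count`-th failure from one source inside a `seconds`
    window fires an alert; a window starts at the first failure after the
    previous one expired. Returns a list of (source IP, timestamp)."""
    windows = {}  # src -> (window start, failures seen in this window)
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # not an sshd authentication failure
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        start, n = windows.get(src, (None, 0))
        if start is None or (ts - start).total_seconds() > seconds:
            start, n = ts, 0  # previous window expired: open a fresh one
        n += 1
        if n == count:
            alerts.append((src, ts.strftime("%b %d %H:%M:%S")))
            n = 0  # fired; keep counting within the same window
        windows[src] = (start, n)
    return alerts

# Constructed sample lines (hypothetical hosts and documentation-range IPs).
SAMPLE_LOG = [
    "Jan 12 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 50110 ssh2",
    "Jan 12 10:15:02 host sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Jan 12 10:15:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 50111 ssh2",
    "Jan 12 10:15:05 host sshd[2104]: Failed password for root from 203.0.113.5 port 50112 ssh2",
    "Jan 12 10:15:07 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 50113 ssh2",
    "Jan 12 10:15:09 host sshd[2106]: Failed password for root from 203.0.113.5 port 50114 ssh2",
    "Jan 12 10:15:10 host sshd[2107]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2",
    "Jan 12 10:15:11 host sshd[2108]: Failed password for root from 203.0.113.5 port 50115 ssh2",
    "Jan 12 10:16:40 host sshd[2109]: Failed password for root from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG):
        print(f"{when} SSH potential brute force attack from {src}")
```

Only 203.0.113.5 reaches six failures inside one window; the two failures from 198.51.100.7 are 98 seconds apart, so the window resets and nothing fires.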