SSH Brute Force and Suricata
Since SSH is one of the most pervasive ways to manage servers remotely, it is also one of the most plagued by brute force attacks. What follows is a simple set of Suricata rules to stop the majority of SSH brute force attacks. It will drop connections based on the reported SSH client version.
There are other more effective measures that can be implemented to block these type of attacks (two factor authentication, IP white list, etc.). Admittedly these rules won’t stop the willing attacker, they will however stop the lazy one, that is looking for the low hanging fruit.
These rules are released under GPLv3.
The last three rules are commented out, they depend on the client used by the actual authorized users clients.
Now, onto sleeping more easily at night ;)
Categories
Tags
active-directory
activobank
acunetix-wvs
android
applocker
aruba-networks
banco-popular
banco-portugues-de-investimento
banking
barclays
bios
brute-force
bugcrowd
caixa-geral-de-depositos
caixadirecta
cheat
cisco-anyconnect
csharp
cuckoo-sandbox
curious-fish
emofishes
emotions
enterprise-linux
fireeye
hp
hpqpswdd
hugo
intimacy
lemp
millennium
novo-banco
paranoid-fish
passwords
portuguese
portugueses
powascripts
powershell
qemu
senhas
sexuality
soho
ssh
suricata
technicolor
titan-quest
tls
tq-invincible
virtualbox
volatility
vpn
wordpress
yara