SSH Brute Force and Suricata

SSH Brute Force and Suricata

Since SSH is one of the most pervasive ways to manage servers remotely, it is also one of the most plagued by brute force attacks. What follows is a simple set of Suricata rules to stop the majority of SSH brute force attacks. It will drop connections based on the reported SSH client version.

There are other more effective measures that can be implemented to block these type of attacks (two factor authentication, IP white list, etc.). Admittedly these rules won’t stop the willing attacker, they will however stop the lazy one, that is looking for the low hanging fruit.

 These rules are released under GPLv3.
 The last three rules are commented out, they depend on the client used by the actual authorized users clients.

Now, onto sleeping more easily at night ;)

Categories

bug-bounty case-study configuration cve education encryption exploit game idps incident-response linux malware memory-forensics network reconnaissance reverse-engineering virtualization windows

Tags

active-directory activobank acunetix-wvs android applocker aruba-networks banco-popular banco-portugues-de-investimento banking barclays bios brute-force bugcrowd caixa-geral-de-depositos caixadirecta cheat cisco-anyconnect csharp cuckoo-sandbox curious-fish emofishes emotions enterprise-linux fireeye hp hpqpswdd hugo intimacy lemp millennium novo-banco paranoid-fish passwords portuguese portugueses powascripts powershell qemu senhas sexuality ssh suricata titan-quest tls tq-invincible virtualbox volatility vpn wordpress yara