Netgate Discussion Forum

    Snort Rule to Block Repeated SSH Attempt?

      yottabit

      I have an SSH host within my network that needs to be exposed to the Internet for legitimate purposes. Unfortunately using public-key auth or changing the SSH port to non-standard isn't an option right now. The passwords are secure, but I'm looking to stop the repeated dictionary attacks using a Snort rule.

      I was surprised a Snort rule didn't already seem to exist to block x number of attempts from IP y in a timeframe z.

      I haven't ever written Snort rules… does anyone have any idea how such a rule would be written?

      Thanks!

        yottabit

        So I did find a rule in emerging-scan.rules, but it wasn't catching these particular dictionary attacks. I modified it to remove the requirements of the SYN and both reserved TCP flags, and to lower the threshold from 5 attempts in 60 seconds to 3 attempts in 300 seconds. We'll see if it works tomorrow. :)

          marcelloc

          If you create a WAN rule and limit the number of connections per second, any external IP that exceeds the value you defined will be blocked for about 2 hours by pfSense.
          You can check blocked IPs under Diagnostics -> Tables.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D
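
An added example, not from either poster and not a rule copied from emerging-scan.rules: a local Snort 2.x rule that applies the "3 attempts in 300 seconds" threshold mentioned in the thread to inbound SSH. The sid, the message text and the choice to count only SYN packets (one per new connection) are assumptions made for this example.

```conf
# local.rules (constructed example)
# Assumptions: $EXTERNAL_NET and $HOME_NET are defined in snort.conf,
# SSH listens on TCP 22, and sid 1000001 is a placeholder from the
# local range (1000000 and above).
#
# flags:S,12   match packets with SYN set, ignoring the two reserved
#              bits, so each new TCP connection is counted once.
# threshold    type both + track by_src: alert once per 300-second
#              window for a source that reaches 3 matches in that window.
#
# This rule only raises an alert. Whether the source address is then
# blocked depends on how the Snort package is configured on the interface.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL SSH repeated connection attempts from one source"; \
    flags:S,12; \
    threshold:type both, track by_src, count 3, seconds 300; \
    classtype:attempted-admin; \
    sid:1000001; rev:1;)
```

Because the rule counts connections rather than failed logins, a legitimate user who opens three SSH sessions within five minutes will also trigger it; known administrative sources can be excluded with a suppress entry or a narrower source network.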
