Snort Rule to Block Repeated SSH Attempt?

  • I have an SSH host within my network that needs to be exposed to the Internet for legitimate purposes. Unfortunately using public-key auth or changing the SSH port to non-standard isn't an option right now. The passwords are secure, but I'm looking to stop the repeated dictionary attacks using a Snort rule.

    I was surprised a Snort rule didn't already seem to exist to block x number of attempts from IP y in a timeframe z.

    I haven't ever written Snort rules… does anyone have any idea how such a rule would be written?


  • So I did find a rule in emerging-scan.rules, but it wasn't catching these particular dictionary attacks. I modified it to remove the requirements of the SYN and both reserved TCP flags, and to lower the threshold from 5 attempts in 60 seconds to 3 attempts in 300 seconds. We'll see if it works tomorrow. :)
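A local rule in the shape the post above describes, added here as an example (it is not from the thread and not the emerging-scan.rules entry the poster modified): it fires once a single source has sent three SSH connection attempts within 300 seconds. `$EXTERNAL_NET`, `$HOME_NET`, port 22 and the sid are assumptions; the sid is a placeholder in the local range (1000000 and up).

```snort
# Added example (not from the thread): a Snort 2.x local rule that alerts when
# one external source sends 3 or more SSH connection attempts within 300 s,
# the threshold the second post settled on.
# Assumptions: $EXTERNAL_NET / $HOME_NET are defined in snort.conf, SSH listens
# on 22, and sid 1000001 is a placeholder in the local-rules range (>= 1000000).
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL SSH repeated connection attempts, 3 in 300s from one source"; \
    # Count only SYN packets (ignoring the two reserved/ECN bits) so each
    # connection attempt is counted once; without a flags test every data
    # packet of one legitimate session would also increment the counter.
    flags:S,12; \
    # Per-source counter: the 3rd SYN inside a 300 s window triggers the alert
    # (and each further SYN in that window does too).
    detection_filter:track by_src, count 3, seconds 300; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; \
)
```

On pfSense the Snort package's block-offenders setting turns such an alert into a block by adding the source to the snort2c table; in an inline Snort deployment the rule action can be `drop` instead of `alert`. To get a single alert per source per window rather than one per attempt past the third, pair the rule with an `event_filter` of type `limit` in threshold.conf.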

  • If you create a WAN rule and limit the number of connections per second, an external IP that exceeds the value you defined will be blocked for about 2 hours by pfSense.
    You can check blocked IPs under Diagnostics -> Tables.