4. Snort Rule to Block Repeated SSH Attempt?

Snort Rule to Block Repeated SSH Attempt?

  • Y

    I have an SSH host within my network that needs to be exposed to the Internet for legitimate purposes. Unfortunately using public-key auth or changing the SSH port to non-standard isn't an option right now. The passwords are secure, but I'm looking to stop the repeated dictionary attacks using a Snort rule.

    I was surprised a Snort rule didn't already seem to exist to block x number of attempts from IP y in a timeframe z.

    I haven't ever written Snort rules… does anyone have any idea how such a rule would be written?

    Thanks!

    0
  • Y

    So I did find a rule in emerging-scan.rules, but it wasn't catching these particular dictionary attacks. I modified it to remove the requirements of the SYN and both reserved TCP flags, and to lower the threshold from 5 attempts in 60 seconds to 3 attempts in 300 seconds. We'll see if it works tomorrow. :)

    0

  • If you create a wan rule and limit the number o connections per second. If external ip exceeds the value you defined, it will be blocked for about 02 hours by pfsense.
    You can check blocked ips on diagnosts -> tables.

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy