Snort Rule to Block Repeated SSH Attempt?
-
I have an SSH host within my network that needs to be exposed to the Internet for legitimate purposes. Unfortunately, using public-key auth or changing the SSH port to a non-standard one isn't an option right now. The passwords are secure, but I'm looking to stop the repeated dictionary attacks using a Snort rule.
I was surprised a Snort rule didn't already seem to exist to block x number of attempts from IP y in a timeframe z.
I haven't ever written Snort rules… Does anyone have any idea how such a rule would be written?
Thanks!
-
So I did find a rule in emerging-scan.rules, but it wasn't catching these particular dictionary attacks. I modified it to remove the requirements of the SYN and both reserved TCP flags, and to lower the threshold from 5 attempts in 60 seconds to 3 attempts in 300 seconds. We'll see if it works tomorrow. :)
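To see why the threshold change matters, here is an added Python model (not Snort's own implementation, and not the rule from emerging-scan.rules) of `threshold: type both, track by_src, count N, seconds T` run over constructed connection-attempt timestamps; the IPs and times are made up:

```python
"""Simplified model of Snort's `threshold: type both, track by_src` on SSH traffic.
Added illustration only; it is not Snort code."""

# Constructed sample of packets to the SSH host: (unix_time, src_ip, dst_port).
# The port-443 entry is there to show that non-SSH traffic is ignored.
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", 22),
    (1030, "198.51.100.7", 22),
    (1065, "198.51.100.7", 22),   # third hit inside a 300 s window -> alert
    (1090, "198.51.100.7", 22),   # same window, already alerted -> suppressed
    (1100, "203.0.113.9", 22),    # different source, separate counter
    (1150, "203.0.113.9", 443),   # not port 22, does not count
    (1400, "198.51.100.7", 22),   # window opened at 1000 expired at 1300
    (1410, "198.51.100.7", 22),
    (1420, "198.51.100.7", 22),   # third hit in the new window -> alert
]


class ThresholdBoth:
    """Alert once per `seconds` window when `count` matching packets arrive from one source."""

    def __init__(self, count, seconds, port=22):
        self.count, self.seconds, self.port = count, seconds, port
        self.windows = {}  # src_ip -> (window_start, hits, already_alerted)

    def feed(self, ts, src, dport):
        if dport != self.port:
            return False
        start, hits, alerted = self.windows.get(src, (None, 0, False))
        if start is None or ts - start >= self.seconds:
            start, hits, alerted = ts, 0, False  # (re)open the window on this packet
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True
        self.windows[src] = (start, hits, alerted)
        return fire


def run(events, count=3, seconds=300):
    """Return (time, src_ip) for every packet that would raise an alert."""
    det = ThresholdBoth(count, seconds)
    return [(ts, src) for ts, src, dport in events if det.feed(ts, src, dport)]


if __name__ == "__main__":
    print("5 in 60 s:", run(SAMPLE_EVENTS, 5, 60))     # slow attacker never trips it
    print("3 in 300 s:", run(SAMPLE_EVENTS, 3, 300))   # alerts at 1065 and 1420
```

The model counts packets, as Snort does: once the SYN-flag test is dropped from the rule, every packet a legitimate established SSH session sends to port 22 increments the same per-source counter, so expect alerts on normal sessions as well.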
-
If you create a WAN rule and limit the number of connections per second, and an external IP exceeds the value you defined, it will be blocked for about 2 hours by pfSense.
You can check blocked IPs under Diagnostics -> Tables.