https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16814#M12246 <HTML><HEAD></HEAD><BODY><P><IMG alt="sshIncident_sample.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15190_sshIncident_sample.png" style="height: 386px; width: 620px;" /></P><P></P><P>sample</P></BODY></HTML> Thu, 28 Aug 2014 13:26:15 GMT VSU_ITSEC 2014-08-28T13:26:15Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16811#M12243 <HTML><HEAD></HEAD><BODY><P class="MsoNormal"><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; mso-fareast-font-family: 'Times New Roman'; color: black;">I'm experiencing a ton of hits over ssh to servers that must have ssh access. Is there a way to do threat assessment based on SSH,&nbsp; port etc – and then automatically shut the attack down?&nbsp; For example if a certain IP begins sending all that traffic on port 22 within a certain timeframe – we shutdown the traffic and blacklist the IP.&nbsp; What would be better is to limit this rule to a certain scope – say all of China and Korea where we know attacks tend to happen from – this will help keep down false positives.</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; mso-fareast-font-family: 'Times New Roman'; color: black;">thanks</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; mso-fareast-font-family: 'Times New Roman'; color: black;">//moe<BR /></SPAN></P></BODY></HTML> Thu, 28 Aug 2014 12:44:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16811#M12243 VSU_ITSEC 2014-08-28T12:44:36Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16812#M12244 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Are You sure that You have properly configured Threat prevention (enabled on policy that allowing ssh access to servers)?</P><P></P><P>Look <A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015</A></P><P>there is an id40015&nbsp;&nbsp; SSH User Authentication Brute-force Attempt signature exactly for Your case.</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Thu, 28 Aug 2014 13:00:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16812#M12244 _slv_ 2014-08-28T13:00:14Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16813#M12245 <HTML><HEAD></HEAD><BODY><P>i believe so.&nbsp; the connections don't match that vulnerability, which i have "reset-both" assigned to it.</P></BODY></HTML> Thu, 28 Aug 2014 13:14:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16813#M12245 VSU_ITSEC 2014-08-28T13:14:01Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16814#M12246 <HTML><HEAD></HEAD><BODY><P><IMG alt="sshIncident_sample.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15190_sshIncident_sample.png" style="height: 386px; width: 620px;" /></P><P></P><P>sample</P></BODY></HTML> Thu, 28 Aug 2014 13:26:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16814#M12246 VSU_ITSEC 2014-08-28T13:26:15Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16815#M12247 <HTML><HEAD></HEAD><BODY><P>Hi VSU,</P><P></P><P>Try with DOS Protection or Zone Protection. You should be able to cofigure values in it.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 28 Aug 2014 17:21:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16815#M12247 hshah 2014-08-28T17:21:26Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16816#M12248 <HTML><HEAD></HEAD><BODY><P>Hi VSU,</P><P></P><P>Following Signature will not trigger fo 10 attemts in 1 hour. Count is much higher than that. I guess its around 60 per minute as long as I know.</P><P><A class="jive-link-external-small" href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015" rel="nofollow" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #779308; text-decoration: underline;">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 28 Aug 2014 19:01:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16816#M12248 hshah 2014-08-28T19:01:48Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16817#M12249 <HTML><HEAD></HEAD><BODY><P>Hi VSU</P><P></P><P>You can verify using custom reports that more than 10 atemp per hour hapend. If yes, Please make a pcap for further troubleshooting by PA support.</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Fri, 29 Aug 2014 18:37:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16817#M12249 _slv_ 2014-08-29T18:37:32Z https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16818#M12250 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/26529">VSU_ITSEC</A></P><P></P><P>I agree with <A href="https://live.paloaltonetworks.com/u1/19490">hshah</A> , you could add a DOS profile to your specific SSH rule to throttle sessions.</P></BODY></HTML> Fri, 28 Nov 2014 17:20:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-or-any-threshold/m-p/16818#M12250 Dz3015 2014-11-28T17:20:11Z