How to Avoid Remote SSH Scan

Reply
Highlighted
L4 Transporter

How to Avoid Remote SSH Scan

Hello

I have a lot of events "deny" followed by other "allow"; All of these to port 22 (SSH) from remote host to several IP(s) in my Untrust and DMZ Zone.

SSH list.jpg

<14>Jun 24 04:01:17 fw2orgt 1,2015/06/24 04:01:16,0003C102047,TRAFFIC,drop,0,2015/06/24 04:01:16,46.228.199.253,213.0.58.124,0.0.0.0,0.0.0.0,rule76,,,not-applicable,vsys1,Untrust,Untrust,ethernet1/3,,ACUNTIA,2015/06/24 04:01:16,0,1,43007,22,0,0,0x0,tcp,deny,74,74,0,1,2015/06/24 04:01:17,0,any,0,418084793,0x0,DE,ES,0,1,0 �

SSH.jpg

http://www.abuseipdb.com/report-history/46.228.199.253

https://cymon.io/46.228.199.253

Categories for this IP 46.228.199.253: Hacking, FTP Brute-force,

The "rule76" is the last in my security policy rules:

rule76.jpg

These attempts could indicate an attack SSH (SSH Port Scan, Brute Force SSH, etc) and more if the source IPs have bad reputation.

Reputation of the other source IP:

http://www.abuseipdb.com/report-history/1.24.247.113

https://cymon.io/1.24.247.113

http://www.abuseipdb.com/report-history/123.212.190.217

https://cymon.io/123.212.190.217

http://www.abuseipdb.com/report-history/91.200.14.96

https://cymon.io/91.200.14.96

http://www.abuseipdb.com/report-history/192.3.108.133

https://cymon.io/192.3.108.133

Actually I have this Zone Proteccion Profile in my firewall:

Zone Protection Profile.jpg

And I applied my Untrust zone:

Zone.jpg

How to Avoid Remote SSH Scan?


I appreciate any help with this issue.

Regards,


L7 Applicator

Re: How to Avoid Remote SSH Scan

Based on your Zone Protection Profile, the TCP port scan should trigger if there are 100 entries within a 2-second span. From the first screenshot you uploaded I see that there are 183 events from the IP in question, but no info on events per second (apologies if I missed it). Were those 183 in a very fast time frame or were they spread out?

Regarding your logs, the first 99 entries in a 2-second span would be skipped by the Zone Protection Profile, and would go through normal rule processing. So you should expect to see a fair amount of logs showing it denied by your catch-all rule 76.

With respect to IP reputation, that is not something the Zone Protection Profile would trigger on. Reputation can become a gray area because a legitimate host could be compromised, leading to a false negative.

If you want to increase your interval or decrease the threshold, you should see sooner triggering for scans. You do take the risk of stopping legitimate traffic with too low a threshold, so you may have to experiment with it to find the right levels for your specific environment.

Best regards,

Greg Wesson

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!