This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to Avoid Remote SSH Scan

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to Avoid Remote SSH Scan

SOC_CSG
L4 Transporter

‎06-24-2015 09:18 AM

Hello

I have a lot of events "deny" followed by other "allow"; All of these to port 22 (SSH) from remote host to several IP(s) in my Untrust and DMZ Zone.

SSH list.jpg

<14>Jun 24 04:01:17 fw2orgt 1,2015/06/24 04:01:16,0003C102047,TRAFFIC,drop,0,2015/06/24 04:01:16,46.228.199.253,213.0.58.124,0.0.0.0,0.0.0.0,rule76,,,not-applicable,vsys1,Untrust,Untrust,ethernet1/3,,ACUNTIA,2015/06/24 04:01:16,0,1,43007,22,0,0,0x0,tcp,deny,74,74,0,1,2015/06/24 04:01:17,0,any,0,418084793,0x0,DE,ES,0,1,0 �

SSH.jpg

http://www.abuseipdb.com/report-history/46.228.199.253

https://cymon.io/46.228.199.253

Categories for this IP 46.228.199.253: Hacking, FTP Brute-force,

The "rule76" is the last in my security policy rules:

rule76.jpg

These attempts could indicate an attack SSH (SSH Port Scan, Brute Force SSH, etc) and more if the source IPs have bad reputation.

Reputation of the other source IP:

http://www.abuseipdb.com/report-history/1.24.247.113

https://cymon.io/1.24.247.113

http://www.abuseipdb.com/report-history/123.212.190.217

https://cymon.io/123.212.190.217

http://www.abuseipdb.com/report-history/91.200.14.96

https://cymon.io/91.200.14.96

http://www.abuseipdb.com/report-history/192.3.108.133

https://cymon.io/192.3.108.133

Actually I have this Zone Proteccion Profile in my firewall:

Zone Protection Profile.jpg

And I applied my Untrust zone:

Zone.jpg

How to Avoid Remote SSH Scan?


I appreciate any help with this issue.

Regards,


0 Likes Likes
1 REPLY 1

gwesson
L7 Applicator

‎06-24-2015 04:44 PM

Based on your Zone Protection Profile, the TCP port scan should trigger if there are 100 entries within a 2-second span. From the first screenshot you uploaded I see that there are 183 events from the IP in question, but no info on events per second (apologies if I missed it). Were those 183 in a very fast time frame or were they spread out?

Regarding your logs, the first 99 entries in a 2-second span would be skipped by the Zone Protection Profile, and would go through normal rule processing. So you should expect to see a fair amount of logs showing it denied by your catch-all rule 76.

With respect to IP reputation, that is not something the Zone Protection Profile would trigger on. Reputation can become a gray area because a legitimate host could be compromised, leading to a false negative.

If you want to increase your interval or decrease the threshold, you should see sooner triggering for scans. You do take the risk of stopping legitimate traffic with too low a threshold, so you may have to experiment with it to find the right levels for your specific environment.

Best regards,

Greg Wesson

0 Likes Likes
  • 2729 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks