ssh (or any) threshold?

L2 Linker

I'm experiencing a ton of hits over SSH to servers that must have SSH access. Is there a way to do threat assessment based on SSH, port, etc. and then automatically shut the attack down? For example, if a certain IP begins sending all that traffic on port 22 within a certain timeframe, we shut down the traffic and blacklist the IP. What would be better is to limit this rule to a certain scope, say all of China and Korea, where we know attacks tend to happen from; this will help keep down false positives.

thanks

//moe

L4 Transporter

Hi

Are you sure that you have properly configured Threat Prevention (enabled on the policy that allows SSH access to the servers)?

Look at https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

There is an ID 40015 "SSH User Authentication Brute-force Attempt" signature exactly for your case.

Regards

Slawek

L2 Linker

I believe so. The connections don't match that vulnerability, to which I have "reset-both" assigned.

L2 Linker

sample (attached screenshot: sshIncident_sample.png)

L6 Presenter

Hi VSU,

Try with DoS Protection or Zone Protection. You should be able to configure values in it.

Regards,

Hardik Shah

L6 Presenter

Hi VSU,

The following signature will not trigger for 10 attempts in 1 hour. The count is much higher than that. I guess it's around 60 per minute, as far as I know.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

Regards,

Hardik Shah

L4 Transporter

Hi VSU

You can verify using custom reports that more than 10 attempts per hour happened. If yes, please make a pcap for further troubleshooting by PA support.

Regards

Slawek

L4 Transporter

VSU_ITSEC

I agree with hshah. You could add a DoS profile to your specific SSH rule to throttle sessions.
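The per-source, per-port, per-timeframe threshold the question asks for, as an added example (not from this thread or from Palo Alto Networks): a sliding-window count of new port-22 sessions per source IP over constructed, simplified traffic-log records, limited to a scope of source networks the way the poster wants to limit the rule to certain regions. The 10-attempts-per-hour figure comes from the thread; the log format, the IP addresses and the scope prefixes are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def build_sample():
    """Constructed log lines: 'timestamp,src,dst,dport', ordered per source."""
    base = datetime(2020, 11, 7, 10, 0, 0)
    lines = []
    for i in range(12):  # in-scope source: 12 SSH hits in 12 minutes
        lines.append(f"{base + timedelta(minutes=i)},198.51.100.7,192.0.2.10,22")
    for i in range(12):  # out-of-scope source at the same rate: skipped by scope
        lines.append(f"{base + timedelta(minutes=i)},203.0.113.5,192.0.2.10,22")
    for i in range(12):  # in-scope source: 12 hits spread over 2 days, under threshold
        lines.append(f"{base + timedelta(hours=4 * i)},198.51.100.9,192.0.2.10,22")
    lines.append(f"{base},198.51.100.7,192.0.2.10,443")  # not SSH: ignored
    return "\n".join(lines)


def detect_ssh_bursts(log_text, threshold=10, window=timedelta(hours=1),
                      scope=("198.51.100.0/24",), port=22):
    """Return {src_ip: timestamp at which the threshold was first reached}.

    Only sources inside `scope` (CIDR strings, a constructed placeholder for
    the regional scope in the question) are evaluated; scope=None means all.
    Lines must be in chronological order for each source.
    """
    nets = [ip_network(n) for n in scope] if scope else None
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, src, _dst, dport = line.split(",")
        if int(dport) != port:
            continue
        if nets and not any(ip_address(src) in n for n in nets):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = t  # the attempt that crossed the threshold
    return flagged


if __name__ == "__main__":
    print(detect_ssh_bursts(build_sample()))
```

Sources that cross the threshold are the candidates for the blacklist action the poster describes; the out-of-scope source is deliberately ignored to show the false-positive trade-off of scoping.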
