I'm experiencing a ton of hits over ssh to servers that must have ssh access. Is there a way to do threat assessment based on SSH, port etc – and then automatically shut the attack down? For example if a certain IP begins sending all that traffic on port 22 within a certain timeframe – we shutdown the traffic and blacklist the IP. What would be better is to limit this rule to a certain scope – say all of China and Korea where we know attacks tend to happen from – this will help keep down false positives.
Are You sure that You have properly configured Threat prevention (enabled on policy that allowing ssh access to servers)?
there is an id40015 SSH User Authentication Brute-force Attempt signature exactly for Your case.
Following Signature will not trigger fo 10 attemts in 1 hour. Count is much higher than that. I guess its around 60 per minute as long as I know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!