ssh (or any) threshold?


L2 Linker

I'm experiencing a ton of hits over ssh to servers that must have ssh access. Is there a way to do threat assessment based on SSH, port etc. and then automatically shut the attack down? For example, if a certain IP begins sending all that traffic on port 22 within a certain timeframe, we shut down the traffic and blacklist the IP. What would be better is to limit this rule to a certain scope, say all of China and Korea where we know attacks tend to happen from. This will help keep down false positives.

thanks

//moe

7 REPLIES

L4 Transporter

Hi

Are you sure that you have properly configured Threat Prevention (enabled on the policy that allows ssh access to the servers)?

Look at https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

There is an ID 40015 SSH User Authentication Brute-force Attempt signature exactly for your case.

Regards

Slawek

I believe so. The connections don't match that vulnerability, which I have "reset-both" assigned to.

sshIncident_sample.png

sample

Hi VSU,

Try with DOS Protection or Zone Protection. You should be able to configure values in it.

Regards,

Hardik Shah

Hi VSU,

The following signature will not trigger for 10 attempts in 1 hour. The count is much higher than that. I guess it's around 60 per minute, as far as I know.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

Regards,

Hardik Shah

L4 Transporter

Hi VSU

You can verify using custom reports that more than 10 attempts per hour happened. If yes, please make a pcap for further troubleshooting by PA support.

Regards

Slawek

VSU_ITSEC

I agree with hshah; you could add a DOS profile to your specific SSH rule to throttle sessions.
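The threshold question discussed in this thread, as an added example that is not from any poster or from Palo Alto Networks: a sliding-window counter over constructed connection records, showing why a rate like the 60-per-minute figure guessed in one reply never fires on a source making about 12 SSH connections per hour, and how a region scope narrows what gets flagged. The function name, record layout, IP addresses (documentation ranges) and region labels are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

SSH_PORT = 22

def flag_sources(events, limit, window_s, scope=None):
    """Return source IPs with more than `limit` connections to port 22
    inside any sliding window of `window_s` seconds.

    events: iterable of (epoch_seconds, src_ip, src_region, dst_port),
            sorted by time. scope: optional set of regions to evaluate;
            sources outside it are never flagged.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    flagged = set()
    for ts, src, region, dport in events:
        if dport != SSH_PORT:
            continue
        if scope is not None and region not in scope:
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > limit:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed traffic records (documentation IPs, illustrative regions)."""
    ev = []
    # Slow source: one SSH connection every 5 minutes for 2 hours (12 per hour).
    ev += [(t, "192.0.2.10", "CN", 22) for t in range(0, 7200, 300)]
    # Fast source: 70 SSH connections in 35 seconds.
    ev += [(1000 + t * 0.5, "198.51.100.7", "KR", 22) for t in range(70)]
    # Equally fast source from a region outside the intended scope.
    ev += [(2000 + t * 0.5, "203.0.113.5", "US", 22) for t in range(70)]
    # Busy HTTPS traffic from the slow source; not SSH, so it is ignored.
    ev += [(3000 + t, "192.0.2.10", "CN", 443) for t in range(200)]
    return sorted(ev)

if __name__ == "__main__":
    ev = sample_events()
    print("60/min:", sorted(flag_sources(ev, 60, 60)))
    print("10/hour:", sorted(flag_sources(ev, 10, 3600)))
    print("10/hour, scoped:", sorted(flag_sources(ev, 10, 3600, {"CN", "KR"})))
```

The scoped run drops the out-of-scope source entirely, which is the trade-off in the original question: fewer false positives, but no coverage for the same behaviour from anywhere else.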
