cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ssh (or any) threshold?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
VSU_ITSEC
L2 Linker
‎08-28-2014 05:44 AM
‎08-28-2014 05:44 AM

ssh (or any) threshold?

I'm experiencing a ton of hits over ssh to servers that must have ssh access. Is there a way to do threat assessment based on SSH,  port etc – and then automatically shut the attack down?  For example if a certain IP begins sending all that traffic on port 22 within a certain timeframe – we shutdown the traffic and blacklist the IP.  What would be better is to limit this rule to a certain scope – say all of China and Korea where we know attacks tend to happen from – this will help keep down false positives.

thanks

//moe

Tags (2)
0 Likes
Reply
_slv_
L4 Transporter
‎08-28-2014 06:00 AM
‎08-28-2014 06:00 AM

Hi

Are You sure that You have properly configured Threat prevention (enabled on policy that allowing ssh access to servers)?

Look https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

there is an id40015   SSH User Authentication Brute-force Attempt signature exactly for Your case.

Regards

Slawek

0 Likes
Reply
VSU_ITSEC
L2 Linker
‎08-28-2014 06:14 AM
‎08-28-2014 06:14 AM

i believe so.  the connections don't match that vulnerability, which i have "reset-both" assigned to it.

0 Likes
Reply
VSU_ITSEC
L2 Linker
‎08-28-2014 06:26 AM
‎08-28-2014 06:26 AM

sshIncident_sample.png

sample

0 Likes
Reply
hshah
L6 Presenter
‎08-28-2014 10:21 AM
‎08-28-2014 10:21 AM

Hi VSU,

Try with DOS Protection or Zone Protection. You should be able to cofigure values in it.

Regards,

Hardik Shah

0 Likes
Reply
hshah
L6 Presenter
‎08-28-2014 12:01 PM
‎08-28-2014 12:01 PM

Hi VSU,

Following Signature will not trigger fo 10 attemts in 1 hour. Count is much higher than that. I guess its around 60 per minute as long as I know.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40015

Regards,

Hardik Shah

0 Likes
Reply
_slv_
L4 Transporter
‎08-29-2014 11:37 AM
‎08-29-2014 11:37 AM

Hi VSU

You can verify using custom reports that more than 10 atemp per hour hapend. If yes, Please make a pcap for further troubleshooting by PA support.

Regards

SLawek

0 Likes
Reply
Dz3015
L4 Transporter
‎11-28-2014 09:20 AM
‎11-28-2014 09:20 AM

VSU_ITSEC

I agree with hshah , you could add a DOS profile to your specific SSH rule to throttle sessions.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks