[Snort-sigs] SSH Scans

Frank Knobbe frank at ...1978...
Mon Aug 23 13:31:02 EDT 2004


On Mon, 2004-08-23 at 15:12, Matthew Jonkman wrote:
> Definitely something to adjust locally I think. We have a lot of people 
> coming from single sites and IPs as well, but it'd be pretty rare that 
> 5 new connections to the same box opened up within a minute I'd think.

In the case of SSH specifically, sure, there's room to play. My caution
was about general threshold rules. Single IP != Single User  :)

Regarding SSH, though, I would restrict access to SSH with (a)
firewall(s) to those locations that need to log in. (insert your
favorite prevention-cure quote here ;)  That way you don't even open
yourself to SSH brute force attacks.

Then, having limited the scope for the rule through firewall ACLs, you
can probably even better tune the threshold values.

Cheers,
Frank
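The two points in this exchange, a per-source connection threshold for SSH and Frank's caveat that one IP is not one user, can be made concrete with a small re-implementation of the threshold logic run over constructed connection records. This is an added example, not code from the thread or from Snort itself; it approximates the `threshold: type threshold, track by_src, count N, seconds M` behaviour of a Snort 2.x rule, keys on (source, destination) to match "N new connections to the same box", and models the firewall ACL Frank recommends as a filter applied before detection. All IP addresses, timestamps and the ACL are constructed sample data.

```python
"""Added example (not from the snort-sigs thread or the Snort project).

Approximates the threshold logic of a rule such as:
  alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection threshold";
      flags:S; threshold:type threshold, track by_src, count 5, seconds 60;
      sid:1000001; rev:1;)
and shows how a firewall ACL in front of sshd changes what the rule sees.
"""

SSH_PORT = 22

# Constructed sample of new TCP connections (SYNs): (timestamp, src, dst, dst_port).
# 203.0.113.9   - a scanner hammering one host
# 198.51.100.7  - an office NAT address behind which five different users log in
# 192.0.2.50    - a single admin logging in once
SAMPLE_EVENTS = [
    (0, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (5, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (10, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (15, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (20, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (25, "203.0.113.9", "192.0.2.10", SSH_PORT),
    (50, "203.0.113.9", "192.0.2.10", 80),       # web hit, not SSH: ignored
    (100, "198.51.100.7", "192.0.2.10", SSH_PORT),
    (110, "198.51.100.7", "192.0.2.10", SSH_PORT),
    (120, "198.51.100.7", "192.0.2.10", SSH_PORT),
    (130, "198.51.100.7", "192.0.2.10", SSH_PORT),
    (140, "198.51.100.7", "192.0.2.10", SSH_PORT),
    (300, "192.0.2.50", "192.0.2.10", SSH_PORT),
]

# Hypothetical firewall ACL: only these sources may reach port 22 at all.
ACL = frozenset({"198.51.100.7", "192.0.2.50"})


def firewall_filter(events, allowed_sources):
    """Drop SSH SYNs whose source is not in the ACL; everything else passes.

    Stands in for the firewall Frank suggests: a blocked scanner never produces
    traffic for the sensor to count in the first place.
    """
    return [e for e in events if e[3] != SSH_PORT or e[1] in allowed_sources]


def threshold_alerts(events, count=5, seconds=60):
    """Return [(ts, src, dst), ...] for every count-th SSH SYN from one
    (src, dst) pair inside a window of `seconds`.

    Window semantics mirror Snort's 'type threshold': the window opens on the
    first hit, the hit counter resets after an alert, and a hit arriving after
    the window has expired opens a fresh window.
    """
    state = {}   # (src, dst) -> (window_start, hits)
    alerts = []
    for ts, src, dst, dport in sorted(events):
        if dport != SSH_PORT:
            continue
        key = (src, dst)
        start, hits = state.get(key, (ts, 0))
        if ts - start >= seconds:        # window expired: start over
            start, hits = ts, 0
        hits += 1
        if hits >= count:
            alerts.append((ts, src, dst))
            hits = 0
        state[key] = (start, hits)
    return alerts


def demo():
    """Three runs: bare rule, rule behind the ACL, rule behind the ACL with a
    higher count once the ACL has narrowed who can ever trip it."""
    return {
        "no_acl": threshold_alerts(SAMPLE_EVENTS),
        "with_acl": threshold_alerts(firewall_filter(SAMPLE_EVENTS, ACL)),
        "with_acl_tuned": threshold_alerts(firewall_filter(SAMPLE_EVENTS, ACL), count=10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Without the ACL the rule fires twice: once on the scanner, and once on the office NAT address, which is exactly the "Single IP != Single User" false positive. Behind the ACL the scanner never reaches the sensor, and because the remaining sources are known, the count can be raised until the NAT address stops tripping it as well.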


