[Snort-sigs] SSH Scans
matt at ...2436...
Mon Aug 23 13:35:02 EDT 2004
Frank Knobbe wrote:
> In case specifically for SSH, sure, there's room to play. My caution was
> for general threshold rules. Single IP != Single User :)
> In regards to SSH, though, I would restrict access to SSH with (a)
> firewall(s) to those locations that need to log in. (insert your
> favorite prevention-cure-quote here ;) That way you don't even open
> yourself to SSH brute force attacks.
> Then, having limited the scope for the rule through firewall ACLs, you
> can probably even better tune the threshold values.
Ya, that'd be nice. I don't control all the nets we monitor though. I
can recommend till I'm blue in the face, but things like that often
don't get done. :)
You're definitely right though. If you can have a set number of sources you
should control access. Just like a term server. :)