[Snort-sigs] SSH Scans

Matthew Jonkman matt at ...2436...
Mon Aug 23 13:35:02 EDT 2004

Frank Knobbe wrote:
> In case specifically for SSH, sure, there's room to play. My caution was
> for general threshold rules. Single IP != Single User  :)
> In regards to SSH, though, I would restrict access to SSH with (a)
> firewall(s) to those locations that need to log in. (insert your
> favorite prevention-cure-quote here ;)  That way you don't even open
> yourself to SSH brute force attacks.
> Then, having limited the scope for the rule through firewall ACLs, you
> can probably even better tune the threshold values.

Ya, that'd be nice. I don't control all the nets we monitor though. I 
can recommend till I'm blue in the face, but things like that often 
don't get done. :)

You're definitely right though. If can have a set number of sources you 
should control access. Just like a term server. :)

Thanks Frank.


More information about the Snort-sigs mailing list