SSH service publicly accessible

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when multiple external connections are made to the port for SSH (22).

Strategy

Production hosts should not be publicly-accessible via SSH. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Review all events for connections from unexpected IP addresses.
  2. Move the sshd service to a private network. If you must expose the host through SSH, restrict access with a security group.
  3. Review login events and related signals for malicious activity.

This detection is based on data from Cloud Network Monitoring.