Anomalous failed SSH authentication attempts by a single IP address
Set up the zeek integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when an anomalous number of failed SSH authentication attempts have been made by a single IP address.
Strategy
This rule monitors Zeek SSH logs for when there has been an anomalous number of failed SSH authentication attempts by a single IP address. Attackers may try to brute force access to a server to gain direct or lateral access to a victim’s environment.
Triage and response
- Verify whether the client IP
{{@network.client.ip}}
is internal or external. - For internal IPs, identify the corresponding host and collaborate with the owner to investigate any host-based alerts, addressing potential compromises.
- For external IPs, assess the IP address reputation, specifically looking for associations with SSH-based attacks, and determine if the destination host should be accessible via external IPs over SSH.