SSH Brute Force Attack ...


John Dworske

Mar 8, 2016, 5:34:36 PM
to securit...@googlegroups.com

Security Onion Folks,

[2016-03-08 21:55:35] ALERT 2.222639 from sfo-ids-02-eth1-1: ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack. 81.212.109.229 (81.212.109.229.static.turktelekom.com.tr):56833 -> 192.168.11.10 (sfo-xxx.myxx.com):22

So regarding the above-mentioned ALERT that I am getting.

What is the best practice for handling alerts like this?

Should we be concerned that it appears that someone in Turkey is attempting to SSH into one of our systems?

Thank you,

--
John Dworske
Systems Administrator
MyVest.com
Office: 415.284.2789
Cell: 415.351.8598


Josh More

Mar 8, 2016, 5:37:03 PM
to securit...@googlegroups.com
If you're exposing SSH to the world, first try to restrict SSH to authorized IP addresses. If that's not possible, consider making SSH listen internally and requiring people to come in via a VPN.

If neither of these is feasible, block unwanted countries using GEOIP on a firewall and install fail2ban on the server.

-Josh

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
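Josh's advice reduces to two controls: an allow-list of management addresses and fail2ban-style counting of failed logins per source. The Python below, added here and not part of the thread or of fail2ban itself, shows that logic over constructed sshd log lines; the 10.20.0.0/16 management range, the host name and the 2016 year are assumptions.

```python
"""Fail2ban-style triage of SSH brute-force activity (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sshd auth-log lines (not taken from the thread).
SAMPLE_AUTH_LOG = """\
Mar  8 21:55:30 sfo-host sshd[4242]: Failed password for invalid user admin from 81.212.109.229 port 56833 ssh2
Mar  8 21:55:31 sfo-host sshd[4243]: Failed password for root from 81.212.109.229 port 56834 ssh2
Mar  8 21:55:32 sfo-host sshd[4244]: Failed password for invalid user test from 81.212.109.229 port 56835 ssh2
Mar  8 21:55:33 sfo-host sshd[4245]: Failed password for invalid user oracle from 81.212.109.229 port 56836 ssh2
Mar  8 21:55:34 sfo-host sshd[4246]: Failed password for root from 81.212.109.229 port 56837 ssh2
Mar  8 21:55:40 sfo-host sshd[4247]: Failed password for jdworske from 10.20.0.5 port 50001 ssh2
Mar  8 21:55:41 sfo-host sshd[4248]: Accepted publickey for jdworske from 10.20.0.5 port 50002 ssh2
Mar  8 22:30:00 sfo-host sshd[4249]: Failed password for root from 81.212.109.229 port 56900 ssh2
"""

# Matches the timestamp and source address of a failed-password line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip) for every failed-password line (syslog lines carry no year, so one is assumed)."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def offenders(log_text, maxretry=5, findtime=600, allow=("10.20.0.0/16",)):
    """Return {ip: failures} for sources reaching maxretry failures inside a sliding
    findtime-second window, the way a fail2ban sshd jail would; allow-listed
    management ranges (assumed here) are never counted."""
    allowed = [ip_network(n) for n in allow]
    windows = defaultdict(list)
    hits = {}
    for ts, ip in parse_failures(log_text):
        if any(ip_address(ip) in n for n in allowed):
            continue
        windows[ip].append(ts)
        # keep only failures that fall within findtime of the current one
        windows[ip] = w = [t for t in windows[ip] if (ts - t).total_seconds() <= findtime]
        if len(w) >= maxretry:
            hits[ip] = max(hits.get(ip, 0), len(w))
    return hits
```

The single failure from the allow-listed host and the lone retry 35 minutes later do not trigger, while the five-in-five-seconds burst does, which is the pattern the ET SCAN signature in the original alert is keyed on.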

Shane Castle

Mar 9, 2016, 4:19:52 AM
to securit...@googlegroups.com
Yep. This would be a good use for SnortSam, too.

On 08.03.2016 23:36, Josh More wrote:
> If you're exposing SSH to the world, first try to restrict SSH to authorized IP
> addresses. If that's not possible, consider making SSH listen internally and
> requiring people to come in via a VPN.
>
> If neither of these are feasible, block unwanted countries using GEOIP on a
> firewall and install fail2ban on the server.
>
> -Josh
>
--
Mit besten Grüßen
Shane Castle