
Brute-force SSH attack prevention depends on network monitoring basics

Expert Brad Casey discusses why effective brute-force SSH attack prevention means improving network monitoring instead of closing TCP port 22.

I've noticed an uptick in brute-force SSH attack attempts on non-standard ports on our network. What do you think could be behind this, and how should I go about securing those ports?

When you see an uptick in any type of attack, this could be an indicator that attackers sense vulnerability in a certain area. In this particular instance, some pockets of the IT world utilize non-standard ports for SSH access with the idea that attackers can be fooled by TCP port 22 being closed. I’ve never considered obscurity to be a viable security measure, so if your organization is employing this SSH attack prevention strategy, I would suggest reassessing whether it is actually working. 

However, if you feel strongly about pressing ahead with this SSH attack prevention method, I would suggest configuring your firewall and/or intrusion detection system to trigger an alarm whenever an unusually large number of login attempts is detected. Because what counts as "unusual" differs from network to network, you will have to set the threshold from your own baseline of normal login activity. Also make sure you have a strict lockout policy that takes effect once a certain number of failed login attempts from a source is reached. 

When it comes to SSH attack prevention, always check your logs. If your organization is like most, it probably maintains some sort of scripting mechanism that parses through the logs looking for anomalies – for example fail2ban. However, nothing is quite as effective as human intuition. Pay particular attention to the non-standard ports you've authorized for SSH access, and use common sense when monitoring their activity.
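The threshold alarm and lockout policy described above, and the log parsing that a fail2ban-style script performs, both come down to the same logic: count failed logins per source within a sliding time window, alert when the count crosses a threshold, and treat the source as locked out for a period. The following is an added example of that logic written for this page; it is not Brad Casey's code, not fail2ban's, and not part of the original article. The OpenSSH log lines are constructed (hypothetical host "bastion", TEST-NET addresses), the syslog timestamps are assumed to fall in 2013 because the format carries no year, and the threshold, window and lockout values are illustrative. One caveat a practitioner should know: the "port N" field in sshd's "Failed password" line is the client's ephemeral source port, not the port sshd listens on, so attributing attempts to a particular non-standard listening port needs either one sshd instance per port (each logging under its own process name) or correlation with firewall logs that record the destination port.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard OpenSSH auth-log line for a rejected password. Caveat: the trailing
# "port N" is the client's source port, not the port sshd listens on; to tie
# attempts to a specific non-standard listening port, run one sshd per port or
# correlate with firewall logs that carry the destination port.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (hypothetical host "bastion", TEST-NET addresses):
# six rapid failures from one source, one legitimate key login, and two
# widely spaced failures from a second source that should not alert.
SAMPLE_LOG = """\
Apr 10 09:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr 10 09:15:03 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Apr 10 09:15:04 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 40131 ssh2
Apr 10 09:15:06 bastion sshd[2207]: Accepted publickey for deploy from 198.51.100.7 port 51010 ssh2: RSA SHA256:examplefingerprint
Apr 10 09:15:07 bastion sshd[2209]: Failed password for root from 203.0.113.5 port 40140 ssh2
Apr 10 09:15:09 bastion sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 40142 ssh2
Apr 10 09:15:10 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40150 ssh2
Apr 10 09:20:30 bastion sshd[2301]: Failed password for alice from 198.51.100.7 port 51020 ssh2
Apr 10 09:40:00 bastion sshd[2402]: Failed password for alice from 198.51.100.7 port 51033 ssh2
"""


def parse_ts(ts, year=2013):
    # Syslog timestamps carry no year; 2013 is assumed here (the article's year).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=5, window_seconds=60, lockout_seconds=600):
    """Sliding-window brute-force detector with a lockout decision.

    Returns (alerts, locked_until):
      alerts       - list of (timestamp string, source IP, failures in window),
                     one entry raised the moment a source reaches `threshold`
                     failed logins inside `window_seconds`.
      locked_until - source IP -> datetime until which that source is locked out.
    The numeric defaults are illustrative; set them from your own baseline.
    """
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    locked_until = {}
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and unrelated lines are ignored
        t, ip = parse_ts(m["ts"]), m["ip"]
        if ip in locked_until and t < locked_until[ip]:
            continue                # already locked out; don't re-alert on every probe
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()        # drop failures that have aged out of the window
        if len(window) >= threshold:
            alerts.append((m["ts"], ip, len(window)))
            locked_until[ip] = t + timedelta(seconds=lockout_seconds)
            window.clear()          # start counting afresh once the lockout expires
    return alerts, locked_until


if __name__ == "__main__":
    found, locked = detect(SAMPLE_LOG.splitlines())
    for ts, ip, n in found:
        print(f"{ts} ALERT {ip}: {n} failed logins within window, "
              f"locked out until {locked[ip]:%H:%M:%S}")
```

Run as-is it flags 203.0.113.5 at 09:15:09 on its fifth failure in eight seconds and ignores the two failures from 198.51.100.7 twenty minutes apart, which is the distinction the threshold has to draw between a scanner and a user mistyping a password. In a real deployment the `locked_until` map is what you would feed to the firewall (a drop rule or ipset entry) rather than only to an alert.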

This was first published in April 2013
