Difference between revisions of "HIDS 5706"
Latest revision as of 13:11, 27 October 2015
| Rule 5706 | |
|---|---|
| Status | Active |
| Alert Message | SSH insecure connection attempt (scan). |
Description
This rule is triggered when a system connects to the sshd service but does not attempt to actually create an SSH connection, for example when an attacker probes the port to see if SSH is running. SSH clients will not generate this alert, because they create a full connection with the service; this alert will only occur if a probe against the port is initiated or if a client terminates the connection before finishing setting it up.
nmap, for example, uses this method with its version scan and will generate this alert.
Some primitive software packages will "probe" the ssh port before attempting to connect to it, instead of actually connecting. If you are using software of this type and you need to allow probes of your ssh port, you will need to disable active response for this rule.
Log example
sshd[21424]: Did not receive identification string from 1.2.3.4
Troubleshooting
False Positives
Some simple or old monitoring packages may use this method to see if the SSH service is listening, which can generate this alert. We do not recommend you disable this rule.
Tuning Guidance
Instead, if your monitoring system is generating this alert, we recommend you whitelist its IP or change to a monitoring solution that actually establishes an SSH-aware connection to the SSH service.
If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to probe ssh servers.
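To illustrate both the detection behind this rule (the sshd "Did not receive identification string" message from the log example above) and the tuning guidance of whitelisting a monitoring host rather than disabling the rule, here is an added example written for this page; it is not OSSEC's own decoder or rule engine. The log lines, the hostname and the monitoring address 10.0.0.5 are constructed, and the parser only accepts the message format shown on this page (with or without a trailing "port N").

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the sshd message that fires rule 5706. This is a hypothetical
# parser for this example, not the OSSEC sshd decoder.
SSHD_NO_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Did not receive identification string from "
    r"(?P<src>\S+)(?: port \d+)?$"
)

def parse_alerts(log_lines, whitelist=()):
    """Return (alerts, suppressed): rule-5706 events, split by whether the
    source address falls inside a whitelisted network (tuning guidance)."""
    nets = [ip_network(w, strict=False) for w in whitelist]
    alerts, suppressed = [], []
    for line in log_lines:
        m = SSHD_NO_IDENT.search(line.rstrip())
        if not m:
            continue  # any other sshd message does not trigger this rule
        src = m.group("src")
        try:
            addr = ip_address(src)
        except ValueError:
            addr = None  # sshd may log a hostname; never silently whitelist it
        event = {"rule": 5706, "pid": int(m.group("pid")), "src": src, "raw": line}
        if addr is not None and any(addr in n for n in nets):
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed

def count_by_source(alerts):
    """Probes per source address; repeated hits from one source look like a scan."""
    return Counter(e["src"] for e in alerts)

# Constructed sample log: two probes from one source, one from a monitoring
# host, and one real SSH login that must not match.
SAMPLE_LOG = [
    "Oct 27 13:11:02 host sshd[21424]: Did not receive identification string from 1.2.3.4",
    "Oct 27 13:11:05 host sshd[21430]: Did not receive identification string from 10.0.0.5",
    "Oct 27 13:11:06 host sshd[21433]: Accepted publickey for alice from 10.0.0.9 port 51234 ssh2",
    "Oct 27 13:11:09 host sshd[21440]: Did not receive identification string from 1.2.3.4 port 40322",
]

if __name__ == "__main__":
    alerts, suppressed = parse_alerts(SAMPLE_LOG, whitelist=["10.0.0.5/32"])
    print("alerts:", count_by_source(alerts), "suppressed:", len(suppressed))
```

With the monitoring host whitelisted, the two probes from 1.2.3.4 still alert while the monitor's probe is suppressed, which is the outcome the tuning guidance describes.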
Additional Information
Similar Rules
Knowledge Base Articles
None.
Outside References
None.