Difference between revisions of "HIDS 5706"
(Created page with "{{Infobox |header1= Rule 5706 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = SSH insecure connection attempt (scan). }} = Description = This rule is trig...") |
Revision as of 13:49, 5 October 2013
Rule 5706 | |
---|---|
Status | Active |
Alert Message | SSH insecure connection attempt (scan). |
Contents |
Description
This rule is triggered when a system connects to the sshd service but does not attempt to actually create an SSH connection. For example, if an attacker probes the port to see if SSH is running. SSH clients will not generate this alert. They actually create a connection with the service, this alert will only occur if a probe against the port is initiated.
nmap, for example, uses this method with its version scan and will generate this alert.
Log example
sshd[21424]: Did not receive identification string from 1.2.3.4
Troubleshooting
False Positives
Some simple or old monitoring packages may use this method to see if the SSH service is up, which can generate a false positive. We do not recommend you disable this rule.
Tuning Guidance
Instead if your monitoring system is generating this alert, we recommend you whitelist the IP or change to a monitoring solution that actually establishes an SSH aware connection to the SSH service.
If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to probe ssh servers.
Additional Information
Similar Rules
Knowledge Base Articles
None.
Outside References
None.