Description

This rule is triggered when a connection is made to the SSH service that does not actually try to create an SSH connection. This does not occur with actual SSH client connections. This occurs when a connection does not negotiate with the SSH daemon as an SSH aware client. For example, telneting to the SSH port will generate this alert.

This method is used by attackers to determine if SSH is running on the system, and what version of SSH the system is using.

Log example

sshd[21464]: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN

Troubleshooting

False Positives

Some simple or old monitoring packages may use this method to see if the SSH service is up, which can generate a false positive.

Tuning Guidance

We do not recommend you disable this rule. Instead if your monitoring system is generating this alert, we recommend you whitelist the IP or change to a monitoring solution that actually establishes an SSH aware connection to the SSH service.

If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to probe ssh servers.

Additional Information

Similar Rules

HIDS_5706

Knowledge Base Articles

None.

Outside References

None.