
Thread: Monitor OpenSSH server with Snort?

  1. #1
    Join Date
    Apr 2008
    Location
    Virginia
    Beans
    31
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Monitor OpenSSH server with Snort?

    I'm running an SSH server for encrypted communications when connecting to my desktop remotely.

    I have set SSH to operate on a non-standard port (22002) and was wondering whether anyone has, or considers it important, to set up Snort IDS to monitor port 22002 (SSH server) for attacks.

    If so, are there any special flags you like to run with Snort or preferential way to set up the Snort config file?


    Thanks!

  2. #2
    Join Date
    Jun 2007
    Location
    The Netherlands
    Beans
    1,278
    Distro
    Ubuntu Development Release

    Re: Monitor OpenSSH server with Snort?

    As far as I could tell there is no SSH rule in the default Ubuntu Snort install. Maybe this is because monitoring SSH can be CPU intensive. I have however added a Snort rule to monitor my SSH traffic, and CPU usage is all right.

    Code:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22002 (msg:"SSH incoming"; flow:stateless; flags:S+; sid:100006927; rev:1;)
    The rule is not very informative yet, maybe there are ones out there that better suit your needs. But it tells me if someone is fiddling around with my ssh port.
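The rule above fires on every SYN to the SSH port, so one alert per connection, including your own. The variant below is an added example (not from the thread, not whoop's rule) that only fires once a single source has opened more than five connections to 22002 inside a minute, which is what a password-guessing script looks like on the wire. It assumes Snort 2.8.5 or later (the `detection_filter` option) and that `$HOME_NET` / `$EXTERNAL_NET` are set in snort.conf as usual; the sid is an arbitrary value from the local range (1000000 and up).

```snort
# Added example, not part of the thread. Requires Snort 2.8.5+ (detection_filter).
# Snort sees only the TCP handshake and the encrypted SSH payload on 22002, so
# this counts connection attempts per source; it cannot tell a failed password
# from a successful login. Failed logins are only visible in the sshd auth log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22002 (msg:"SSH: more than 5 connection attempts from one source in 60s"; flow:stateless; flags:S,12; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
```

`flags:S,12` matches a pure SYN while ignoring the two ECN bits, so ECN-capable clients are still counted. Because the payload is encrypted after the key exchange, no Snort rule can answer the question asked later in this thread (alerting on repeated failed authentications); that has to come from /var/log/auth.log, which is exactly what fail2ban reads.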

  3. #3
    Join Date
    Aug 2006
    Beans
    841

    Re: Monitor OpenSSH server with Snort?

    fail2ban monitors auth logs for failed authentications and bans ips accordingly.


    quite handy and easy to setup.

  4. #4
    Join Date
    Apr 2008
    Location
    Virginia
    Beans
    31
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Monitor OpenSSH server with Snort?

    Quote Originally Posted by whoop
    Code:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22002 (msg:"SSH incoming"; flow:stateless; flags:S+; sid:100006927; rev:1;)
    OK, so as long as you have your "HOME_NET" defined in the conf file, this will alert you based on any activity over the desired port, which in this case is 22002? I suppose I would be most interested in multiple failed authentications.

    Quote:
    fail2ban monitors auth logs for failed authentications and bans ips accordingly
    I'll look into this utility before I start asking you questions about functionality and being able to specify which logs to monitor, etc. Thanks!!

  5. #5
    Join Date
    Dec 2006
    Beans
    157
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Monitor OpenSSH server with Snort?

    I would suggest a couple of things to limit the attack vectors on your ssh server.

    1) Disable password authentication and only use public key auth (eliminates brute force password attacks)
    2) Disable TCPKeepAlive and use ClientAliveInterval instead to prevent TCP Spoofing attacks
    3) Use the AllowUsers option
    4) Set MaxAuthTries to something like 2, this could frustrate attacks (although they are probably using scripts, so they probably won't care or notice).

    I know that wasn't really your question, but I thought I would throw it out there and see if it helped. Hope it did.
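The four suggestions above are all sshd_config keywords, and the most common way to get them wrong is not the value but the file layout: sshd applies the first value it reads for a keyword and silently ignores later duplicates. The following is an added example, not code from the thread or from OpenSSH, that parses an sshd_config the way sshd does (first value wins, `#` comments stripped, space or `=` as separator) and reports which of the four recommendations a config fails to meet. Both config fragments are constructed for the example; the defaults table holds OpenSSH's documented defaults for those keywords, and the check stops at the first `Match` block (an assumption: conditional blocks are not evaluated here).

```python
import re

# Constructed sshd_config fragments (not from the thread). The first is a
# stock-like configuration with only the port changed; the second applies
# the four suggestions from the post above.
WEAK_SSHD_CONFIG = """\
Port 22002
PasswordAuthentication yes
TCPKeepAlive yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22002
PasswordAuthentication no
PubkeyAuthentication yes
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers alice
MaxAuthTries 2
"""

# OpenSSH defaults for the keywords checked here (what applies if unset).
DEFAULTS = {
    "passwordauthentication": "yes",
    "tcpkeepalive": "yes",
    "maxauthtries": "6",
    "clientaliveinterval": "0",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's own rule: the first value
    seen for a keyword wins and later duplicates are ignored. Keywords are
    case-insensitive; '#' starts a comment; ' ' or '=' separate key and value.
    Parsing stops at a Match block (assumption: conditional blocks are skipped)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)  # first occurrence wins, as in sshd
    return cfg


def audit_sshd_config(text):
    """Return a list of findings for the four hardening points; [] means all pass."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS.get(key))

    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    if effective("tcpkeepalive") != "no":
        findings.append("TCPKeepAlive is not 'no': liveness relies on spoofable TCP keepalives")
    if int(effective("clientaliveinterval")) == 0:
        findings.append("ClientAliveInterval is 0: sshd never probes idle sessions")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account may log in over SSH")
    if int(effective("maxauthtries")) > 2:
        # Note: every public key the client offers counts as one try, so with
        # MaxAuthTries 2 a client holding several keys needs IdentitiesOnly.
        findings.append("MaxAuthTries is %s: lower it to 2" % effective("maxauthtries"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
```

Before turning PasswordAuthentication off, keep one session open, confirm a key-based login works from a second terminal, and only then reload sshd; a typo in AllowUsers or a key that is not yet installed otherwise locks you out of the box you are securing.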

  6. #6
    Join Date
    Apr 2008
    Location
    Virginia
    Beans
    31
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Monitor OpenSSH server with Snort?

    Quote Originally Posted by gaten View Post
    I would suggest a couple of things to limit the attack vectors on your ssh server.

    1) Disable password authentication and only use public key auth (eliminates brute force password attacks)
    2) Disable TCPKeepAlive and use ClientAliveInterval instead to prevent TCP Spoofing attacks
    3) Use the AllowUsers option
    4) Set MaxAuthTries to something like 2, this could frustrate attacks (although they are probably using scripts, so they probably won't care or notice).

    I know that wasn't really your question, but I thought I would throw it out there and see if it helped. Hope it did.

    No, that's great to know. I am using password authentication and haven't even given a thought to public keys as it is just me (hopefully) using the SSH server. I suppose there's another thread for that.

    I have also been looking at this guide
    https://help.ubuntu.com/community/AdvancedOpenSSH

    Thanks!

  7. #7
    Join Date
    Jun 2008
    Beans
    202

    Re: Monitor OpenSSH server with Snort?

    In my opinion, if you want to know who SSHes into your box, you can just do it by watching the SSH logs.

    Maybe install syslog-ng to forward the SSH connection info to a remote log box.

    Quote Originally Posted by whoop View Post
    Code:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22002 (msg:"SSH incoming"; flow:stateless; flags:S+; sid:100006927; rev:1;)

  8. #8
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,716
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Monitor OpenSSH server with Snort?

    You could also implement iptables to limit traffic on port 22 (or whatever port) to, say, 5 tries per hour (the limit command). Of course this entails the extra step of setting up the firewall (but shouldn't take too long).

  9. #9
    Join Date
    Apr 2008
    Location
    Virginia
    Beans
    31
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Monitor OpenSSH server with Snort?

    I'll run through these ideas. Thanks a lot for the input.

  10. #10
    Join Date
    Apr 2008
    Location
    Virginia
    Beans
    31
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Monitor OpenSSH server with Snort?

    Quote Originally Posted by kevdog View Post
    You could also implement the iptables to limit traffic on port 22 (or whatever port) to like 5 tries per hour -- limit command. Of course this entails the extra step of setting up the firewall (but shouldn't take too long).
    I think that setting up iptables is a bit much for my needs right now. I'm looking for something to monitor SSH authentication for numerous failed attempts. From what I understand, Snort can log this but is there a way to be alerted without sifting through the logs manually?

    I think I'm asking a lot, but an ideal solution would be an IDS logging failed authentications working in conjunction with a log monitor to alert me of any failed authentications.

    Maybe BASE (Basic Analysis and Security Engine) could be set up to send alerts? I haven't installed it but from what I understand, it provides a front-end for reading Snort logs.

    Thanks.
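Post #3 and the question in post #10 come down to the same mechanism: failed SSH logins are recorded by sshd in /var/log/auth.log, and an alert or ban is a matter of counting failures per source address inside a time window. The following is an added example, not code from the thread or from fail2ban, that implements that core logic over a few constructed Ubuntu-style auth.log lines. The `maxretry` and `findtime_s` parameters are named after fail2ban's `maxretry` and `findtime` options by analogy; the host name, PIDs and addresses in the sample lines are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the thread). Traditional syslog
# timestamps carry no year, so only month/day/time is parsed; the "Invalid user"
# line is deliberately included to show it is not double-counted.
SAMPLE_AUTH_LOG = """\
Jul 12 10:00:01 desk sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 12 10:00:04 desk sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jul 12 10:00:06 desk sshd[4105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jul 12 10:00:09 desk sshd[4107]: Invalid user test from 203.0.113.7
Jul 12 10:00:09 desk sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jul 12 10:00:15 desk sshd[4110]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jul 12 10:02:30 desk sshd[4120]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jul 12 10:02:45 desk sshd[4122]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Jul 12 11:30:00 desk sshd[4200]: Failed password for root from 192.0.2.55 port 33000 ssh2
Jul 12 11:45:00 desk sshd[4201]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 12 12:00:00 desk sshd[4202]: Failed password for root from 192.0.2.55 port 33002 ssh2
Jul 12 12:15:00 desk sshd[4203]: Failed password for root from 192.0.2.55 port 33003 ssh2
Jul 12 12:30:00 desk sshd[4204]: Failed password for root from 192.0.2.55 port 33004 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# One failed authentication attempt as sshd logs it (password or public key).
FAIL_RE = re.compile(
    r"^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)


def find_brute_forcers(log_text, maxretry=5, findtime_s=600):
    """Return {ip: datetime_of_ban} for every source that reached `maxretry`
    failed logins within a sliding window of `findtime_s` seconds.
    Successful logins and 'Invalid user' notices are ignored; only the
    'Failed ...' line that sshd writes per attempt is counted."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fail = FAIL_RE.match(m.group("msg"))
        if not fail:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = fail.group("ip")
        if ip in banned:
            continue                # already actioned, no need to keep counting
        recent = windows[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime_s:
            recent.popleft()        # drop failures that fell out of the window
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rule(ip, port=22002):
    """iptables rule a banning action would insert for one offender (string only)."""
    return "iptables -I INPUT -p tcp --dport %d -s %s -j DROP" % (port, ip)


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_AUTH_LOG).items():
        print("%s: %d failures in window, would run: %s" % (when.time(), 5, ban_rule(ip)))
```

With the defaults (5 failures in 10 minutes) only 203.0.113.7 trips the check; 192.0.2.55, which guesses one password every 15 minutes, never has five failures inside the window and is missed. Widening `findtime_s` to 3600 catches it, which is the trade-off fail2ban's `findtime` setting expresses: a slow, patient attacker is only visible with a long window, and a long window makes a legitimate user who mistypes a few times more likely to be banned.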

