How to block SSH scans with IPS

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

LuCar Toni said:

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

 

The first: I have a port forward to one of my SSH servers and want to protect it from SSH brute force/hack (breaking the algorithm) attempts.

Mh. First of all, would suggest to Update to V17.5 beta.

The new Talos Engine in 17.5 can help to prevent those attacks.

Second: You can build IPS pattern by yourself.

http://docs.sophos.com/nsg/sophos-firewall/v16056/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsCustomSignatureManage.html

Here is an example:

https://stackoverflow.com/questions/47742405/using-snort-suricata-i-want-to-generate-an-ssh-alert-for-every-failed-login-to

Should work with XG. Feel free to post your output. 

Thanks, I rather skip beta products as much as possible since I dont want unwanted crashes or false positives :)
The suggested SSH brute force rule on slashdot does not have the same format as the Sophos XG firewall wants, it gives an error (see screenshots attached/posted in this post):

The rule:

The error message:

Would be great if we can also use Emerging Threats Open signatures btw :)

Thanks, I rather skip beta products as much as possible since I dont want unwanted crashes or false positives :)
The suggested SSH brute force rule on slashdot does not have the same format as the Sophos XG firewall wants, it gives an error (see screenshots attached/posted in this post):

The rule:

The error message:

Would be great if we can also use Emerging Threats Open signatures btw :)