How to block SSH scans with IPS

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

LuCar Toni said:

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

 

The first: I have a port forward to one of my SSH servers and want to protect it from SSH brute force/hack (breaking the algorithm) attempts.

Mh. First of all, would suggest to Update to V17.5 beta.

The new Talos Engine in 17.5 can help to prevent those attacks.

Second: You can build IPS pattern by yourself.

http://docs.sophos.com/nsg/sophos-firewall/v16056/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsCustomSignatureManage.html

Here is an example:

https://stackoverflow.com/questions/47742405/using-snort-suricata-i-want-to-generate-an-ssh-alert-for-every-failed-login-to

Should work with XG. Feel free to post your output. 

Thanks, I rather skip beta products as much as possible since I dont want unwanted crashes or false positives :)
The suggested SSH brute force rule on slashdot does not have the same format as the Sophos XG firewall wants, it gives an error (see screenshots attached/posted in this post):

The rule:

The error message:

Would be great if we can also use Emerging Threats Open signatures btw :)

PS, is this the correct URL for the 17.5 beta for an APU2C4 (serial installation) firmware update? ->

Testing the 17.5.0-beta now...

Hi, 

your ips rule is not correct. You cannot copy paste the rule. 

This topic is unfortunately more complex. 

https://www.youtube.com/watch?v=RUmYojxy3Xw

you could also suggest a KBA for "how to do it". 

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions

I am currently not quite sure, if you can use those values like in the snort example. 

Hi, 

your ips rule is not correct. You cannot copy paste the rule. 

This topic is unfortunately more complex. 

https://www.youtube.com/watch?v=RUmYojxy3Xw

you could also suggest a KBA for "how to do it". 

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions

I am currently not quite sure, if you can use those values like in the snort example. 

Ok, the 17.5 beta version had a SSH brute force protection rule but now 2 hours later the rule has disappeared (perhahs after the pattern update?).

The Snort rules you're referring to are not usefull for Sophos XG so the next help is to propose a KB article dedicated how to create a custom rule?

The Point is: XG gives you the possibility to write your own IPS Rules. So it depends now: Are you an business customer, try to build them at your own or get in touch with your sophos partner to get help to build the correct rule. 

Or you are a home user, so feel free to build it on your own needs.

This anti guessing feature is not implemented but can be covered by the IPS. This is my point. 

So did some kind of testing at my own.

Here is the complete documentation of all possible IPS values.

http://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/IPSCustomPatternSyntax.html

The Point is, there is no counting feature in XG right now. What this means, is that the IPS pattern, like suggested by the external article, does not work. 

https://stackoverflow.com/questions/47742405/using-snort-suricata-i-want-to-generate-an-ssh-alert-for-every-failed-login-to

This user assumed to have the possibility to count the packets. But to be honest, like he mentioned, this is only a alert feature. Because you cannot take a look in the authentication (encrypted). You can only track the Hits by the "attacker" and simply "deny those after X guesses". This would also be possible on the SSH server, i guess.

Next point is, i would not leave port 22 open to the internet. I am a fan of using VPN connections to connect to SSH. 

Second point is, would rather use an alternative "unknown" port for SSH. By changing the port on DNAT to 2244 or something like that, you reduce the "attacks" by quite a bit. 

I would at best have something similar to the Emerging Threats open rules that have helped me very well in the past with Pfsense/OPNsense:

https://doc.emergingthreats.net/bin/view/Main/2019876 

https://docs.emergingthreats.net/bin/view/Main/2001219

I can always opt to disable it but now I got nothing except something on the hosts theirselves but that surpasses the idea of an IPS at gateway level.