How to block SSH scans with IPS

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

LuCar Toni said:

So basically you want to see some kind of brute force attempts on your SSH Server behind XG? Or do we talk about the XG SSH Server? 

 

The first: I have a port forward to one of my SSH servers and want to protect it from SSH brute force/hack (breaking the algorithm) attempts.

Mh. First of all, would suggest to Update to V17.5 beta.

The new Talos Engine in 17.5 can help to prevent those attacks.

Second: You can build IPS pattern by yourself.

http://docs.sophos.com/nsg/sophos-firewall/v16056/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsCustomSignatureManage.html

Here is an example:

https://stackoverflow.com/questions/47742405/using-snort-suricata-i-want-to-generate-an-ssh-alert-for-every-failed-login-to

Should work with XG. Feel free to post your output. 

Thanks, I rather skip beta products as much as possible since I dont want unwanted crashes or false positives :)
The suggested SSH brute force rule on slashdot does not have the same format as the Sophos XG firewall wants, it gives an error (see screenshots attached/posted in this post):

The rule:

The error message:

Would be great if we can also use Emerging Threats Open signatures btw :)

PS, is this the correct URL for the 17.5 beta for an APU2C4 (serial installation) firmware update? ->

Testing the 17.5.0-beta now...

Hi, 

your ips rule is not correct. You cannot copy paste the rule. 

This topic is unfortunately more complex. 

https://www.youtube.com/watch?v=RUmYojxy3Xw

you could also suggest a KBA for "how to do it". 

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions

I am currently not quite sure, if you can use those values like in the snort example. 

Ok, the 17.5 beta version had a SSH brute force protection rule but now 2 hours later the rule has disappeared (perhahs after the pattern update?).

The Snort rules you're referring to are not usefull for Sophos XG so the next help is to propose a KB article dedicated how to create a custom rule?

The Point is: XG gives you the possibility to write your own IPS Rules. So it depends now: Are you an business customer, try to build them at your own or get in touch with your sophos partner to get help to build the correct rule. 

Or you are a home user, so feel free to build it on your own needs.

This anti guessing feature is not implemented but can be covered by the IPS. This is my point. 

The Point is: XG gives you the possibility to write your own IPS Rules. So it depends now: Are you an business customer, try to build them at your own or get in touch with your sophos partner to get help to build the correct rule. 

Or you are a home user, so feel free to build it on your own needs.

This anti guessing feature is not implemented but can be covered by the IPS. This is my point.