The following IDP rule blocks SSH brute-force attacks. The custom attack matches the first data packet of every new TCP connection to port 22 and, because of its time-binding, fires when the same source IP produces three such connections within the time-binding window. Once it fires, the offending connection is closed towards both the client and the server, and the source IP is blocked for 1 hour (3600 seconds). Note that the rule counts new SSH connections, not failed logins: the IDP engine cannot see authentication results inside the encrypted session, so any source that opens three SSH sessions in quick succession, including a legitimate administrator, will be blocked.
Custom Attack
This is the actual attack definition. It should be loaded under the security idp
configuration tree (edit security idp):
custom-attack SSH:BRUTE-FORCE {
    recommended-action close;
    severity major;
    time-binding {
        count 3;
        scope source;
    }
    attack-type {
        signature {
            context first-data-packet;
            pattern .*;
            direction any;
            protocol {
                tcp {
                    destination-port {
                        match equal;
                        value 22;
                    }
                }
            }
        }
    }
}
IDP Policy Rule
To use the above custom attack it needs to be referenced from a rule in your IDP policy. As an example, the IDP policy used here is called Default.Policy;
load the configuration below under the security idp idp-policy Default.Policy rulebase-ips
configuration tree. After committing, the policy must be the active IDP policy and IDP must be enabled in the security policy that permits the SSH traffic, otherwise the rule never sees the connections. The command show security idp attack table lists the attacks that have fired, which is the quickest way to confirm the custom attack is being hit.
rule SSH-Brute:Block {
    description "Block SSH brute force attacks";
    match {
        from-zone any;
        source-address any;
        to-zone any;
        destination-address any;
        application default;
        attacks {
            custom-attacks SSH:BRUTE-FORCE;
        }
    }
    then {
        action {
            recommended;
        }
        ip-action {
            ip-block;
            target source-address;
            log;
            timeout 3600;
        }
        notification {
            log-attacks {
                alert;
            }
        }
    }
}
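To reason about how the custom attack and the rule behave together before committing them, here is a small Python model of their semantics. This is an added example, not Junos code or anything from the original post: it reproduces the time-binding counter (count 3, scope source), the close action on the triggering connection and the ip-block with a 3600-second timeout. The 60-second time-binding window is an assumption, since the configuration above sets only the count; the IP addresses and connection timings are constructed input.

```python
"""Model of the SSH:BRUTE-FORCE custom attack and the SSH-Brute:Block rule.

Added example (not Junos code). It reproduces the counting and blocking
semantics of the two configuration fragments so their behaviour can be
checked offline. The 60-second window is an assumption; 3600 s is the
ip-action timeout from the rule.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

TIME_BINDING_COUNT = 3       # time-binding count 3
TIME_BINDING_WINDOW = 60.0   # assumed window in seconds (not in the config)
IP_BLOCK_TIMEOUT = 3600.0    # ip-action timeout 3600
SSH_PORT = 22                # destination-port value 22


@dataclass
class Verdict:
    forwarded: bool
    reason: str  # "no-match", "counting", "close" or "ip-block"


@dataclass
class IdpModel:
    # scope source: timestamps of matched first data packets, per source IP
    matches: dict = field(default_factory=lambda: defaultdict(deque))
    # ip-action table: source IP -> time the block expires
    blocked: dict = field(default_factory=dict)
    # attack log: (time, source, attack name)
    log: list = field(default_factory=list)

    def _expire_blocks(self, now):
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]

    def first_data_packet(self, now, src, dst_port):
        """Process the first data packet of a new TCP connection."""
        self._expire_blocks(now)
        if src in self.blocked:
            return Verdict(False, "ip-block")      # dropped by ip-action
        if dst_port != SSH_PORT:
            return Verdict(True, "no-match")       # signature does not apply
        # signature hit: pattern .* on first-data-packet of tcp/22
        q = self.matches[src]
        q.append(now)
        while q and now - q[0] > TIME_BINDING_WINDOW:
            q.popleft()                            # drop hits outside the window
        if len(q) < TIME_BINDING_COUNT:
            return Verdict(True, "counting")       # not yet an attack event
        # count reached: attack fires, recommended action close, then ip-block
        q.clear()
        self.log.append((now, src, "SSH:BRUTE-FORCE"))
        self.blocked[src] = now + IP_BLOCK_TIMEOUT
        return Verdict(False, "close")


def run_demo():
    """Replay constructed connection events and return the verdict reasons."""
    idp = IdpModel()
    reasons = []
    attacker, admin = "198.51.100.7", "203.0.113.9"    # constructed addresses
    # attacker opens a new SSH session every 5 seconds
    for t in (0, 5, 10, 15):
        reasons.append(idp.first_data_packet(t, attacker, SSH_PORT).reason)
    # administrator opens three sessions within the window: also blocked,
    # because the rule counts connections, not failed logins
    for t in (12, 20, 30):
        reasons.append(idp.first_data_packet(t, admin, SSH_PORT).reason)
    # attacker is still blocked one second before the timeout, free after it
    reasons.append(idp.first_data_packet(10 + 3599, attacker, SSH_PORT).reason)
    reasons.append(idp.first_data_packet(10 + 3600, attacker, SSH_PORT).reason)
    return reasons


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The replay shows the third connection from a source being closed and every later one dropped by the ip-block until the timeout elapses; it also shows the administrator's burst of three sessions being treated exactly like the attacker's, which is the main caveat to keep in mind when deploying this rule.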