Changing to a non-standard port is a start. You should also look at why SSH is available globally. Locking it down seems like an obvious solution to me.
Lastly, I know there are some IPS systems which have mitigation options built-in. It's not much more than a script that logs into your gear and adds a /32 null route for the offending host at your edge. I've never been a fan of this from an automatic perspective but /32 null routes for habitual offenders have always been successful for me anyway.

HTH

--Corey

On Apr 5, 2012, at 5:09 PM, Harri Makela <harri_mak...@yahoo.com> wrote:

> Hi Guys
>
> We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
>
> Issue Description: We have detected SSH_Brute_Force events sourcing from
> external IP x.x.x.x targeting multiple internal IPs. This is probably an
> attempt to gain access to SSH enabled servers.
>
> What could be best practices to handle these alerts? i.e.
>
> change SSH port system wide from 22 to 10022?
> Report the ISP to contact with the customer which is really not a practical
> solution?
>
> Any advice will be highly appreciated. I myself am new to this and trying to
> document the process.
>
> Thanks in advance
> HM
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
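
The /32 null-route idea from the reply above, as an added example that is not part of the original thread: it counts failed SSH logins per source in OpenSSH-style log lines and prints Junos discard routes for an operator to review rather than pushing them automatically. The log lines, threshold, allowlist and function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
Apr  5 17:01:02 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  5 17:01:04 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Apr  5 17:01:05 srv2 sshd[988]: Failed password for root from 203.0.113.7 port 40120 ssh2
Apr  5 17:01:09 srv2 sshd[990]: Failed password for invalid user test from 198.51.100.20 port 51000 ssh2
Apr  5 17:02:11 srv1 sshd[2300]: Accepted publickey for ops from 192.0.2.10 port 60022 ssh2
Apr  5 17:02:30 srv1 sshd[2301]: Failed password for ops from 192.0.2.10 port 60030 ssh2
Apr  5 17:02:31 srv1 sshd[2301]: Failed password for ops from 192.0.2.10 port 60031 ssh2
Apr  5 17:02:32 srv1 sshd[2301]: Failed password for ops from 192.0.2.10 port 60032 ssh2
Apr  5 17:03:00 srv1 sshd[2400]: Failed password for invalid user x from 192.0.2.99 port 1 from 198.51.100.20 port 51001 ssh2
"""

# The user name is attacker-controlled and may itself contain " from <ip> port <n>".
# Greedy ".*" plus the end anchor makes the LAST "from ... port" (written by sshd) win.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def habitual_offenders(log_text, threshold=3, allowlist=("192.0.2.0/24",)):
    """Return IPv4 sources with >= threshold failures, never an allowlisted one."""
    nets = [ipaddress.ip_network(n) for n in allowlist]  # e.g. your own management ranges
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; ignore rather than guess
        if addr.version != 4 or any(addr in n for n in nets):
            continue  # IPv4 only here; allowlist guards against locking yourself out
        counts[addr] += 1
    return sorted((a for a, c in counts.items() if c >= threshold), key=int)

def junos_discard_routes(addrs):
    """Render candidate /32 null routes as Junos set commands for manual review."""
    return [f"set routing-options static route {a}/32 discard" for a in addrs]

if __name__ == "__main__":
    print("\n".join(junos_discard_routes(habitual_offenders(SAMPLE_LOG))))
```

The allowlisted source exceeds the threshold in the sample and is still skipped, which is the failure an unattended version of this script would otherwise cause.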