Hi Kevin,
Thanks for your input, I have taken your ideas on board. In case
anyone is interested, here is an OSSEC configuration that works well
for me:

decoder.xml:

<decoder name="ssh-scan2">
  <parent>sshd</parent>
  <prematch>^Did not receive identification|^Bad protocol version</prematch>
  <regex offset="after_prematch"> from (\d+.\d+.\d+.\d+)$</regex>
  <order>srcip</order>
</decoder>


sshd_rules:

  <rule id="5706" level="4">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <description>SSH insecure connection attempt (scan).</description>
  </rule>

  <rule id="100160" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5706</if_matched_sid>
    <description>Possible scan or breakin attempt </description>
    <description>(high number of identification failures).</description>
  </rule>


You may or may not need to change some things such as the rule
id="100160". Also note that the decoder rule (and sshd rule 5706)
probably already exists for you but I changed it a bit. This works
fine for me by banning hosts who give me four identification failures
in 360 seconds.

Chris
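The following is an added worked example, not part of Chris's post and not OSSEC code: a small Python model of what the decoder and the two rules above do, run over a few constructed sshd log lines. It translates the decoder's pattern into Python regex (in OSSEC's own regex dialect a plain `.` in `\d+.\d+.\d+.\d+` is a literal dot, so the Python version uses `\.`), reproduces rule 5706 as a single hit per matching line, and reproduces rule 100160 as a per-source sliding window of 360 seconds with a threshold of four hits. It goes slightly beyond the post in one respect: newer OpenSSH releases append ` port N` to these messages, which the `$` anchor in the posted regex does not allow for, so the translated pattern accepts an optional trailing port. The host name, PIDs, timestamps and addresses in the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder equivalent. PREMATCH plays the role of <prematch>; SRCIP plays the
# role of the <regex offset="after_prematch"> that extracts srcip. The
# optional "(?: port \d+)?" is an assumption added here for newer sshd
# message formats; the posted OSSEC regex stops at the address.
PREMATCH = re.compile(r"^(Did not receive identification|Bad protocol version)")
SRCIP = re.compile(r" from (\d+\.\d+\.\d+\.\d+)(?: port \d+)?$")

# Rule 100160 parameters from the post: frequency="4" timeframe="360".
FREQUENCY = 4
TIMEFRAME = 360  # seconds

# Syslog line shape assumed here: "<Mon D HH:MM:SS> <host> sshd[<pid>]: <msg>"
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")

# Constructed sample log (not real traffic). 203.0.113.7 produces four
# identification failures inside 360 s; 192.0.2.9 produces two, far apart.
SAMPLE_LOG = """\
Mar 3 10:00:01 bastion sshd[2001]: Did not receive identification string from 203.0.113.7
Mar 3 10:00:05 bastion sshd[2002]: Accepted publickey for alice from 198.51.100.20 port 50122 ssh2
Mar 3 10:01:10 bastion sshd[2003]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.7
Mar 3 10:02:30 bastion sshd[2004]: Did not receive identification string from 203.0.113.7 port 40111
Mar 3 10:03:00 bastion sshd[2005]: Did not receive identification string from 192.0.2.9
Mar 3 10:04:45 bastion sshd[2006]: Did not receive identification string from 203.0.113.7
Mar 3 10:20:00 bastion sshd[2007]: Did not receive identification string from 192.0.2.9
""".splitlines()


def decode(line, year=2023):
    """Decoder stage: return (timestamp, srcip) for a matching sshd line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    msg = m.group(2)
    if not PREMATCH.match(msg):      # <prematch> did not hit: not our event
        return None
    ip = SRCIP.search(msg)           # <regex> after the prematch: pull srcip
    if not ip:
        return None
    return ts, ip.group(1)


def analyze(lines):
    """Rules stage: return a list of (rule_id, level, srcip, timestamp) alerts."""
    alerts = []
    recent = defaultdict(deque)      # srcip -> timestamps of recent 5706 hits
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue
        ts, ip = decoded
        alerts.append(("5706", 4, ip, ts))           # one alert per failure
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()                              # drop hits outside 360 s
        if len(q) >= FREQUENCY:                      # 4 hits within 360 s
            alerts.append(("100160", 10, ip, ts))
            q.clear()                                # start a fresh window
    return alerts


def scan_sources(lines):
    """Convenience: the set of source addresses that triggered rule 100160."""
    return {a[2] for a in analyze(lines) if a[0] == "100160"}


if __name__ == "__main__":
    for rule_id, level, ip, ts in analyze(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} rule {rule_id} level {level} srcip {ip}")
```

Running it prints six level-4 hits (rule 5706) and a single level-10 alert (rule 100160) for 203.0.113.7 at 10:04:45; the second source never reaches four hits inside the window, and the successful login line is never decoded at all.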
