Defending against SSH attacks


Anyone who administers a publicly accessible SSH server will know that it almost immediately will start getting attacked by brute force logon attempts.

We will set up triggers to automatically block IP addresses that are trying to brute force this logon.

To do this, we will first set up an authentication alert, which will then be chained to a Block IP trigger.


Step 1: Create an Authentication alert

We will first set up an authentication alert as this trigger's threshold settings will be very useful here.

Navigate to Triggers and click the Create button.

Give the trigger a name, such as Authentication alert. In the Event, start typing Authentication and select it from the list that appears. Set Triggers On to Failure. For Triggers Task, enter Generate Alert.


Click on the Threshold tab. We need to pick a reasonable threshold and timeout here. SSH attacks tend to come in quite quickly, so let's set the Alert Threshold slider to 10 and the Threshold Timeout to 1 minute. We'll set the Reset Delay here to 120 seconds, which can limit the number of alerts that may be generated at any time. 


Click the Key tab. Here we choose which keys all need to match to increase the alert threshold count. We'll be looking for attempts with the same username from the same IP against the same authentication scheme. So, select principalName, scheme and ipAddress.


Click the Warning tab. We can type in the text that will appear in the alert. The attributes we used for the key can be useful here to give the administrator useful information, which can be selected with the ${} button.

We shall set the Warning Text to: Too many authentications from IP ${attr.ipAddress} for user ${attr.principalName} on scheme ${attr.scheme}

Click Create to finish creating the Trigger.


Step 2: Creating a Block IP trigger

Select the newly created Authentication alert resource, a visual representation of the trigger flow will appear below it.

Click the plus icon in the red Authentication alert box to chain a new trigger from this one.


Give the trigger a name (Block IP address). The Event will already be filled out because we have chained this trigger.

An authentication alert always results in a Warning, so set the Triggers On to Warning. For Triggers Task, set it to Block IP Address.



Click the Block tab and select the ${attr:ipAddress} attribute for IP Address. Set the Length to 0 to permanently block the offending IP.

Click Create to finish creating the resource.



Click the Authentication alert trigger again, the trigger flow will update as above.


Step 3: Testing

Using SSH, attempt to log in as a user with an incorrect password 10 times in succession. Then navigate to Audit Log in the browser UI.

You will see the Failed authentication attempts, followed by the Alert Warning, followed by a Success Block IP.


You can also navigate to System->Configuration->IP restrictions where you should see the IP address that has been blocked.


Have more questions? Submit a request