Hello all,
I am noticing that Suricata is blocking a lot of SSH traffic that is not coming from any valid IPs. If ppl want to use SSH they have to be on my VPN. Here is a snippet of what I am seeing in the alert log:
2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22 ET SCAN Potential SSH Scan
Could I just add an inbound rule that drops any traffic destined to the IP using port 22? I would prefer to drop the traffic at the front door rather than letting it get to my IDS for processing.
Thanks,
Steve
Are you exposing ports on WAN?
If not: why run Suricata on that interface in the first place? To watch and see that the internet is a bad, bad place? :-D
Or at least disable SSH rules, if no ssh port open...
Yes there are a number of web servers in this instance. Yes the Internet is a bad place...but I'd rather drop the traffic and not worry about it. I use Maxmind to provide country IP blocks inbound, and so the only thing left is to see what traffic is coming my way from approved countries and filter out the potentially bad traffic. I do not allow normal SSH over the Internet...we use our VPN for that kind of work.
Skip ssh rules in your config for Suricata. Done.
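Added example for the two suggestions in this thread (not code from any poster): take alert-log lines in the column layout Steve pasted, pull out the SIDs that fired on destination port 22, and emit them as a suricata-update disable.conf, next to the "drop it at the front door" firewall rule. Assumptions: the alert columns are sid, action, interface, src IP, src port, dst IP, dst port, message (as in the snippet above); the rule set is managed with suricata-update, whose disable.conf really does take one SID per line; the firewall rule is written in pf syntax with a placeholder interface name (em0), since the thread never names the firewall. All alert lines except the first are constructed, and the 1000001/1000002 SIDs are from the local-use range, not real ET signatures.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a suricata-update disable.conf
# from alert-log lines and prints the matching WAN drop rule.

# Constructed sample alerts in the thread's column layout:
#   sid action iface src_ip src_port dst_ip dst_port msg...
# Only the first line is Steve's; the rest are made up, with local-range SIDs.
SAMPLE_ALERTS='2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22 ET SCAN Potential SSH Scan
2001219 blocked Prod 198.51.100.7 41000 10.0.2.21 22 ET SCAN Potential SSH Scan
1000001 blocked Prod 203.0.113.9 50123 10.0.2.21 22 LOCAL constructed second SSH signature
1000002 blocked Prod 203.0.113.9 50124 10.0.2.22 443 LOCAL constructed web signature'

# Print the distinct SIDs of alerts whose destination port is 22 (field 7),
# sorted numerically. Alerts on other ports (the 443 line) are left alone so
# the web-server signatures keep firing.
ssh_alert_sids() {
    printf '%s\n' "$1" | awk '$7 == 22 { print $1 }' | sort -un
}

# Emit disable.conf content for suricata-update: comment lines plus one SID
# per line. Feed it to suricata-update via its disable-conf setting and the
# listed signatures are dropped from the generated rule set, so the IDS no
# longer spends cycles matching SSH scans against a port that is closed.
disable_conf() {
    printf '# SSH is reachable only over the VPN; WAN-side SSH signatures are noise.\n'
    printf '# One SID per line (suricata-update disable.conf format).\n'
    ssh_alert_sids "$1"
}

# The "front door" rule in pf syntax (assumed platform). "quick" stops rule
# evaluation, so the packet never reaches a later pass rule. $1 is the WAN
# interface name; em0 below is a placeholder.
drop_ssh_rule() {
    printf 'block in quick on %s proto tcp from any to any port 22\n' "$1"
}

# Run stand-alone: show both artefacts for the sample alerts.
disable_conf "$SAMPLE_ALERTS"
drop_ssh_rule "${WAN_IF:-em0}"
```

One caveat worth keeping in mind when weighing the two approaches: if Suricata captures straight off the WAN interface (pcap or netmap style, as the pfSense and OPNsense packages do), it sees packets before the firewall's filter decision, so the drop rule keeps the scans off the hosts behind it but does not reduce what the IDS has to process. Disabling the SSH signatures is what actually cuts the IDS load; the firewall rule is still worth having as defence in depth.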