A lot of SSH Traffic

Started by spetrillo, December 02, 2025, 08:08:16 PM

Hello all,

I am noticing that Suricata is blocking a lot of SSH traffic that is not coming from any valid IPs. If people want to use SSH they have to be on my VPN. Here is a snippet of what I am seeing in the alert log:

2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22   ET SCAN Potential SSH Scan

Could I just add an inbound rule that drops any traffic destined to the IP using port 22? I would prefer to drop the traffic at the front door rather than letting it get to my IDS for processing.

Thanks,
Steve

December 02, 2025, 08:21:17 PM #1 Last Edit: December 02, 2025, 08:23:30 PM by chemlud
Are you exposing ports on WAN?

If not: why run Suricata on that interface in the first place? To watch and see that the internet is a bad, bad place? :-D

Or at least disable SSH rules, if no SSH port is open...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Yes there are a number of web servers in this instance. Yes the Internet is a bad place...but I'd rather drop the traffic and not worry about it. I use Maxmind to provide country IP blocks inbound, and so the only thing left is to see what traffic is coming my way from approved countries and filter out the potentially bad traffic. I do not allow normal SSH over the Internet...we use our VPN for that kind of work.

Skip ssh rules in your config for Suricata. Done.
kind regards
chemlud
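Both halves of the thread can be worked through on the alert log itself: Steve's question of who is actually hitting port 22 (so the drop rule on WAN is justified), and chemlud's advice to skip the SSH signatures once that port is closed. The script below is an added example, not from the thread or from OPNsense; it parses alert lines in the column layout of the snippet Steve quoted (sid, action, interface, src, sport, dst, dport, message), counts sources per destination port, and lists the SIDs that only ever fired on that port as candidates to disable. The sample lines are constructed (only the first one is from the thread), and the output format assumed for disabling rules is suricata-update's `disable.conf` (one SID per line), which is an assumption about the reader's deployment since OPNsense manages rules through its own GUI.

```python
"""Summarise Suricata alert-log lines by source and port, and list the
signatures that only matched a port you do not expose on WAN."""
import re
from collections import Counter, defaultdict

# Constructed sample log in the layout of the snippet from the thread:
# <sid> <action> <interface> <src> <sport> <dst> <dport>   <signature message>
# Only the first line is quoted from the post; the rest are made up here,
# using documentation address ranges, to give the summary something to do.
SAMPLE_LOG = """\
2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22   ET SCAN Potential SSH Scan
2001219 blocked Prod 134.199.195.142 54070 10.0.2.21 22   ET SCAN Potential SSH Scan
2001219 blocked Prod 198.51.100.7 41000 10.0.2.21 22   ET SCAN Potential SSH Scan
2001219 blocked Prod 134.199.195.142 54081 10.0.2.21 22   ET SCAN Potential SSH Scan
2100498 allowed Prod 203.0.113.9 51234 10.0.2.21 443   GPL ATTACK_RESPONSE id check returned root
this line is deliberately malformed and must be skipped
"""

# One regex for the whole line; the message is everything after the dport column.
LINE_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<action>\w+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sid", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def sources_for_port(alerts, dport):
    """Alert count per source address for one destination port, busiest source first."""
    counts = Counter(a["src"] for a in alerts if a["dport"] == dport)
    return counts.most_common()


def sids_only_on_port(alerts, dport):
    """SIDs whose every alert targeted `dport`.

    If that port is not open on WAN (as with SSH behind a VPN), these signatures
    only report background scanning and are the ones worth turning off."""
    ports_by_sid = defaultdict(set)
    for a in alerts:
        ports_by_sid[a["sid"]].add(a["dport"])
    return sorted(sid for sid, ports in ports_by_sid.items() if ports == {dport})


def disable_conf_lines(sids):
    """Render SIDs in suricata-update disable.conf form: one bare SID per line (assumed deployment)."""
    return [str(sid) for sid in sids]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print("Sources hitting port 22:")
    for src, n in sources_for_port(alerts, 22):
        print(f"  {src:<16} {n} alerts")
    sids = sids_only_on_port(alerts, 22)
    print("disable.conf candidates (only ever matched port 22):")
    print("\n".join(disable_conf_lines(sids)))
```

Running it on a real export of the alert log (the same columns, one alert per line) shows at a glance whether the port-22 noise is a handful of scanners or broad background scanning, and the SID list is exactly what to hand to the rule-management step; anything that also fires on ports you do serve stays enabled.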