cscli scenarios install crowdsecurity/ssh-bf
Detect failed ssh authentications :
1# ssh bruteforce2type: leaky3name: crowdsecurity/ssh-bf4description: "Detect ssh bruteforce"5filter: "evt.Meta.log_type == 'ssh_failed-auth'"6leakspeed: "10s"7references:8 - http://wikipedia.com/ssh-bf-is-bad9capacity: 510groupby: evt.Meta.source_ip11blackhole: 1m12reprocess: true13labels:14 service: ssh15 confidence: 316 spoofable: 017 classification:18 - attack.T111019 label: "SSH Bruteforce"20 behavior: "ssh:bruteforce"21 remediation: true22---23# ssh user-enum24type: leaky25name: crowdsecurity/ssh-bf_user-enum26description: "Detect ssh user enum bruteforce"27filter: evt.Meta.log_type == 'ssh_failed-auth'28groupby: evt.Meta.source_ip29distinct: evt.Meta.target_user30leakspeed: 10s31capacity: 532blackhole: 1m33labels:34 service: ssh35 remediation: true36 confidence: 337 spoofable: 038 classification:39 - attack.T158940 behavior: "ssh:bruteforce"41 label: "SSH User Enumeration"42