configserver-lfd-bf Scenario

« configserver-lfd-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

Detects SSH bruteforce attempts blocked by ConfigServer.

Installation

cscli scenarios install crowdsecurity/configserver-lfd-bf

Description

Detects SSH bruteforce attempts blocked by Config Server (aka CSF).

Logs usually in the following file: /var/log/lfd.log

YAML Configuration

1type: trigger
2name: crowdsecurity/configserver-lfd-bf
3description: "Detects SSH bruteforce attempts blocked by ConfigServer."
4filter: "evt.Parsed.program == 'lfd'"
5groupby: evt.Meta.source_ip
6blackhole: 5m
7labels:
8  service: ssh
9  confidence: 3
10  spoofable: 0
11  classification:
12    - attack.T1110
13  label: "SSH Bruteforce"
14  behavior: "ssh:bruteforce"
15  remediation: true
16
17

Hub configuration

« configserver-lfd-bf »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

« configserver-lfd-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3