ssh-refused-conn Scenario

« ssh-refused-conn »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1595confidence:0

Detect sshd refused connections

Installation

cscli scenarios install crowdsecurity/ssh-refused-conn

Description

Detect refused connections to SSHD based on hosts deny and allow rules.

Typically these are defined in different locations based on the distribution.

For Debian/Ubuntu: /etc/hosts.deny and /etc/hosts.allow

YAML Configuration

1type: trigger
2name: crowdsecurity/ssh-refused-conn
3description: "Detect sshd refused connections"
4filter: "evt.Meta.log_type == 'ssh_refused_conn'"
5groupby: evt.Meta.source_ip
6blackhole: 1m
7reprocess: false
8labels:
9  service: ssh
10  confidence: 0
11  spoofable: 0
12  classification:
13    - attack.T1595
14  label: "SSH Refused Connection"
15  behavior: "generic:scan"
16  remediation: true
17

Hub configuration

« ssh-refused-conn »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:sshspoofable:0MITRE:T1595confidence:0

« ssh-refused-conn »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1595confidence:0