What are reasons for brute force signature 40015 SSH Login Attempt in threat logs.

Created On 12/18/21 20:50 PM - Last Modified 01/15/22 18:40 PM


Question


Why am I noticing Threat ID 40015? SSH User Authentication Brute Force Attempt.

Answer


Possible reasons you are noticing Threat ID 40015 (SSH User Authentication Brute Force Attempt) denying or alerting on traffic: https://threatvault.paloaltonetworks.com/?query=40015

This signature triggers when its child signature, Threat ID 31914 (SSH Login Attempt), triggers 20 times within 60 seconds, unless the defaults have been changed. Threat ID 31914 (https://threatvault.paloaltonetworks.com/?query=31914) identifies the SSH version banner that is returned when an SSH login attempt occurs.

This can happen if an application is constantly being denied and re-attempts to log in, or if login prompts occur 20 times within 60 seconds. The recommendation is to gather packet captures and understand the nature of the traffic: is this a misconfiguration, normal traffic, or an attempt to brute force an SSH server?

The only way to know is to review the pcaps and establish the context of the traffic with the system owners. Sometimes the traffic is normal and the thresholds need to be adjusted. In other cases it is a misconfiguration and the application needs to be adjusted. It may also be a genuine attempt to attack an SSH-2 server with multiple login attempts, such as a password dictionary attack. Finally, it could be normal traffic that coincidentally returns the SSH banner string, causing a trigger unrelated to the signature's true intention, i.e. a false positive (unlikely but possible).

Also see: 

Brute Force Signature and Related Trigger Conditions

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC

Change the Brute Force Trigger Criteria:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmsCAC


 


Additional Information


Brute Force Signature and Related Trigger Conditions


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC

Threat Vault Query for Threat ID 40015 https://threatvault.paloaltonetworks.com/?query=40015
Threat Vault Query for Threat ID 31914 https://threatvault.paloaltonetworks.com/?query=31914

If you wish to increase the threshold for the number of attempts before the firewall blocks the requests, you can follow the instructions in the linked article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmsCAC
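The trigger condition described in the answer (child signature 31914 seen 20 times within 60 seconds fires parent 40015) and the threshold adjustment mentioned above can be replayed offline against your own threat-log exports. The following is an added illustration written for this article, not Palo Alto Networks code; the sample events are constructed, and the assumption that the counter re-arms after each hit is not documented on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of child-signature (Threat ID 31914, "SSH Login Attempt") hits.
# Each entry is (timestamp, source IP, destination IP); the values are made up.
T0 = datetime(2021, 12, 18, 20, 50, 0)
CHILD_EVENTS = (
    # 25 login banners in 48 s from one client: a dictionary attack or a tight retry loop
    [(T0 + timedelta(seconds=2 * i), "10.0.0.5", "192.0.2.10") for i in range(25)]
    # 15 login banners in 70 s from another client: noisy, but under the default threshold
    + [(T0 + timedelta(seconds=5 * i), "10.0.0.7", "192.0.2.10") for i in range(15)]
)


def brute_force_hits(events, threshold=20, interval=timedelta(seconds=60)):
    """Replay child-signature events and return where the parent signature (40015)
    would fire under the article's default rule: the child seen `threshold` times
    within `interval`, tracked per source/destination pair.

    Assumption (not stated on the page): the counter re-arms after a hit, so the
    window is cleared and a second hit needs a fresh run of `threshold` attempts.
    """
    windows = defaultdict(deque)
    hits = []
    for ts, src, dst in sorted(events, key=lambda e: e[0]):
        window = windows[(src, dst)]
        window.append(ts)
        # Drop events that have aged out of the trailing interval.
        while window and ts - window[0] > interval:
            window.popleft()
        if len(window) >= threshold:
            hits.append((ts, src, dst, len(window)))
            window.clear()
    return hits


if __name__ == "__main__":
    for ts, src, dst, n in brute_force_hits(CHILD_EVENTS):
        print(f"{ts:%H:%M:%S} 40015 would fire: {src} -> {dst} ({n} child hits in 60 s)")
    # Lowering the threshold (the knob the linked article describes) also catches the
    # second client; raising it would quiet a legitimate but chatty application.
    print(len(brute_force_hits(CHILD_EVENTS, threshold=10)), "hits at threshold 10")
```

Feed the function your real 31914 events and compare the output with what the firewall logged to judge whether the default 20-in-60 threshold fits the traffic the system owners describe.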

