Don't leave port 22 open!
at the very least if you are change the default port...better still disable root login, and permit only key based connections. Otherwise you leave yourself vulnerable to these kinds of attacks
The IPS does have some brute force type rules but the threshholds are quite high, so it may have gone un-noticed. Make sure the telnet rules are enabled and have a loot at /etc/snort/telnet.rules
| Code: |
telnet.rules:alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:3000001; rev:5; fwsam:src, 1 day; )
|
