How to avoid successful SSH Brute Force Attack

Simon Cifre 0 Reputation points
2023-02-28T19:38:42.8533333+00:00

Daily I receive alerts for "Successful SSH Brute Force Attack".

I have the SSH service active, but on a port other than the default TCP/22.

I have Azure Firewall that protects my server at the network level.

The origin of SSH Brute Force attacks is an IP within the range assigned by Azure Firewall.

The attack events originate when users use the SSH service normally, but it is detected as an attack.

Warning example:

Successful Ssh Brute Force Attack

Analysis of Host data has detected Successful Brute Force Attack. The IP 10.0.2.8 was Making Multiple Login Attempts. This means that the host may be committed and controlled by a malicious actor.

I request any recommendation to detect the origin of the problem and avoid the SSH attack.


1 answer

  1. KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator
    2023-03-02T20:46:57.7966667+00:00

    Hi Simon Cifre, thanks for posting your query on Microsoft Q&A.
    Apologies for the delay, as I was trying to figure out the best course of action for your case.
    Here are my recommendations:

    One way to reduce exposure to an attack is to limit the amount of time that a port on your virtual machine is open. Ports only need to be open for a limited amount of time for you to perform management or maintenance tasks. Just-In-Time VM Access helps you control the time that the ports on your virtual machines are open. It leverages network security group (NSG) rules to enforce a secure configuration and access pattern.
    Reference documents:

    Secondly, here is a good article on Automation to Block Brute-force Attacked IP detected by Microsoft Defender for Cloud: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/automation-to-block-brute-force-attacked-ip-detected-by/ba-p/1616825

    Thirdly, please go through the Best practices for defending Azure Virtual Machines, shared by Microsoft Security Team: https://www.microsoft.com/en-us/security/blog/2020/10/07/best-practices-for-defending-azure-virtual-machines/

    If there are further questions or you have already tried the suggestions shared above, please let me know in the "comments" and I can investigate further on this, over email with you.
    Comments are the best way to share your questions/concerns, as I will be notified immediately that way and can respond to you faster.

    If this helped, 'Accept answer' so that it can help others in the community facing the same issue.

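The alert quoted in the question fires on the pattern "multiple failed logins, then a success, from one source IP". The following added example (not code from the post, from Microsoft, or from Defender for Cloud) reproduces that logic over constructed sshd auth-log lines and adds a heuristic for the situation described in the question, where every legitimate user reaches the VM through the same Azure Firewall SNAT address. The log lines, the failure threshold and the "shared egress" heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines, not from the original post: several users
# share one Azure Firewall SNAT address (10.0.2.8 is the IP named in the alert).
SAMPLE_LOG = """\
Feb 28 19:30:01 vm1 sshd[1201]: Failed password for alice from 10.0.2.8 port 51000 ssh2
Feb 28 19:30:05 vm1 sshd[1201]: Failed password for alice from 10.0.2.8 port 51000 ssh2
Feb 28 19:30:40 vm1 sshd[1210]: Failed password for bob from 10.0.2.8 port 51010 ssh2
Feb 28 19:31:02 vm1 sshd[1215]: Failed password for invalid user admin from 10.0.2.8 port 51020 ssh2
Feb 28 19:31:20 vm1 sshd[1220]: Accepted publickey for carol from 10.0.2.8 port 51030 ssh2: ED25519 SHA256:abc
Feb 28 19:32:00 vm1 sshd[1230]: Accepted password for alice from 10.0.2.8 port 51040 ssh2
Feb 28 19:33:00 vm1 sshd[1240]: Accepted publickey for dave from 192.0.2.10 port 40000 ssh2: RSA SHA256:def
"""

# Both patterns capture (user, source ip, source port) in the same order.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")

def summarize(log_text):
    """Aggregate sshd login events per source IP."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(), "ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        kind = "failed"
        if not m:
            m = ACCEPTED.search(line)
            kind = "accepted"
        if not m:
            continue  # not a login outcome line
        user, ip, port = m.groups()
        stats[ip][kind] += 1
        stats[ip]["users"].add(user)
        stats[ip]["ports"].add(port)
    return stats

def successful_brute_force(stats, threshold=3):
    """Mirror the alert: at least `threshold` failures and one success from one IP."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= threshold and s["accepted"] > 0)

def likely_shared_egress(stats, ip, min_users=3):
    """Assumed heuristic: many distinct usernames and client ports behind one IP
    point to a NAT/firewall egress address rather than a single attacking host."""
    s = stats[ip]
    return len(s["users"]) >= min_users and len(s["ports"]) >= min_users
```

When the flagged IP also satisfies the shared-egress heuristic, the next step is to correlate the VM's auth log with the Azure Firewall's NAT logs to recover the real client addresses instead of blocking the firewall's own SNAT IP.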
