Top Offending SSH Failure by Source IP

This search displays a count of failed SSH login attempts for each connecting source IP. It can be used to detect a brute-force attack coming from a particular source IP; once you have identified it, you can put a block in place via an ACL or whatever other method you choose to mitigate the issue. The NOT clause on the first line of the search ignores all attempts to log on to "invalid accounts" (usernames that do not exist on the host). Note that excluding those events also hides attackers who guess usernames rather than passwords, so it is worth running the search both with and without that clause.

Admin Notes: You’ll likely need to specify a different index and/or sourcetype.
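The same detection logic, implemented outside Splunk as an added example (this is not the search from the original post): it parses a handful of constructed sshd auth.log lines, counts "Failed password" events per source IP, optionally drops the "invalid user" events the way the search's NOT clause does, and returns the sources at or above a threshold. The log lines, the threshold value and the function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (not taken from the original page).
# 203.0.113.5 fails against real accounts, 203.0.113.7 only against
# nonexistent ones, 198.51.100.9 is a normal user with one typo.
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:04 bastion sshd[1201]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:01:06 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
Mar  3 10:01:07 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51101 ssh2
Mar  3 10:01:08 bastion sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51102 ssh2
Mar  3 10:01:09 bastion sshd[1205]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Mar  3 10:02:00 bastion sshd[1210]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:02:30 bastion sshd[1211]: Failed password for bob from 198.51.100.9 port 40001 ssh2
"""

# Matches the standard OpenSSH failure message. The optional "invalid user "
# prefix is what sshd emits when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def count_failures(log_text, ignore_invalid_users=True):
    """Count failed logins per source IP.

    ignore_invalid_users=True mirrors the search's NOT clause: attempts
    against accounts that do not exist are not counted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects, etc.
        if ignore_invalid_users and m.group("invalid"):
            continue
        counts[m.group("src")] += 1
    return counts


def top_offenders(log_text, threshold=1, ignore_invalid_users=True):
    """Return (ip, failures) pairs, most failures first, at or above threshold."""
    counts = count_failures(log_text, ignore_invalid_users)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def block_candidates(log_text, threshold, ignore_invalid_users=True):
    """Sorted list of source IPs that crossed the threshold, for feeding an ACL."""
    return sorted(ip for ip, _ in top_offenders(log_text, threshold, ignore_invalid_users))


if __name__ == "__main__":
    for ip, n in top_offenders(SAMPLE_LOG):
        print(f"{ip:<16} {n}")
    print("with invalid users:", top_offenders(SAMPLE_LOG, ignore_invalid_users=False))
```

Running it with the default settings ranks 203.0.113.5 first and never shows 203.0.113.7 at all, even though that source made just as many attempts; switching ignore_invalid_users off brings it back. That is the trade-off the NOT clause makes, so a threshold alert should usually be evaluated both ways.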
