Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
SSH is a common target for attackers because it is often enabled by default and provides remote control access to other devices. It is relatively easy for an attacker to guess weak passwords and then attempt SSH connections. The impact to a business can be low if the connection attempt fails or if the attacker connects to a device with limited privileges. However, these activities should be examined before they facilitate critical and costly attacks.
The system might change the risk score for this detection.
Kill Chain
Risk Score
60
SSH is a feature that enables remote management of a device. An attacker can establish an interactive command-and-control (C&C) SSH tunnel to remotely run malicious code on the target device and hide other protocol activity. Before the attacker can gain access to a target device, they must first acquire SSH credentials to establish an SSH connection. When the SSH connection is established, this type of tunnel enables the attacker to maintain encrypted communication with the target device and take the next steps towards their ultimate attack objectives.
Disable SSH unless required
Only allow incoming SSH connections from trusted devices, such as administrator workstations
Enforce policies for strong password creation and limited login attempts
Implement network segmentation and the principle of least privilege to minimize the damage caused by a compromised device
Rely on public key authentication, which is more resilient to brute force attacks than password authentication, by disabling PasswordAuthentication in sshd_config
