Firewall-1

Re: [FW-1] Detect SSH Bruteforce?

Subject: Re: [FW-1] Detect SSH Bruteforce?
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 13 Apr 2007 04:15:52 -0700
Hi,

I don't know how to do it with Checkpoint specifically.  However, I use a
freeware tool called Simple Event Correlation (SEC), and it takes the Checkpoint
log that I get through a LEA server.  From there, with the data in place, I write
SEC rules to do just what you want to accomplish.  SEC is a very powerful tool and
it is free.  Not only can it take logs from Checkpoint, it can also take logs from
the SSH server, NetFlow data and other things, and based on the rules you specified,
it can tell you if your system has been compromised and what you want to do
with that information.

Good luck

Markus Schmidt <Markus.Schmidt AT INTERFACE-SYSTEMS DOT DE> wrote:

Hi there.

Is there a chance to detect SSH brute force to servers in the DMZ by
Checkpoint?
For example blocking a specific IP after 3 SSH connections in 1 minute?

I thought about using SmartDefense "Successive Events", but there I can't
specify a server.

I have NGX R61, is there something that can help me? Is there something
in the newer versions?

I'd like to avoid implementing such a blocker on the DMZ servers, which
of course is possible.

Thx for help!

regards Markus
-- 
http://schmidt.bs-server.com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


       
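The correlation discussed in this thread (flag a source after 3 SSH connections to a chosen DMZ server within 1 minute), as an added example that is not part of either message and is not SEC or Check Point code. The key=value log layout, field names and addresses are constructed assumptions; lines are assumed to arrive in time order, and the function only reports offenders, leaving the blocking step to whatever mechanism is in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value export format; the output
# of a real LEA client differs by tool, so adapt LINE_RE to the actual feed.
SAMPLE_LOG = """\
time=2007-04-13T04:10:00 action=accept src=198.51.100.7 dst=192.0.2.10 service=22
time=2007-04-13T04:10:05 action=accept src=203.0.113.5 dst=192.0.2.10 service=22
time=2007-04-13T04:10:15 action=accept src=198.51.100.7 dst=192.0.2.10 service=22
time=2007-04-13T04:10:20 action=accept src=198.51.100.7 dst=192.0.2.10 service=80
time=2007-04-13T04:10:40 action=accept src=198.51.100.7 dst=192.0.2.10 service=22
time=2007-04-13T04:11:30 action=accept src=203.0.113.5 dst=192.0.2.10 service=22
time=2007-04-13T04:12:00 action=accept src=198.51.100.9 dst=192.0.2.99 service=22
time=2007-04-13T04:12:10 action=accept src=198.51.100.9 dst=192.0.2.99 service=22
time=2007-04-13T04:12:20 action=accept src=198.51.100.9 dst=192.0.2.99 service=22
time=2007-04-13T04:13:00 action=accept src=203.0.113.5 dst=192.0.2.10 service=22
"""

LINE_RE = re.compile(
    r"time=(?P<time>\S+) action=(?P<action>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) service=(?P<service>\d+)")

def detect_ssh_bursts(lines, servers, threshold=3, window=timedelta(minutes=1)):
    """Return (time, src, dst) alerts when one source opens `threshold` SSH
    connections to one watched server within `window`."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        # Only port 22 traffic to the servers we were asked to watch counts.
        if not m or m["service"] != "22" or m["dst"] not in servers:
            continue
        ts = datetime.fromisoformat(m["time"])
        q = recent[(m["src"], m["dst"])]
        q.append(ts)
        while ts - q[0] >= window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, m["src"], m["dst"]))
            q.clear()  # restart the count so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for ts, src, dst in detect_ssh_bursts(SAMPLE_LOG.splitlines(), {"192.0.2.10"}):
        print(f"{ts} possible SSH brute force: {src} -> {dst}")
```

Passing the watched servers as a set is what gives the per-server scoping the original question asked for; sources that connect slowly, or to unwatched hosts, produce no alert.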