Our IPS is picking up a brute force attempt from a server in our environment. Server admins are in denial that pw is failing, but acknowledge there is a lot of logins. I took a capture of the ssh traffic from the server. I see a few ssh sessions taking place, then eventually the IPS blocks the attempts and I get 3 initial SYN packets outbound when the IPS blocks the IP address of the server.
What would I look for in the capture of the initial connections that appear to connect and close to show me there is a password failure?
I see the 3-way handshake, the key exchanges, the Diffie-Hellman exchange, several encrypted packets and the FIN/ACK sequences. What in this capture would the IPS trigger on to know there is a failed attempt? Is there some telltale info in a header?
So far I am not getting good info from the IPS team on what the signature is triggering upon, but I have to assume for now it's seeing an actual brute force attempt. Perhaps it's the number of new sessions and not actual failures. If there is no known way to detect a pw fail in a capture, the excessive creation and tear-down may be the cause.
Once this IPS block occurs, the IPS blocks all traffic to / from the server and it's offline for legitimate uses.
I googled a bit for wireshark ssh password failures but get a lot of stuff not fitting the scenario. Figured someone here could help point me in the right direction to look.
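As an added example (not part of the original post), the script below applies the "many short sessions" heuristic the post speculates about to packet-level field output from tshark: it rebuilds each TCP stream that started with a SYN to port 22, measures how long the stream lived, and flags any source that opens more than a threshold of short-lived SSH sessions inside a time window. The tshark command in the docstring, the column order, the thresholds and the addresses are assumptions; the packet lines are constructed, not taken from the poster's capture.

```python
"""Flag brute-force-like SSH behaviour from tshark per-packet field output.

Assumed (hypothetical) extraction command, one CSV line per packet:
  tshark -r ssh.pcap -T fields -E separator=, \
      -e tcp.stream -e frame.time_relative -e ip.src -e ip.dst \
      -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.fin
Boolean fields print as 1/0 on older Wireshark releases and True/False on
newer ones, so both spellings are accepted below.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Stream:
    src: str          # client that sent the initial SYN
    dst: str          # SSH server
    start: float      # time of the SYN
    end: float        # time of the last packet seen in the stream
    packets: int = 0
    completed: bool = False   # a FIN was seen (graceful teardown)


def _truthy(v: str) -> bool:
    return v in ("1", "True", "true")


def rebuild_streams(lines):
    """Group packet lines into Stream records for streams that begin with a SYN to port 22."""
    streams, ignored = {}, set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        sid, t, src, dst, dport, syn, ack, fin = line.split(",")
        t = float(t)
        s = streams.get(sid)
        if s is None:
            if sid in ignored:
                continue
            # Only adopt a stream whose first packet is the client's bare SYN to 22;
            # anything else is mid-capture or not SSH and is skipped.
            if not (_truthy(syn) and not _truthy(ack) and dport == "22"):
                ignored.add(sid)
                continue
            streams[sid] = Stream(src, dst, t, t, 1)
            continue
        s.packets += 1
        s.end = max(s.end, t)
        if _truthy(fin):
            s.completed = True
    return list(streams.values())


def flag_sources(streams, window=60.0, max_sessions=5, max_duration=3.0):
    """Return {src: count} for sources with more than max_sessions sessions of
    at most max_duration seconds whose SYNs fall inside any window-second span."""
    starts_by_src = defaultdict(list)
    for s in streams:
        if s.end - s.start <= max_duration:
            starts_by_src[s.src].append(s.start)
    hits = {}
    for src, starts in starts_by_src.items():
        starts.sort()
        lo, best = 0, 0
        for hi, t in enumerate(starts):          # sliding window over SYN times
            while t - starts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > max_sessions:
            hits[src] = best
    return hits


def _synth_session(sid, t0, src, dst, duration, n_data):
    """Constructed packet lines for one client->server SSH session (sample data only)."""
    cport = 50000 + sid
    step = duration / (n_data + 3)
    lines = [f"{sid},{t0:.3f},{src},{dst},22,1,0,0",                 # SYN
             f"{sid},{t0 + step:.3f},{dst},{src},{cport},1,1,0",      # SYN/ACK
             f"{sid},{t0 + 2 * step:.3f},{src},{dst},22,0,1,0"]       # ACK
    for i in range(n_data):                      # kex + encrypted packets, alternating direction
        t = t0 + (3 + i) * step
        if i % 2 == 0:
            lines.append(f"{sid},{t:.3f},{src},{dst},22,0,1,0")
        else:
            lines.append(f"{sid},{t:.3f},{dst},{src},{cport},0,1,0")
    lines.append(f"{sid},{t0 + duration:.3f},{src},{dst},22,0,1,1")  # FIN/ACK
    return lines


# Constructed sample: eight 1.2 s sessions from one client inside ~20 s,
# plus one long interactive session from a different host.
SAMPLE_LINES = []
for _k in range(8):
    SAMPLE_LINES += _synth_session(_k, 1.0 + 2.5 * _k, "10.0.0.5", "10.0.0.9", 1.2, 10)
SAMPLE_LINES += _synth_session(8, 5.0, "10.0.0.7", "10.0.0.9", 300.0, 40)


def analyse(lines=None):
    return flag_sources(rebuild_streams(SAMPLE_LINES if lines is None else lines))


if __name__ == "__main__":
    for src, n in analyse().items():
        print(f"{src}: {n} short-lived SSH sessions inside the window")
```

The reason this works on session shape rather than content: in SSH-2 the password exchange and the server's USERAUTH_FAILURE reply are sent after the key exchange, so they are encrypted and nothing in a TCP or SSH header says "wrong password". What is visible is that a failed login typically produces a stream that is torn down after only a handful of encrypted packets, and a brute-force tool produces many of those in a row, which is the same kind of signal a rate-based IPS rule counts.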