
Flowmon ADS

SSHDICT - SSH Attack

  • Last Updated: April 5, 2026

Method description

This method detects attempts to guess a user name or password, or to log in with a forged certificate, against the SSH service (TCP/22). The method builds a persistent tree of attackers and victims, and once the limit for an attacker/victim pair is exceeded (by default 20 attempts from a single IP address, or the value of the AttackAttempts option), an event is reported. The method can also detect a successful attack, based on an abrupt change in the statistical properties of the traffic, and the end of the attack. This makes it possible to detect an ongoing attack promptly and block the attacker before the password is revealed. If there is a longer pause between the attacker's activities (more than 30 minutes, or the value of the AttackHole option), the attack from a single IP address may be interpreted as several separate attacks.

This method consists of the following sub-method:

  • General: Reports the password-guessing attacks (dictionary or brute-force based) on an SSH server.

Method configuration

It is recommended to apply this method to all IP addresses, so that it monitors not only attacks against your servers but also attacks from your network towards the Internet. The right places for traffic monitoring are the central switch and the Internet uplink.

Method parameters

  • AttackAttempts: Minimum number of login attempts from one attacker on the SSH service before an event is reported.

  • AttackHole: If there are no login attempts during the period specified by this parameter, the attack is marked as finished.

  • MinTargets: Minimum number of targets of the attack required to generate the event.

  • ObscurePorts: Comma-separated list of port numbers other than 22 on which the SSH service is provided in the monitored network.

  • MaxPackets: Maximum number of packets per login attempt that is taken into account during detection. A value of zero disables this limit. Omitting flows with a higher number of packets lowers the false positive rate, but it makes the determination of success less accurate.

  • ExcludeUnsuccessful: If enabled, unsuccessful attacks are not reported.

  • PartOfAttack: If an address is already the target of a detected attack, an attack on it from a different attacker is reported after fewer login attempts, reduced according to this ratio.

  • SuccAttack: Minimum number of unsuccessful attempts that must precede a successful attempt for it to be considered an attack.

  • TimeWindow: Attempt statistics are kept for this period (unless an attack is detected).
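To make the attacker/victim counting described above concrete, here is an added illustration (not Flowmon's code) of how the AttackAttempts, AttackHole, ObscurePorts and MaxPackets parameters interact when flows are counted per attacker/victim pair. The flow records, IP addresses and timestamps are constructed for the example; the thresholds are the defaults the documentation states.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """Constructed SSH flow record: src IP, dst IP, dst port, packets, epoch seconds."""
    src: str
    dst: str
    dport: int
    packets: int
    ts: int

class SSHDictDetector:
    """Illustrative attacker/victim tree following the SSHDICT parameters (not Flowmon's code).
    Defaults: AttackAttempts=20, AttackHole=30 min, as the documentation states."""
    def __init__(self, attack_attempts=20, attack_hole=1800, obscure_ports=(), max_packets=0):
        self.attack_attempts = attack_attempts
        self.attack_hole = attack_hole
        self.ports = {22, *obscure_ports}        # ObscurePorts extends the default SSH port
        self.max_packets = max_packets           # MaxPackets; 0 means no limit
        self.tree = defaultdict(dict)            # attacker -> victim -> per-attack state
        self.events = []

    def feed(self, flow):
        """Count one flow; return an (attacker, victim, attempts) event when the limit is hit."""
        if flow.dport not in self.ports:
            return None
        if self.max_packets and flow.packets > self.max_packets:
            return None                           # long session: not a bare login attempt
        state = self.tree[flow.src].get(flow.dst)
        if state is None or flow.ts - state["last"] > self.attack_hole:
            # AttackHole: a gap longer than the hole closes the old attack and starts a new one
            state = {"count": 0, "last": flow.ts, "reported": False}
            self.tree[flow.src][flow.dst] = state
        state["count"] += 1
        state["last"] = flow.ts
        if state["count"] >= self.attack_attempts and not state["reported"]:
            state["reported"] = True              # report each attacker/victim attack once
            self.events.append((flow.src, flow.dst, state["count"]))
            return self.events[-1]
        return None

def run(flows, **params):
    det = SSHDictDetector(**params)
    return [ev for ev in (det.feed(f) for f in flows) if ev]

# Constructed sample: 25 guesses, then 10 more an hour later (a separate attack, below the limit),
# plus 30 guesses against a non-standard port that only count when ObscurePorts lists it.
SAMPLE = [Flow("203.0.113.5", "192.0.2.10", 22, 12, 1000 + i) for i in range(25)]
SAMPLE += [Flow("203.0.113.5", "192.0.2.10", 22, 12, 10000 + i) for i in range(10)]
SAMPLE += [Flow("198.51.100.7", "192.0.2.10", 2222, 12, 1000 + i) for i in range(30)]
```

With the defaults, `run(SAMPLE)` reports one event for 203.0.113.5 at its 20th attempt; the ten attempts after the gap form a new, unreported attack, and the port-2222 guesses are only counted once `obscure_ports=(2222,)` is passed.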

Assigned filter

The filter is used for the restriction of source or destination IP addresses.

Interpretation of results

The results of this method are relatively straightforward: the method detects an attack on the SSH service. The method may produce false positives when evaluating the activity of some surveillance or monitoring systems that use the SSH protocol.
