Brute Force: SSH

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Detection of successful brute force of SSH on a host. To respond to this finding, do the following:

Step 1: Review finding details

  1. Open a Brute Force: SSH finding, as directed in Reviewing findings.

  2. On the Summary tab of the finding details panel, review the information in the following sections:

    • What was detected, especially the following fields:

      • Caller IP: the IP address that launched the attack.
      • User name: the account that logged in.

    • Affected resource

    • Related links, especially the following fields:

      • Cloud Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.

  3. Click the JSON tab.

  4. In the JSON, note the following fields.

    • sourceProperties:
      • evidence:
        • sourceLogId: the project ID and timestamp to identify the log entry
        • projectId: the project that contains the finding
      • properties:
        • attempts:
        • Attempts: the number of login attempts
          • username: the account that logged in
          • vmName: the name of the virtual machine
          • authResult: the SSH authentication result

Step 2: Review permissions and settings

  1. In the Google Cloud console, go to the Dashboard.

    Go to the Dashboard

  2. Select the project that is specified in projectId.

  3. Navigate to the Resources card and click Compute Engine.

  4. Click the VM instance that matches the name and zone in vmName. Review instance details, including network and access settings.

  5. In the navigation pane, click VPC Network, then click Firewall. Remove or disable overly permissive firewall rules on port 22.

Step 3: Check logs

  1. In the Google Cloud console, go to Logs Explorer by clicking the link in Cloud Logging URI.
  2. On the page that loads, find VPC Flow Logs related to the IP address that is listed on the Principal email row in the Summary tab of the finding details by using the following filter:
    • logName="projects/projectId/logs/syslog"
    • labels."compute.googleapis.com/resource_name"="vmName"

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts: Local Accounts.
  2. Review related findings by clicking the link on the Related findings on the Related findings row in the Summary tab of the finding details. Related findings are the same finding type and the same instance and network.
  3. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the project with the successful brute force attempt.
  • Investigate the potentially compromised instance and remove any discovered malware. To assist with detection and removal, use an endpoint detection and response solution.
  • Consider disabling SSH access to the VM. For information about disabling SSH keys, see Restrict SSH keys from VMs. This step could interrupt authorized access to the VM, so consider the needs of your organization before you proceed.
  • Only use SSH authentication with authorized keys.
  • Block the malicious IP addresses by updating firewall rules or by using Google Cloud Armor. You can enable Cloud Armor on the Security Command Center Integrated Services page. Depending on the quantity of information, Cloud Armor costs can be significant. See the Cloud Armor pricing guide for more information.

What's next