Field Effect continually monitors your threat surface, and this ARO alerts you to a string of attacks over SSH from a single known malicious IP against a single host in your network. Its aim is to highlight the current threat and to ensure that you have strong authentication methods in place, such as SSH key-based logins and allow-lists for expected access, to prevent a successful login.
Field Effect alerts on this type of activity because exposed SSH is often targeted by threat actors. It provides a direct method of access to the system, and if it is improperly configured or secured, it can become an entry point for unauthorized threat actors into your network.
Should an SSH login succeed, and as long as a Field Effect endpoint agent is installed on the host in question, Field Effect will also monitor and alert on any suspicious activity and, depending on your Active Response profile, take appropriate action.
You can look up the reputation of the IP using a tool such as https://www.abuseipdb.com/.
If this activity is expected in your network and you plan to keep SSH exposed to the Internet, we recommend implementing security measures to reduce your threat surface. This includes implementing some of the items listed under the 'Mitigation Steps' section of the ARO, such as ensuring you have strong passwords, restricting access using ACLs, and using SSH key-based logins. If SSH does not need to be exposed to the Internet, we recommend disabling public SSH.
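The pattern this ARO describes, many failed SSH logins from one source IP against one host followed possibly by a successful login, can be checked locally against the host's own auth log. The script below is an added example, not part of Field Effect's ARO or tooling; it assumes OpenSSH-style `sshd` syslog lines and runs over constructed sample lines (the IPs, hostnames and fingerprint are placeholders).

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the format OpenSSH writes via syslog.
# 203.0.113.45 plays the attacking IP; 198.51.100.7 is a legitimate admin.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:19 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 10:01:23 web01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 51055 ssh2
Mar  3 10:01:28 web01 sshd[2219]: Failed password for root from 203.0.113.45 port 51062 ssh2
Mar  3 10:02:02 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar  3 10:02:40 web01 sshd[2223]: Accepted password for root from 203.0.113.45 port 51080 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_events(log_text):
    """Yield (result, method, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def triage(log_text, threshold=5):
    """Summarise per source IP: failures, distinct usernames tried, accepted logins.

    An IP with at least `threshold` failures is flagged as brute force; an
    accepted login from a flagged IP is the case needing immediate investigation.
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for result, method, user, ip in parse_events(log_text):
        if result == "Failed":
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
        else:
            stats[ip]["accepted"].append((user, method))
    report = {}
    for ip, s in stats.items():
        flagged = s["failed"] >= threshold
        report[ip] = {"failed": s["failed"], "distinct_users": len(s["users"]),
                      "accepted": s["accepted"], "brute_force": flagged,
                      "success_from_flagged_ip": flagged and bool(s["accepted"])}
    return report

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

On a real host, pass the contents of /var/log/auth.log (or the output of `journalctl -u ssh`) instead of the sample; a `success_from_flagged_ip` hit is the scenario in which the endpoint agent's post-login monitoring matters most.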