SSH Detection Dashboard

by Michael Willison
July 18, 2014

This dashboard provides information on SSH remote access vulnerabilities, exploits, and network traffic flow. SSH (Secure Shell) is used on *nix, Mac OS, and Windows systems to remotely manage other devices on the network. The SSH protocol often has vulnerabilities linked to other open source software. For example, OpenSSH v1 is affected by the Heartbleed vulnerability (CVE-2014-0160). While analyzing risks on the network, the IT team detects and mitigates SSH vulnerabilities, which results in a more secure server infrastructure. The dashboard's six components help IT teams track SSH vulnerabilities, exploits, and SSH network traffic flow.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category "Discovery & Detection", and then selecting tags SSH and inbound. The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • PVS 4.0.2

Listed below are the included components:

  • SSH Detection - Vulnerabilities by IP Address: This component provides a table of the top 20 SSH vulnerable systems. The table is sorted by vulnerability weight score. The columns displayed are IP Address, OS, Score, and one column per vulnerability severity (info, low, medium, high, and critical). Each severity column shows the total vulnerability count for that severity.
  • SSH Detection - Directional Events: This component provides a table of SSH network traffic directional flow by 8 event types. The event types used are Intrusion, Login, Logout, Failed Login, Connection, Continuous, Networks, and Errors. SecurityCenter defines network traffic flow as internal, inbound, and outbound. Understanding SSH traffic patterns gives IT security teams a better view of SSH usage within the network. The Total Event Types column displays a count of all of the respective events, while the remaining three columns show the percentage of events according to directional flow.
  • SSH Detection - Normalized Events: This component displays normalized events from SecurityCenter over the past seven days. The fields displayed are: normalized event name, total events, and a trend graph for events collected over the past 7 days.
  • SSH Detection - Vulnerability with Exploits by Severities: This component displays the top exploitable SSH vulnerabilities for both servers and clients. The table columns are: vulnerability name, family, severity, and total vulnerabilities, sorted by severity level.
  • SSH Detection - Total Number of Events per Day over 7 Days: This component displays the total number of SSH events per day over a 7 day period. Any increase or decrease in SSH events indicates a change in normal SSH activity.
  • SSH Detection - SSH Network Traffic Directional Event Trending: This component displays SSH network traffic directional event trending over 25 days. The traffic flow is represented using the directional filters internal, inbound, and outbound. Monitoring for inbound and outbound SSH traffic will vary based on the network configuration. Network administrators should review network traffic trends to determine whether traffic is following normal usage patterns.
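The Directional Events component above classifies each SSH event as internal, inbound, or outbound and reports a total per event type plus the percentage in each direction. The following Python script is an added example, not part of the dashboard or of SecurityCenter, that builds the same table from constructed SSH events; the internal address ranges and the sample events are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address space for this example (adjust to your own network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events (event_type, source_ip, destination_ip); not real log data.
SAMPLE_EVENTS = [
    ("Login", "10.0.1.5", "10.0.2.9"),
    ("Login", "203.0.113.7", "10.0.2.9"),
    ("Failed Login", "198.51.100.4", "10.0.2.9"),
    ("Failed Login", "198.51.100.4", "10.0.2.9"),
    ("Failed Login", "10.0.1.5", "10.0.2.9"),
    ("Connection", "10.0.3.3", "203.0.113.20"),
    ("Logout", "10.0.1.5", "10.0.2.9"),
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def direction(src, dst):
    """Classify a flow the way the dashboard groups it: internal, inbound, outbound."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"  # neither side is ours; falls outside the three dashboard columns

def directional_table(events):
    """Return {event_type: {"total": n, "internal": pct, "inbound": pct, "outbound": pct}}."""
    counts = defaultdict(Counter)
    for etype, src, dst in events:
        counts[etype][direction(src, dst)] += 1
    table = {}
    for etype, c in counts.items():
        total = sum(c.values())
        row = {"total": total}
        for d in ("internal", "inbound", "outbound"):
            row[d] = round(100.0 * c[d] / total, 1)
        table[etype] = row
    return table

if __name__ == "__main__":
    for etype, row in directional_table(SAMPLE_EVENTS).items():
        print(f"{etype:14} total={row['total']:3} internal={row['internal']:5.1f}% "
              f"inbound={row['inbound']:5.1f}% outbound={row['outbound']:5.1f}%")
```

A run of failed logins whose inbound percentage jumps relative to the previous days is the kind of shift the trending components are meant to surface.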