ssh attack

Question

i have one SSH vip that has been getting attacks from different IPs with admin, root, and some other  IDs but wrong password. Is there a way to block this,
  Thank you for your help.&nbsp;

vernonwells · Answer

You can block source IP addresses, but you cannot, at the BIG-IP, block by user.  BIG-IP does not perform ssh offloading, and as such, cannot read the username (which is encrypted).&nbsp;

mikegray_198028 · Answer

Is there any irule to prevent the same?&nbsp;

vernonwells · Answer

Unhappily, no. Again, the problem is that ssh starts with a handshake, after which all following data are encrypted. The encrypted stream includes authentication material (including username and password). The BIG-IP cannot read the encrypted stream because it is effectively a "man-in-the-middle".

gabe_31218 · Answer

Vernon's right, since ssh is encrypted so you can't do much about the traffic.
But there are things you can do to minimize the attack surface :)
You can work on blocking source IP by geographic locations.
The following URL will be a good start:
https://devcentral.f5.com/wiki/iRules.whereis.ashx&nbsp;
Cheers,
Gabe&nbsp;

Forum Discussion

ssh attack

4 Replies

ICYMI - Steve Wozniak at AppWorld 2026

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Connections appear not to use Persistence

LB Connection Limit Detection Method

Partially reachabilty issues with VS in F5OS tenant

Forward proxy with SSL passthrough - SWG license required?

Need step-by-step guidance for migrating BIG-IP i2800 WAF to rSeries (UCS restore vs clean build)

Related Content

SSH Brute Force Protection with SSH Proxy

Post-Quantum Cryptography, OpenSSH, & s1ngularity supply chain attack

F5 Distributed Cloud L7 DoS Attack Mitigation Roundup

November Security Research Update: Newly Released Attack Signatures

The HTTP/2 CONTINUATION frame attack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS