# sshbrute\_external\_internal

**Explanation**

This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specifically looks for activity from the Internet toward Internet-facing SSH servers on your network.

**What to Look For**

Brute force attacks on SSH servers that are open to the Internet are quite commonplace, as many attackers scan the Internet for these endpoints. Ensure that strong passwords and/or multi-factor authentication are in use to prevent successful attacks. Check network logs for additional information and review endpoint security to ensure that sensitive information is secure.
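One way to follow up on this event from the targeted server's own authentication log is to count failed logins per external source and check whether any of those sources later logged in successfully. This is an added example, not Netography's detection logic or code from this page. It assumes OpenSSH `sshd` syslog lines, RFC 1918 ranges as the internal address space, a threshold of 5 failures, and hypothetical names (`review_ssh_sources`, `is_external`).

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: these ranges are "internal"; replace with your own address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# OpenSSH sshd authentication result lines, e.g.
# "Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2"
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # source logged as something other than an IP literal
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def review_ssh_sources(log_text, threshold=5):
    """Map each external source with >= threshold failed logins to a finding."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or not is_external(m["ip"]):
            continue  # unrelated line, or internal source (outside this event's scope)
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                findings.setdefault(ip, "brute_force")
        elif failures[ip] >= threshold:
            # A successful login after repeated failures: review this host first.
            findings[ip] = "login_after_brute_force"
    return findings

def _sample(result, ip, n):
    # Constructed lines in sshd syslog format (documentation addresses, not real data).
    return [f"Jan 10 03:14:{i:02d} bastion sshd[2101]: {result} password for root "
            f"from {ip} port {40000 + i} ssh2" for i in range(n)]

SAMPLE_LOG = "\n".join(
    _sample("Failed", "203.0.113.7", 5) + _sample("Accepted", "203.0.113.7", 1)
    + _sample("Failed", "198.51.100.23", 6) + _sample("Failed", "192.0.2.44", 2)
    + _sample("Failed", "10.0.0.5", 6))
```

Sources are evaluated in the order lines appear in the log, so feed the file in chronological order.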

**Related MITRE ATT\&CK Categories**

[Credential Access: Brute Force, Technique T1110 - Enterprise](https://attack.mitre.org/techniques/T1110)

[Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise](https://attack.mitre.org/techniques/T1133)
