Understanding Risk Scores
SSHwatch assigns risk scores to every SSH event to help you quickly identify potential security threats. This guide explains how these scores are calculated and what they mean.
Risk Score Components
Each SSH event is evaluated based on multiple factors:
IP Address Analysis
- Previous activity history
- Known malicious IP lists
- Geographic location and routing
- ISP and network type
Authentication Patterns
- Success or failure status
- Username attempted
- Authentication method used
- Time of attempt
Server Context
- Historical access patterns
- Normal operating hours
- Usual geographic locations
- Typical user patterns
Risk Score Scale
Risk scores range from 0 to 100:
0-30: LOW_RISK
- Normal, expected activity
- Known IP addresses
- Regular users and times
- Standard authentication methods
31-70: MEDIUM_RISK
- Unusual but not necessarily malicious
- New IP addresses
- Off-hours access
- Non-standard ports
71-100: HIGH_RISK
- Likely malicious activity
- Known bad IP addresses
- Brute force attempts
- Root access attempts from unknown sources
Understanding Risk Reasons
Each high-risk event includes specific reasons for its score. Common reasons include:
- "Multiple failed attempts from IP"
- "Access attempt from known malicious IP"
- "Unusual geographic location"
- "Root login attempt from unknown IP"
- "Brute force pattern detected"
- "Off-hours access attempt"
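To make the components, the 0-100 scale and the reasons above concrete, here is a small scorer written for this guide. It is an added illustration, not SSHwatch's own code or algorithm: the band thresholds (30/70) and reason strings come from this page, while the per-factor weights, the known-IP and malicious-IP sets, the business-hours window, the brute-force threshold and the sample sshd log lines are all constructed assumptions.

```python
"""
Toy SSH risk scorer (added example, not SSHwatch's own implementation).

It reads OpenSSH-style auth lines, evaluates a few of the factors listed on
this page (malicious IP, new IP, repeated failures, root from unknown IP,
off-hours), sums assumed weights into a 0-100 score and maps the score onto
the LOW / MEDIUM / HIGH bands the page defines.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd's syslog format; none of these are real events.
SAMPLE_LOG = """\
Mar 12 03:14:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:05 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:07 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 09:30:12 bastion sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2
Mar 12 22:45:40 bastion sshd[2412]: Accepted password for alice from 198.51.100.23 port 2222 ssh2
"""

# Assumed server context: IPs seen before, a blocklist, and normal operating hours.
KNOWN_IPS = {"192.0.2.10"}
MALICIOUS_IPS = {"203.0.113.7"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local, assumed "normal operating hours"
BRUTE_FORCE_THRESHOLD = 3       # failures from one IP before the brute-force reason fires

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_events(text):
    """Turn raw sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["hour"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").hour
        events.append(ev)
    return events


def score_event(ev, failures_by_ip):
    """Return (score, reasons) for one event. Weights are this example's assumptions."""
    score, reasons = 0, []
    ip = ev["ip"]
    if ip in MALICIOUS_IPS:
        score += 50
        reasons.append("Access attempt from known malicious IP")
    elif ip not in KNOWN_IPS:
        score += 20
        reasons.append("New IP address")
    # Failure counts are kept per source IP across the whole log window.
    if failures_by_ip[ip] >= BRUTE_FORCE_THRESHOLD:
        score += 30
        reasons.append("Brute force pattern detected")
    elif failures_by_ip[ip] > 1:
        score += 15
        reasons.append("Multiple failed attempts from IP")
    if ev["user"] == "root" and ip not in KNOWN_IPS:
        score += 25
        reasons.append("Root login attempt from unknown IP")
    if ev["hour"] not in BUSINESS_HOURS:
        score += 15
        reasons.append("Off-hours access attempt")
    return min(score, 100), reasons


def classify(score):
    """Map a 0-100 score onto the bands defined on this page."""
    if score <= 30:
        return "LOW_RISK"
    if score <= 70:
        return "MEDIUM_RISK"
    return "HIGH_RISK"


def analyze(text):
    """Score every event in order, updating the per-IP failure history as we go."""
    failures = defaultdict(int)
    results = []
    for ev in parse_events(text):
        if ev["status"] == "Failed":
            failures[ev["ip"]] += 1
        score, reasons = score_event(ev, failures)
        results.append({"ip": ev["ip"], "user": ev["user"], "score": score,
                        "level": classify(score), "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f'{r["score"]:>3} {r["level"]:<12} {r["user"]}@{r["ip"]} {r["reasons"]}')
```

Running it on the constructed log gives the three bands side by side: the repeated root failures from the blocklisted address score 90 and then 100 (HIGH_RISK, with the brute-force reason appearing once the third failure lands), the daytime key login from a known address scores 0 (LOW_RISK), and the late-evening password login from a never-seen address scores 35 (MEDIUM_RISK, "unusual but not necessarily malicious"). Note that the `port` field in sshd's log line is the client's source port, so it is deliberately not used as a "non-standard port" signal here.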
Risk Score Usage
The risk score system helps you:
- Prioritize security events
- Automate responses through alerts
- Track security trends
- Identify attack patterns
- Focus investigation efforts