Mailing List Archive: nsp: juniper

SSH access and not working firewall policy


robhass at gmail
Aug 12, 2012, 12:07 PM
Post #1 of 5
SSH access and not working firewall policy

Hi

I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I
still see brute-force attacks on my SSH in the log messages.

I tested the policy from hosts not in the MGMT ACL - I cannot connect
to SSH, so how can these attackers connect to my SSH?
Any hints? Maybe I also have to filter more ports?

Rob

My configuration:

lo0 {
    unit 0 {
        family inet {
            no-redirects;
            primary;
            filter {
                input RE;
            }
            address 10.0.0.1/32;
        }
    }
}
policy-options {
    prefix-list MGMT {
        10.3.0.0/24;
        10.4.0.0/24;
    }
}
filter RE {
    term cli_permit {
        from {
            prefix-list {
                MGMT;
            }
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_permit;
            accept;
        }
    }
    term cli_deny {
        from {
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_deny;
            log;
            discard;
        }
    }
    term default_action {
        then accept;
    }
}
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


george at montco
Aug 12, 2012, 3:25 PM
Post #2 of 5
Re: SSH access and not working firewall policy

On Aug 12, 2012, at 3:07 PM, Robert Hass <robhass [at] gmail> wrote:

> Hi
>
> I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I
> still see brute-force attacks on my SSH in the log messages.
>
> I tested the policy from hosts not in the MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
>
> Rob
>
> [...]


For some reason (I have to admit I forget exactly why) I ended up doing it this way on 9.6; not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey




juniperdude at gmail
Aug 12, 2012, 9:34 PM
Post #3 of 5
Re: SSH access and not working firewall policy

One possibility - they're coming from inside your own network =)

What are the source IPs on the attempts, and what device is this (EX? MX? J? QFabric?)

- CK.

On 2012-08-13, at 5:07 AM, Robert Hass wrote:

> Hi
>
> I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I
> still see brute-force attacks on my SSH in the log messages.
>
> .....




robhass at gmail
Aug 13, 2012, 12:24 AM
Post #4 of 5
Re: SSH access and not working firewall policy

On Mon, Aug 13, 2012 at 6:34 AM, Chris Kawchuk <juniperdude [at] gmail> wrote:
> One possibility - They're coming from inside your own network =)
>
> Whats the source IPs on the attempts, and what device is this (EX? MX? J? QFabric?)

Platform is MX.

The source IPs are, for example, from China, so not at all my inside network
- but it makes no difference to me whether the packets come from the inside or
the outside part of the network. These source IPs are not in the MGMT prefix-list.

Rob


robhass at gmail
Aug 13, 2012, 12:29 AM
Post #5 of 5
Re: SSH access and not working firewall policy

On Sun, Aug 12, 2012 at 10:46 PM, Alex Arseniev <alex.arseniev [at] gmail> wrote:
> Try this:
>
> from {
>     source-prefix-list { ### <=== must be source
[...]
>
> "prefix-list" checks whether either the dst IP or the src IP of the incoming packet matches.
> If your box's interface IP is in the MGMT prefix-list, then every SSH brute-force
> attempt is a match, since it most likely targets your interface IP.

Hi Alex
Thanks. This was it!

Now the ACL works perfectly.

Rob
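To make the mechanism Alex describes concrete (and to compare it with George's `except` form above), here is an added toy evaluator in Python. It is not code from the thread, from Juniper or from any of the posters; it models only the match semantics the thread states: `prefix-list` matches when either the source or the destination address is in the list, `source-prefix-list` matches the source only, and `source-prefix-list ... except` inverts that source match. The attacker address 203.0.113.7 and the 10.3.0.1 interface address are assumptions made for the example; the MGMT list and the term layout follow Rob's posted filter.

```python
"""Toy model of Junos RE-filter term matching for the keywords in this thread.

Added illustration only: it implements the semantics stated in the thread,
not the real Junos matcher. Addresses 203.0.113.7 and 10.3.0.1 are constructed.
"""
from ipaddress import ip_address, ip_network

MGMT = [ip_network("10.3.0.0/24"), ip_network("10.4.0.0/24")]
SSH, TELNET = 22, 23


def in_list(addr, prefixes):
    return any(ip_address(addr) in p for p in prefixes)


def term_matches(term, pkt):
    """Evaluate one term's `from` clause; conditions are ANDed, no `from` matches all."""
    f = term.get("from", {})
    if "protocol" in f and pkt["proto"] != f["protocol"]:
        return False
    if "destination-port" in f and pkt["dport"] not in f["destination-port"]:
        return False
    if "prefix-list" in f:  # Rob's original keyword: source OR destination in the list
        if not (in_list(pkt["src"], f["prefix-list"]) or in_list(pkt["dst"], f["prefix-list"])):
            return False
    if "source-prefix-list" in f:  # Alex's fix: source only
        if not in_list(pkt["src"], f["source-prefix-list"]):
            return False
    if "source-prefix-list-except" in f:  # George's variant: source NOT in the list
        if in_list(pkt["src"], f["source-prefix-list-except"]):
            return False
    return True


def evaluate(terms, pkt):
    """First matching term wins; a packet that matches no term hits the implicit discard."""
    for _name, term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"


def cli_filter(list_keyword):
    """Rob's RE filter, with the list keyword of cli_permit parameterised."""
    return [
        ("cli_permit", {"from": {list_keyword: MGMT, "protocol": "tcp",
                                 "destination-port": {TELNET, SSH}},
                        "then": "accept"}),
        ("cli_deny", {"from": {"protocol": "tcp", "destination-port": {TELNET, SSH}},
                      "then": "discard"}),
        ("default_action", {"then": "accept"}),
    ]


RE_ORIGINAL = cli_filter("prefix-list")        # as posted in the question
RE_FIXED = cli_filter("source-prefix-list")    # Alex's correction

# George's style: deny SSH from any source outside the trusted list. His post
# shows only that term; the trailing accept is an assumption added so the two
# styles can be compared on the same packets.
PROTECT_ROUTER = [
    ("10-ssh", {"from": {"source-prefix-list-except": MGMT, "protocol": "tcp",
                         "destination-port": {SSH}},
                "then": "discard"}),
    ("default_action", {"then": "accept"}),
]

# Constructed packets. The lo0 filter sees every packet addressed to the RE,
# whichever interface address it targets, so an attacker can aim at a physical
# interface address that falls inside the MGMT range (10.3.0.1 assumed here).
PACKETS = {
    "attack_to_mgmt_if": {"src": "203.0.113.7", "dst": "10.3.0.1", "proto": "tcp", "dport": SSH},
    "attack_to_lo0":     {"src": "203.0.113.7", "dst": "10.0.0.1", "proto": "tcp", "dport": SSH},
    "admin_ssh":         {"src": "10.3.0.50",   "dst": "10.0.0.1", "proto": "tcp", "dport": SSH},
    "bgp_peer":          {"src": "203.0.113.7", "dst": "10.0.0.1", "proto": "tcp", "dport": 179},
}


def verdicts(terms):
    """Action each constructed packet receives under the given filter."""
    return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, terms in [("original", RE_ORIGINAL), ("fixed", RE_FIXED), ("george", PROTECT_ROUTER)]:
        print(label, verdicts(terms))
```

The line that matters is attack_to_mgmt_if: with `prefix-list`, an SSH SYN from 203.0.113.7 to an interface address inside 10.3.0.0/24 matches cli_permit on its destination and is accepted, while both `source-prefix-list` and the `except` form discard it; the other packets get the same verdict under all three filters. On the box itself, `show firewall filter RE` shows the cli_permit and cli_deny counters, so a cli_permit count that keeps climbing while nobody from MGMT is logged in is the quick check that the wrong keyword is in use.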
