If you're stuck with password-based login (rather than SSH keys), leave yourself one go at missing your password, then increase the backoff-factor up to 10 to put a 10-second wait for guess number 3:
set system services ssh root-login deny set system login retry-options backoff-threshold 2 set system login retry-options backoff-factor 10 It won't stop a bot, but it will slow it down a bit. Phil - while you're at it with Junos enhancements - any chance of giving us a set system services ssh port <1024-65535> Yes it's security through obscurity, but it's also low hanging fruit.. Failing that, there is a: set system login deny-sources maybe an "allow-sources" might be a bit more useful in this instance? Less sophisticated users tend to shoot themselves in the foot with firewall filters quite regularly. Ben On 27 Feb 2014, at 8:21 am, Harri Makela <harri_mak...@yahoo.com> wrote: > Hi There > > I am constantly getting these log messages for last few days:- > > sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2 > sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank > you for playing > > > Are these indicating any brute-force attack ?Thanks > HM > > > > > On Wednesday, 26 February 2014, 21:15, "juniper-nsp-requ...@puck.nether.net" > <juniper-nsp-requ...@puck.nether.net> wrote: > > Send juniper-nsp mailing list submissions to > juniper-nsp@puck.nether.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://puck.nether.net/mailman/listinfo/juniper-nsp > or, via email, send a message with subject or body 'help' to > juniper-nsp-requ...@puck.nether.net > > You can reach the person managing the list at > juniper-nsp-ow...@puck.nether.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of juniper-nsp digest..." > > > Today's Topics: > > 1. Re: proposed changes to "clear bgp neighbor" (ryanL) > 2. Re: proposed changes to "clear bgp neighbor" (Phil Shafer) > 3. Re: proposed changes to "clear bgp neighbor" (Eric Van Tol) > 4. Re: proposed changes to "clear bgp neighbor" (Jerry Dent) > 5. Re: proposed changes to "clear bgp neighbor" (Brent Sweeny) > 6. Re: proposed changes to "clear bgp neighbor" > (Fernando Garcia Fernandez) > 7. Re: proposed changes to "clear bgp neighbor" (ryanL) > 8. Re: proposed changes to "clear bgp neighbor" > (Jonas Frey (Probe Networks)) > 9. Re: proposed changes to "clear bgp neighbor" (sth...@nethelp.no) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 26 Feb 2014 12:22:51 -0500 > From: ryanL <ryan.lan...@gmail.com> > To: p...@juniper.net > Cc: Juniper for Network Service Providers > <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: > <cak_-tsayrdjhuatsnbokn2nrkcrjjgb3zwtr_cljizkuxcx...@mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > it's a nice-to-have, maybe? but this sounds more like an opportunity for > you to sell some JNCIA courses. i mean, how long has junos been around now? > > > On Wed, Feb 26, 2014 at 10:36 AM, Phil Shafer <p...@juniper.net> wrote: > >> Juniper users, >> >> We've been asked to make a change the "clear bgp neighbor" command >> to make the neighbor or "all" argument mandatory. The root cause >> is the severe impact of "clear bgp neighbor" and the increasing >> accidental use of this command without a specific neighbor. >> >> In general, we avoid changing commands to add mandatory arguments, >> but my feeling is that the impact and severity of this specific >> command makes this an acceptable occasion for such a change. >> >> I'm looking for feedback about this change. My working assumption >> is that "clear bgp neighbor" is a sufficiently rare command and >> would not be used in automation/scripts, so the impact of making >> the neighbor/all argument mandatory would be minimal. Is this >> assumption accurate? >> >> Thanks, >> Phil >> >> [I've set reply-to to myself to avoid impacting the list] >> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > > > ------------------------------ > > Message: 2 > Date: Wed, 26 Feb 2014 13:44:42 -0500 > From: Phil Shafer <p...@juniper.net> > To: ryanL <ryan.lan...@gmail.com> > Cc: Juniper for Network Service Providers > <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: <201402261844.s1qiiggl031...@idle.juniper.net> > Content-Type: text/plain > > ryanL writes: >> it's a nice-to-have, maybe? but this sounds more like an opportunity for >> you to sell some JNCIA courses. i mean, how long has junos been around now? > > Not selling anything; just trying to solve a problem multiple > customers have reported and escalated. I'm a software developer, > working on the UI code (CLI, MGD, configuration, XML API, scripting) > for 17+ years. > > JUNOS 3.0 (the first release with the ui code) shipped during the > summer of 1998, IIRC. > > Thanks, > Phil > > > > ------------------------------ > > Message: 3 > Date: Wed, 26 Feb 2014 14:24:21 -0500 > From: Eric Van Tol <e...@atlantech.net> > To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: > <2C05E949E19A9146AF7BDF9D44085B865F70CC1FB1@exchange.aoihq.local> > Content-Type: text/plain; charset="us-ascii" > >> it's a nice-to-have, maybe? but this sounds more like an opportunity for >> you to sell some JNCIA courses. i mean, how long has junos been around >> now? > > Confusing comment, since this enhancement isn't about CLI inexperience. It > doesn't matter how long Junos has been around or how experienced someone is, > it's still too incredibly easy to hit 'Enter' too soon and clear all your BGP > neighbors by accident. > > I don't see a problem with adding the requirement 'all'. > > -evt > > > > ------------------------------ > > Message: 4 > Date: Wed, 26 Feb 2014 13:29:18 -0600 > From: Jerry Dent <effinjd...@gmail.com> > To: Eric Van Tol <e...@atlantech.net> > Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: > <CADUFW=wkyvha1jlwjjrwqkhlrootrpaggrwqtzw_vjlai33...@mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Just add a line "Reset all bgp sessions? [Y/N]" for confirmation. > > > On Wed, Feb 26, 2014 at 1:24 PM, Eric Van Tol <e...@atlantech.net> wrote: > >>> it's a nice-to-have, maybe? but this sounds more like an opportunity for >>> you to sell some JNCIA courses. i mean, how long has junos been around >>> now? >> >> Confusing comment, since this enhancement isn't about CLI inexperience. >> It doesn't matter how long Junos has been around or how experienced >> someone is, it's still too incredibly easy to hit 'Enter' too soon and >> clear all your BGP neighbors by accident. >> >> I don't see a problem with adding the requirement 'all'. >> >> -evt >> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > > > ------------------------------ > > Message: 5 > Date: Wed, 26 Feb 2014 11:04:54 -0800 > From: Brent Sweeny <swe...@indiana.edu> > To: p...@juniper.net, Juniper for Network Service Providers > <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: <530e3ad6.2010...@indiana.edu> > Content-Type: text/plain; charset=ISO-8859-1 > > Phil, I think what you propose sounds like a reasonable and > appropriately-scoped response to a real problem. > Brent Sweeny > Indiana University > > On 2/26/2014 7:36 AM, Phil Shafer wrote: >> Juniper users, >> >> We've been asked to make a change the "clear bgp neighbor" command >> to make the neighbor or "all" argument mandatory. The root cause >> is the severe impact of "clear bgp neighbor" and the increasing >> accidental use of this command without a specific neighbor. >> >> In general, we avoid changing commands to add mandatory arguments, >> but my feeling is that the impact and severity of this specific >> command makes this an acceptable occasion for such a change. >> >> I'm looking for feedback about this change. My working assumption >> is that "clear bgp neighbor" is a sufficiently rare command and >> would not be used in automation/scripts, so the impact of making >> the neighbor/all argument mandatory would be minimal. Is this >> assumption accurate? >> >> Thanks, >> Phil >> >> [I've set reply-to to myself to avoid impacting the list] >> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > > > ------------------------------ > > Message: 6 > Date: Wed, 26 Feb 2014 21:04:54 +0100 > From: Fernando Garcia Fernandez <lis...@cutre.net> > To: Eric Van Tol <e...@atlantech.net> > Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: <ca92bfd8-e457-4aee-8fd7-c0771fcd9...@cutre.net> > Content-Type: text/plain; charset=windows-1252 > > +1 to include the ?all? option. > > In fact, coming from the IOS world, it amused me when I discovered that there > was no ?*? or ?all? option to clear all neighbors. > > > El 26/02/2014, a las 20:24, Eric Van Tol <e...@atlantech.net> escribi?: > >>> it's a nice-to-have, maybe? but this sounds more like an opportunity for >>> you to sell some JNCIA courses. i mean, how long has junos been around >>> now? >> >> Confusing comment, since this enhancement isn't about CLI inexperience. It >> doesn't matter how long Junos has been around or how experienced someone is, >> it's still too incredibly easy to hit 'Enter' too soon and clear all your >> BGP neighbors by accident. >> >> I don't see a problem with adding the requirement 'all'. >> >> -evt >> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp > > > > > ------------------------------ > > Message: 7 > Date: Wed, 26 Feb 2014 14:25:00 -0500 > From: ryanL <ryan.lan...@gmail.com> > To: Phil Shafer <p...@juniper.net> > Cc: Juniper for Network Service Providers > <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: > <cak_-tsajcgxr6n3-aq7w6frmz61fh+w8y30x0fhkzslzy8e...@mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > yeah, i'm not slagging. just seems like poor training for newbie noc > engineers or something. this is a pretty rookie error, in my view, but i've > been around almost as long as you have ;-) > > > On Wed, Feb 26, 2014 at 1:44 PM, Phil Shafer <p...@juniper.net> wrote: > >> ryanL writes: >>> it's a nice-to-have, maybe? but this sounds more like an opportunity for >>> you to sell some JNCIA courses. i mean, how long has junos been around >> now? >> >> Not selling anything; just trying to solve a problem multiple >> customers have reported and escalated. I'm a software developer, >> working on the UI code (CLI, MGD, configuration, XML API, scripting) >> for 17+ years. >> >> JUNOS 3.0 (the first release with the ui code) shipped during the >> summer of 1998, IIRC. >> >> Thanks, >> Phil >> >> > > > ------------------------------ > > Message: 8 > Date: Wed, 26 Feb 2014 21:37:20 +0100 > From: "Jonas Frey (Probe Networks)" <j...@probe-networks.de> > To: p...@juniper.net > Cc: Juniper for Network Service Providers > <juniper-nsp@puck.nether.net> > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: <1393447040.4974.178.camel@wks02> > Content-Type: text/plain; charset="utf-8" > > +1 for the "all" requirement > > Am Mittwoch, den 26.02.2014, 10:36 -0500 schrieb Phil Shafer: >> Juniper users, >> >> We've been asked to make a change the "clear bgp neighbor" command >> to make the neighbor or "all" argument mandatory. The root cause >> is the severe impact of "clear bgp neighbor" and the increasing >> accidental use of this command without a specific neighbor. >> >> In general, we avoid changing commands to add mandatory arguments, >> but my feeling is that the impact and severity of this specific >> command makes this an acceptable occasion for such a change. >> >> I'm looking for feedback about this change. My working assumption >> is that "clear bgp neighbor" is a sufficiently rare command and >> would not be used in automation/scripts, so the impact of making >> the neighbor/all argument mandatory would be minimal. Is this >> assumption accurate? >> >> Thanks, >> Phil >> >> [I've set reply-to to myself to avoid impacting the list] >> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 198 bytes > Desc: This is a digitally signed message part > URL: > <https://puck.nether.net/pipermail/juniper-nsp/attachments/20140226/ad7a1719/attachment-0001.sig> > > ------------------------------ > > Message: 9 > Date: Wed, 26 Feb 2014 22:10:50 +0100 (CET) > From: sth...@nethelp.no > To: p...@juniper.net > Cc: juniper-nsp@puck.nether.net > Subject: Re: [j-nsp] proposed changes to "clear bgp neighbor" > Message-ID: <20140226.221050.71112673.sth...@nethelp.no> > Content-Type: Text/Plain; charset=us-ascii > >> We've been asked to make a change the "clear bgp neighbor" command >> to make the neighbor or "all" argument mandatory. The root cause >> is the severe impact of "clear bgp neighbor" and the increasing >> accidental use of this command without a specific neighbor. >> >> In general, we avoid changing commands to add mandatory arguments, >> but my feeling is that the impact and severity of this specific >> command makes this an acceptable occasion for such a change. >> >> I'm looking for feedback about this change. My working assumption >> is that "clear bgp neighbor" is a sufficiently rare command and >> would not be used in automation/scripts, so the impact of making >> the neighbor/all argument mandatory would be minimal. Is this >> assumption accurate? > > For us, yes. Fully support the idea of requiring an "all" argument. > > Steinar Haug, AS 2116 > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > juniper-nsp mailing list > juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > > ------------------------------ > > End of juniper-nsp Digest, Vol 135, Issue 29 > ******************************************** > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp