set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
If X.X.X.X/16 includes any interface address of this router, then this
filter is NOT going to stop attacks, no matter where applied.
You should be much more specific in writing the match conditions. Below
is an example:
######## X.X.X.X/16 is the trusted hosts IP block, allowed to SSH _TO_ this router
set firewall family inet filter Access term AllowInboundSSH from source-address X.X.X.X/16
set firewall family inet filter Access term AllowInboundSSH from protocol tcp
set firewall family inet filter Access term AllowInboundSSH from destination-port ssh
set firewall family inet filter Access term AllowInboundSSH then accept
######## Y.Y.Y.Y/16 is another trusted hosts IP block, allowed to be SSHed to _FROM_ this router
set firewall family inet filter Access term AllowOutboundSSHReturn from source-address Y.Y.Y.Y/16
set firewall family inet filter Access term AllowOutboundSSHReturn from protocol tcp
set firewall family inet filter Access term AllowOutboundSSHReturn from tcp-established
set firewall family inet filter Access term AllowOutboundSSHReturn from source-port ssh
set firewall family inet filter Access term AllowOutboundSSHReturn then accept
HTH
Thanks
Alex
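The mismatch Alex describes, worked through in a toy term evaluator (an added example, not from the thread or from Juniper). It models only the match keys used above, with constructed addresses standing in for X.X.X.X/16, Y.Y.Y.Y/16 and the router's own interface, and shows the posted filter accepting an untrusted SSH connection to the router while the direction-specific terms reject it and still let return traffic through.

```python
from ipaddress import ip_address, ip_network
SSH = 22
TRUSTED = "10.10.0.0/16"     # constructed stand-in for X.X.X.X/16 (may SSH to the router)
RETURN_NET = "10.20.0.0/16"  # constructed stand-in for Y.Y.Y.Y/16 (router SSHes to these)
ROUTER_IF = "10.10.1.1"      # constructed: a router interface address inside X.X.X.X/16

def packet(src, dst, sport, dport, ack=False):
    """A TCP packet; 'ack' stands for the flag that makes tcp-established match."""
    return {"src": ip_address(src), "dst": ip_address(dst),
            "sport": sport, "dport": dport, "proto": "tcp", "ack": ack}

def _in_any(addr, prefixes):
    return any(addr in ip_network(p) for p in prefixes)

MATCH = {  # how each 'from' key is tested; 'address' and 'port' match EITHER direction
    "address": lambda v, p: _in_any(p["src"], v) or _in_any(p["dst"], v),
    "source-address": lambda v, p: _in_any(p["src"], v),
    "protocol": lambda v, p: p["proto"] in v,
    "port": lambda v, p: p["sport"] in v or p["dport"] in v,
    "source-port": lambda v, p: p["sport"] in v,
    "destination-port": lambda v, p: p["dport"] in v,
    "tcp-established": lambda v, p: p["ack"],  # ACK (or RST) set, i.e. not an initial SYN
}

def evaluate(terms, p):
    """Action of the first term whose conditions all hold; Junos discards otherwise."""
    for _name, conds, action in terms:
        if all(MATCH[k](v, p) for k, v in conds.items()):
            return action
    return "discard"

# Filter as posted: AllowSSH keys on 'address' and 'port', both direction-agnostic.
ORIGINAL = [
    ("AllowSSH", {"address": [TRUSTED], "protocol": ["tcp"], "port": [SSH]}, "accept"),
    ("DenySSH", {"protocol": ["tcp"], "port": [SSH]}, "reject"),
    ("default-term", {}, "accept"),
]
# Alex's direction-specific terms in place of AllowSSH; DenySSH and default-term kept as posted.
FIXED = [
    ("AllowInboundSSH", {"source-address": [TRUSTED], "protocol": ["tcp"],
                         "destination-port": [SSH]}, "accept"),
    ("AllowOutboundSSHReturn", {"source-address": [RETURN_NET], "protocol": ["tcp"],
                                "tcp-established": [True], "source-port": [SSH]}, "accept"),
    ("DenySSH", {"protocol": ["tcp"], "port": [SSH]}, "reject"),
    ("default-term", {}, "accept"),
]
# Constructed traffic: an untrusted host's SSH SYN to the router; a reply to a router-initiated SSH session.
UNTRUSTED_SYN = packet("203.0.113.5", ROUTER_IF, 40000, SSH)
SSH_REPLY = packet("10.20.3.3", ROUTER_IF, SSH, 50000, ack=True)
```

Because the router's interface sits inside the trusted /16, `evaluate(ORIGINAL, UNTRUSTED_SYN)` returns "accept" (the destination address satisfies `address`), while `evaluate(FIXED, UNTRUSTED_SYN)` falls through to DenySSH.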
On 27/02/2014 12:13, Harri Makela wrote:
Model: j6350
JUNOS Software Release [10.4R4.5]
Following is the current configuration that we have for ssh:-
set system login user xxx authentication ssh-rsa "ssh-rsa AAAAB"
set system services ssh
set security ssh-known-hosts host 10.x.x.x rsa-key
set security ssh-known-hosts host 10.x.x.x rsa-key
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term DenySSH from port ssh
Following firewall filter is in place:-
set interfaces ge-0/0/1 unit 0 family inet filter input Access
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from protocol tcp
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term AllowSSH then accept
set firewall family inet filter Access term DenySSH from protocol tcp
set firewall family inet filter Access term DenySSH from port ssh
set firewall family inet filter Access term DenySSH then reject
set firewall family inet filter Access term default-term then accept
I am now going to add loopback address as well:-
set interfaces lo0 unit 0 family inet filter input Access
The important thing is that all these alerts started when we applied the filter;
maybe something is wrong with the configuration that we have applied.
Following is the vulnerability that we wanted to address:-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612
Thanks all for your detailed response.
On Thursday, 27 February 2014, 7:11, Mark Tinka <mark.ti...@seacom.mu> wrote:
On Thursday, February 27, 2014 01:14:26 AM Rodrigo Augusto wrote:
Protect your RE. Put a filter on your loopback and permit
only your networks to access this port (22).
Yep.
You really shouldn't let your SSH daemon have easy access to
the world.
Mark.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp