The filter the OP posted
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from protocol tcp
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term AllowSSH then accept

- matches the following combo:

( { X.X.X.X/16 source, any destination } OR { any source, X.X.X.X/16 destination} )
AND
( { any src.tcp.port, 22 } OR { 22, any dst.tcp.port} )

Which means that if X.X.X.X/16 includes any local IP address, then any host on internet can send SSH packets to this router.
Hope this makes sense.
HTH
Thanks
Alex

On 27/02/2014 15:10, Andrew Tutten wrote:
Alex,

Can you elaborate on a situation where if you have part of your source address filter on your interface why it won't stop attacks? Is it if SSH traffic is passing through that interface to get to the router? I have had problems with still seeing logins from addresses outside the filter on mine.

Thanks.


On Thu, Feb 27, 2014 at 7:44 AM, Alex Arseniev <arsen...@btinternet.com> wrote:

    set firewall family inet filter Access term AllowSSH from address X.X.X.X/16

    If X.X.X.X/16 includes any interface address of this router, then
    this filter is NOT going to stop attacks, no matter where applied.

    You should be much more specific in writing the match conditions.
    Below is an example:

    ######## X.X.X.X/16 is the trusted hosts IP block, allowed to SSH _TO_ this router
    set firewall family inet filter Access term AllowInboundSSH from source-address X.X.X.X/16
    set firewall family inet filter Access term AllowInboundSSH from protocol tcp
    set firewall family inet filter Access term AllowInboundSSH from destination-port ssh
    set firewall family inet filter Access term AllowInboundSSH then accept

    ######## Y.Y.Y.Y/16 is another trusted hosts IP block, allowed to be SSHed to _FROM_ this router
    set firewall family inet filter Access term AllowOutboundSSHReturn from source-address Y.Y.Y.Y/16
    set firewall family inet filter Access term AllowOutboundSSHReturn from protocol tcp
    set firewall family inet filter Access term AllowOutboundSSHReturn from tcp-established
    set firewall family inet filter Access term AllowOutboundSSHReturn from source-port ssh
    set firewall family inet filter Access term AllowOutboundSSHReturn then accept

    HTH
    Thanks
    Alex


    On 27/02/2014 12:13, Harri Makela wrote:

        Model: j6350
        JUNOS Software Release [10.4R4.5]

        Following is the current configuration that we have for ssh:-


        set system login user xxx authentication ssh-rsa "ssh-rsa AAAAB"
        set system services ssh
        set security ssh-known-hosts host 10.x.x.x rsa-key
        set security ssh-known-hosts host 10.x.x.x rsa-key
        set firewall family inet filter Access term AllowSSH from port ssh
        set firewall family inet filter Access term DenySSH from port ssh

        Following firewall filter is in place:-

        set interfaces ge-0/0/1 unit 0 family inet filter input Access
        set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
        set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
        set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
        set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
        set firewall family inet filter Access term AllowSSH from protocol tcp
        set firewall family inet filter Access term AllowSSH from port ssh
        set firewall family inet filter Access term AllowSSH then accept
        set firewall family inet filter Access term DenySSH from protocol tcp
        set firewall family inet filter Access term DenySSH from port ssh
        set firewall family inet filter Access term DenySSH then reject
        set firewall family inet filter Access term default-term then accept

        I am now going to add loopback address as well:-

        set interfaces lo0 unit 0 family inet filter input Access

        Important thing is that all these alerts started when we
        applied the filter, maybe something is wrong with the
        configuration that we have applied.


        Following is the vulnerability that we wanted to address:-

        http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612

        Thanks all for your detailed response.




        On Thursday, 27 February 2014, 7:11, Mark Tinka <mark.ti...@seacom.mu> wrote:
          On Thursday, February 27, 2014 01:14:26 AM Rodrigo Augusto wrote:

            Protect your RE. Put a filter on your loopback and permit
            only your networks to access this port (22).

        Yep.

        You really shouldn't let your SSH daemon have easy access to
        the world.

        Mark.
        _______________________________________________
        juniper-nsp mailing list juniper-nsp@puck.nether.net
        https://puck.nether.net/mailman/listinfo/juniper-nsp






--
Andrew Tutten
Senior Network Engineer
API Digital Communications Group


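To make Alex's point about `from address` / `from port` matching both directions concrete, here is a small simulator of Junos term matching added to this thread (it is not from the thread, nor from Junos itself). The prefixes, the router address 10.1.2.3 and the packets are constructed stand-ins for X.X.X.X/16 and Y.Y.Y.Y/16, and the hardened filter appends the OP's own DenySSH and default-term after Alex's two terms, which is my assumption about how the terms would be combined.

```python
import ipaddress

# Constructed stand-ins for the thread's X.X.X.X/16 and Y.Y.Y.Y/16; 10.1.2.3
# plays the router's own interface address (it sits inside the trusted block).
TRUSTED_IN = "10.1.0.0/16"    # hosts allowed to SSH _TO_ the router
TRUSTED_OUT = "10.2.0.0/16"   # hosts the router is allowed to SSH _TO_

def _in(prefixes, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def term_matches(conds, pkt):
    """Junos semantics: values of one match type are ORed, different types
    are ANDed; 'address' and 'port' match either direction of the packet."""
    checks = {
        "address": lambda v: _in(v, pkt["src"]) or _in(v, pkt["dst"]),
        "source-address": lambda v: _in(v, pkt["src"]),
        "destination-address": lambda v: _in(v, pkt["dst"]),
        "protocol": lambda v: pkt["proto"] in v,
        "port": lambda v: pkt["sport"] in v or pkt["dport"] in v,
        "source-port": lambda v: pkt["sport"] in v,
        "destination-port": lambda v: pkt["dport"] in v,
        "tcp-established": lambda v: bool(pkt["flags"] & {"ack", "rst"}),
    }
    return all(checks[k](v) for k, v in conds.items())

def evaluate(filt, pkt):
    """First matching term decides; a packet matching no term hits the implicit discard."""
    for _name, conds, action in filt:
        if term_matches(conds, pkt):
            return action
    return "discard"

# The OP's filter as posted; its four 'from address' lines collapse to one OR list.
OP_FILTER = [
    ("AllowSSH", {"address": [TRUSTED_IN], "protocol": ["tcp"], "port": [22]}, "accept"),
    ("DenySSH", {"protocol": ["tcp"], "port": [22]}, "reject"),
    ("default-term", {}, "accept"),
]
# Alex's two terms, followed by the OP's own DenySSH/default-term (an assumption).
HARDENED = [
    ("AllowInboundSSH", {"source-address": [TRUSTED_IN], "protocol": ["tcp"],
                         "destination-port": [22]}, "accept"),
    ("AllowOutboundSSHReturn", {"source-address": [TRUSTED_OUT], "protocol": ["tcp"],
                                "tcp-established": True, "source-port": [22]}, "accept"),
    ("DenySSH", {"protocol": ["tcp"], "port": [22]}, "reject"),
    ("default-term", {}, "accept"),
]
# Constructed: an arbitrary Internet host opening SSH to the router's own address.
OUTSIDE_SYN = {"src": "203.0.113.9", "dst": "10.1.2.3", "proto": "tcp",
               "sport": 51000, "dport": 22, "flags": {"syn"}}
```

`evaluate(OP_FILTER, OUTSIDE_SYN)` returns "accept" because the router's own address satisfies `from address` as the destination and 22 satisfies `from port` as the destination port, whereas `evaluate(HARDENED, OUTSIDE_SYN)` falls through to DenySSH and returns "reject".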
