Re: [j-nsp] SSH access and not working firewall policy
One possibility - they're coming from inside your own network =)

What are the source IPs on the attempts, and what device is this (EX? MX? J? QFabric?)

- CK.

On 2012-08-13, at 5:07 AM, Robert Hass wrote:

> Hi
>
> I have Juniper running 10.4R7 with RE filter applied to lo.0 but I
> still see bruteforce attacks to my SSH in log messages.
>

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SSH access and not working firewall policy
On Aug 12, 2012, at 3:07 PM, Robert Hass wrote:

> Hi
>
> I have Juniper running 10.4R7 with RE filter applied to lo.0 but I
> still see bruteforce attacks to my SSH in log messages.
>
> I tested policy from hosts not existing in MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
>
> Rob
>
> My configuration:
>
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             primary;
>             filter {
>                 input RE;
>             }
>             address 10.0.0.1/32;
>         }
>     }
> }
> policy-options {
>     prefix-list MGMT {
>         10.3.0.0/24;
>         10.4.0.0/24;
>     }
> }
> filter RE {
>     term cli_permit {
>         from {
>             prefix-list {
>                 MGMT;
>             }
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_permit;
>             accept;
>         }
>     }
>     term cli_deny {
>         from {
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_deny;
>             log;
>             discard;
>         }
>     }
>     term default_action {
>         then accept;
>     }
> }

For some reason (have to admit I forget exactly why) I ended up doing it this way on 9.6, not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey
[j-nsp] SSH access and not working firewall policy
Hi

I have Juniper running 10.4R7 with RE filter applied to lo.0 but I still see bruteforce attacks to my SSH in log messages.

I tested policy from hosts not existing in MGMT ACL - I cannot connect to SSH, so how can these attackers connect to my SSH?
Any hints? Maybe I also have to filter more ports?

Rob

My configuration:

lo0 {
    unit 0 {
        family inet {
            no-redirects;
            primary;
            filter {
                input RE;
            }
            address 10.0.0.1/32;
        }
    }
}
policy-options {
    prefix-list MGMT {
        10.3.0.0/24;
        10.4.0.0/24;
    }
}
filter RE {
    term cli_permit {
        from {
            prefix-list {
                MGMT;
            }
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_permit;
            accept;
        }
    }
    term cli_deny {
        from {
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_deny;
            log;
            discard;
        }
    }
    term default_action {
        then accept;
    }
}
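The following is an added example for this thread, not code from any of the posters: it replays the terms of Robert's filter RE against the source addresses found in sshd log lines, which is the quickest way to answer CK's question about where the attempts come from. Everything in it is an assumption or a construction: the prefix-list and term order are copied from the posted config, the sshd lines are made up in the usual OpenSSH "Failed password ... from <ip> port <n>" format, and the addresses are the posted MGMT prefixes plus documentation ranges.

```python
"""Evaluate the posted lo0 family-inet filter RE against sshd log sources.

Added example for the juniper-nsp thread; not from the original posts.
Prefix-list and terms mirror the posted config; log lines are constructed.
"""

import ipaddress
import re

SSH, TELNET = 22, 23

# prefix-list MGMT from the posted policy-options.
MGMT = [ipaddress.ip_network(p) for p in ("10.3.0.0/24", "10.4.0.0/24")]


def in_prefix_list(src, prefixes):
    """True if src falls inside any prefix of the list (same address family)."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in prefixes)


def evaluate_re_filter(src, proto, dport):
    """Walk filter RE term by term (first match wins) for a packet bound for
    the RE and return (term name, action)."""
    addr = ipaddress.ip_address(src)
    # The filter is applied under family inet only. An IPv6 packet to the RE
    # never touches it, and the posted lo0 has no family inet6 filter at all.
    if addr.version != 4:
        return ("no-inet6-filter", "accept")
    cli_port = proto == "tcp" and dport in (SSH, TELNET)
    if cli_port and in_prefix_list(src, MGMT):
        return ("cli_permit", "accept")      # term cli_permit
    if cli_port:
        return ("cli_deny", "discard")       # term cli_deny: count, log, discard
    return ("default_action", "accept")      # term default_action


# Constructed sshd log lines (OpenSSH format); not from a real device.
SAMPLE_LOG = [
    "Aug 13 04:55:01 router sshd[2231]: Failed password for root from 10.3.0.77 port 51234 ssh2",
    "Aug 13 04:55:03 router sshd[2231]: Failed password for root from 10.3.0.77 port 51235 ssh2",
    "Aug 13 04:55:06 router sshd[2233]: Failed password for invalid user admin from 10.3.0.77 port 51240 ssh2",
    "Aug 13 05:01:12 router sshd[2240]: Failed password for invalid user test from 203.0.113.9 port 40021 ssh2",
    "Aug 13 05:02:40 router sshd[2244]: Failed password for root from 2001:db8::5 port 33012 ssh2",
    "Aug 13 05:03:00 router sshd[2246]: Accepted publickey for ops from 10.4.0.10 port 33020 ssh2",
]

LOG_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def classify_log(lines):
    """Map each source with a failed login to (attempt count, term, action)
    as filter RE would have treated its TCP/22 packets."""
    report = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        try:
            term, action = evaluate_re_filter(src, "tcp", SSH)
        except ValueError:   # sshd logged a hostname, not an address; skip it
            continue
        count = report.get(src, (0, term, action))[0]
        report[src] = (count + 1, term, action)
    return report


def unexplained_sources(report):
    """Sources the filter says it would discard, yet which still reached sshd.
    Any entry here means the packets did not traverse filter RE as written:
    a different ingress family, a different filter in effect, or a source
    that is not what the log suggests."""
    return sorted(src for src, (_, _, action) in report.items() if action == "discard")


if __name__ == "__main__":
    rep = classify_log(SAMPLE_LOG)
    for src, (count, term, action) in sorted(rep.items()):
        print(f"{src:>16}  {count:3d} attempts  -> {term} ({action})")
    print("unexplained:", unexplained_sources(rep))
```

With the constructed lines, the three attempts from 10.3.0.77 are exactly what CK describes: the source sits inside the MGMT prefix-list, so cli_permit lets it through and sshd gets to log the failures. The IPv6 source shows the other gap in the posted config, since a family inet filter never sees inet6 traffic. Only a discard verdict with a matching sshd entry (203.0.113.9 here) points at the filter not being applied as written. One caveat on George's variant: a Junos filter ends in an implicit discard of everything unmatched, which is why Robert's filter carries the final default_action accept term; George's excerpt shows only the discard term and must be relying on other terms that were not posted.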
Re: [j-nsp] How to restart a JUNOS process using Shell and CRONTAB
Looks like it is better to use event-options:

set event-options generate-event TestEvent time-of-day "09:05:00 -0300"
set event-options policy Policy1 events TestEvent
set event-options policy Policy1 then execute-commands commands "run restart firewall"
set event-options policy Policy1 then execute-commands output-filename test1
set event-options policy Policy1 then execute-commands destination local-directory
set event-options destinations local-directory archive-sites /var/tmp/

> Hi everyone,
>
> Does anyone know how to restart a JUNOS process using Shell and CRONTAB?
>
> Do we need to create some kind of shell script to do that?
>
> This seems not to be working for me:
>
> ps -ax | grep dfwd
> 1146 ?? I 0:00.27 /usr/sbin/dfwd -N
>
> kill -s HUP 1146
>
> Does anyone use the CRONTAB for that?
>
> Thanks a lot,
>
> Giuliano
[j-nsp] How to restart a JUNOS process using Shell and CRONTAB
Hi everyone,

Does anyone know how to restart a JUNOS process using Shell and CRONTAB?

Do we need to create some kind of shell script to do that?

This seems not to be working for me:

ps -ax | grep dfwd
1146 ?? I 0:00.27 /usr/sbin/dfwd -N

kill -s HUP 1146

Does anyone use the CRONTAB for that?

Thanks a lot,

Giuliano