Re: [j-nsp] how to disconnect/kill tcp session from juniper router
Alexander Arseniev writes:
> Someone is brute-forcing Your router password, and that is very common
> nowadays. Good loopback filter would prevent this.

Amen to this and all your other points, esp re: avoiding telnet in favor of ssh.

Also you can use "system services ssh no-passwords;" to prevent password use under ssh, but this _requires_ that you have ssh keys installed for every user under [system login user authentication]. You'll still get connections, which can be blocked using filters, but you can sleep better at night knowing that brute force password attacks will fail (after you delete telnet/ftp/etc). Passwords continue to function on the console and for non-ssh protocols.

Thanks,
Phil
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Using multiple sources for flows on Logical Systems
Hello,

What happens if You configure "inline-jflow source-address 2.2.2.2" instead of 1.1.1.1? I bet Your jflow source IP would become 2.2.2.2 and since 2.2.2.2 exists in the LS LAB, your collector can recognise these packets carry tfc stats from LS LAB.

By the same token, You have to have 1 jflow instance per LS.

Or do I miss something here?

Thx
Alex

On 24/11/2016 19:21, Epafras R Schaden wrote:
> Hi Alex,
>
> I tried your suggestion on LAB, but unfortunately it does not work. It appears that the configuration that sets the source-address on the packets outgoing the router to the flow server is the in-line jflow source configuration, and it cannot be configured for each instance.
>
> I'm attaching my configuration to share. If you and other guys have any suggestion I'll be glad to test.
>
> Thanks
> Epafras Schaden
>
> [edit]
> epafras@PE1# show services
> flow-monitoring {
>     version-ipfix {
>         template flow {
>             flow-active-timeout 60;
>             flow-inactive-timeout 30;
>             template-refresh-rate {
>                 seconds 10;
>             }
>             option-refresh-rate {
>                 seconds 10;
>             }
>             ipv4-template;
>         }
>     }
> }
>
> [edit]
> epafras@PE1# show forwarding-options
> sampling {
>     input {
>         rate 1000;
>     }
>     instance {
>         LAB {
>             input {
>                 rate 1000;
>                 run-length 0;
>             }
>             family inet {
>                 output {
>                     flow-inactive-timeout 15;
>                     flow-active-timeout 60;
>                     flow-server 50.0.0.254 {
>                         port 63636;
>                         version-ipfix {
>                             template {
>                                 flow;
>                             }
>                         }
>                     }
>                     inline-jflow {
>                         source-address 1.1.1.1;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> [edit]
> epafras@PE1# show interfaces lo0
> unit 0 {
>     family inet {
>         address 1.1.1.1/32;
>         address 2.2.2.2/32;
>     }
> }
>
> [edit]
> epafras@PE1# top show logical-systems FLOW
> interfaces {
>     ge-0/0/0 {
>         unit 200 {
>             description "LS FLOW - VLAN 200";
>             vlan-id 200;
>             family inet {
>                 sampling {
>                     input;
>                     output;
>                 }
>                 address 200.0.0.254/24;
>             }
>         }
>     }
>     ge-0/0/1 {
>         unit 201 {
>             description "LS FLOW - VLAN 201";
>             vlan-id 201;
>             family inet {
>                 sampling {
>                     input;
>                     output;
>                 }
>                 address 201.0.0.254/24;
>             }
>         }
>     }
>     lo0 {
>         unit 1 {
>             family inet {
>                 address 2.2.2.2/32;
>             }
>         }
>     }
> }
> forwarding-options {
>     sampling {
>         family inet {
>             output {
>                 flow-server 50.0.0.254 {
>                     port 63636;
>                     source-address 2.2.2.2;
>                 }
>             }
>         }
>     }
> }
>
> Results on FLOW SERVER. Flows from traffic passing through L.S. FLOW:
>
> 17:16:15.272367 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.273342 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.273350 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.273352 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.274376 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.274386 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.274389 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.275262 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.275268 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.275271 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.276368 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 190
> 17:16:15.276374 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.276376 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.277367 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.277381 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.278324 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
> 17:16:15.278333 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.279348 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.280349 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
> 17:16:15.281303 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
> 17:16:15.286309 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
> 17:16:15.288257 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
>
> From: Alexander Arseniev
> Date: Wednesday, 23 November 2016 11:06
> To: Epafras R Schaden, J-NSP List
> Subject: Re: [j-nsp] Using multiple sources for flows on Logical Systems
>
>> Hello,
>>
>> Have You tried to duplicate Your LS IP on master system lo0.0, and explicitly set "source-address" for each LS-mapped Jflow instance to be one of these duplicated IPs?
>> If You worry about leaking these IP to Your IGP, then JUNOS has tools to selectively disallow lo0.0 IP into IGP.
>>
>> Thanks
>> Alex
>>
>> On 23/11/2016 11:51, Epafras R Schaden wrote:
>>> Hello All,
>>>
>>> We have an MX480 configured to export IPFIX flows to a server. Now, we have created some Logical Systems on the router to provide something like a "virtual router" to some of our customers on this location. I have now configured some of those instances to export flows to the same flow server, but the objective is to monitor each logical system as a different rout
Re: [j-nsp] how to disconnect/kill tcp session from juniper router
Hi Aaron,

When a telnet session is established, the process is not a telnetd daemon after the process passes to the cli process. You should filter with the grep command looking for "cli". Check my example:

***
tecnologia@MX240-2_LAB-RE0> show system users
12:28PM  up 93 days,  1:45, 6 users, load averages: 0.16, 0.08, 0.02
USER        TTY      FROM           LOGIN@   IDLE   WHAT
tecnologia  d0       -              07Nov16  16days -cli (cli)
tecnologia  p1       10.10.0.240    Wed04PM  19:26  -cli (cli)
tecnologia  p5       10.10.90.2     26Oct16  28days -cli (cli)
tecnologia  pj       10.10.90.2     12:28PM  -      -cli (cli)
tecnologia  qi       10.10.0.240    26Oct16  28days telnet
tecnologia  qn       10.10.0.240    26Oct16  28days -cli (cli)

{master}
tecnologia@MX240-2_LAB-RE0> start shell
%
% ps -aux | grep cli
tecnologia  90751  0.0  0.7  30400  24536  d0  S+    7Nov16   0:04.78 -cli (cli)
tecnologia  67215  0.0  0.7  30384  24336  p1  S+    4:47PM   0:00.34 -cli (cli)
tecnologia  86298  0.0  0.7  30400  24468  p5  S+   26Oct16   0:06.88 -cli (cli)
tecnologia  83579  0.0  0.7  30376  24312  pj  S    12:28PM   0:00.09 -cli (cli)
tecnologia  83599  0.0  0.0   2024    864  pj  R+   12:29PM   0:00.00 grep cli
tecnologia  86010  0.0  0.7  30412  24424  qi  I+   26Oct16   0:00.24 -cli (cli)
tecnologia  86670  0.0  0.7  30408  24488  qn  S+   26Oct16   0:06.95 -cli (cli)
% exit
exit
***

If the session doesn't appear with the cli command "show system users", it is probably that the process is hung in the shell.

I hope to help you.

Regards,
---
David

On Thu, Nov 24, 2016 at 11:37 AM, Hugo Slabbert wrote:
> Always a good reference:
>
> http://www.team-cymru.org/templates.html
> http://www.cymru.com/gillsr/documents/junos-template.pdf
>
> --
> Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E | also on Signal
>
> On Thu 2016-Nov-24 11:07:45 +, Alexander Arseniev <arsen...@btinternet.com> wrote:
>> Hello,
>>
>> Someone is brute-forcing Your router password, and that is very common
>> nowadays. Good loopback filter would prevent this.
>>
>> In addition:
>>
>> 1/ You can only do "request system logout" for sessions that passed
>> authentication+login+got TTY assigned. If You see "unsuccessful login" it
>> means this session did not get past authentication. Unauthenticated sessions
>> get disconnected after 3 wrong password attempts, or 120 secs if there is
>> no data flowing (from memory)
>>
>> 2/ Best practice is not to allow telnet at all. Use SSH instead. To
>> disable telnet, make sure You do NOT have the "telnet" line under "[system
>> services]" stanza.
>>
>> 3/ Also, You should be using:
>>
>> 3a/ loopback filter allowing SSH from trusted source IPs only. If You
>> manage router via internet, and must keep remote access to it open to
>> ANYONE that's not a good practice at all.
>>
>> 3b/ SSH public key authentication instead of password
>>
>> 3c/ backoff timer to fire after 3-5 unsuccessful login tries
>>
>> 3d/ inactivity timer to close hanging SSH sessions - to make sure You are
>> not locked out of the router access because all TTYs are taken.
>>
>> Thanks
>>
>> Alex
>>
>> On 21/11/2016 21:29, Aaron wrote:
>>> I have an unauthorized telnet session attached to my router but it does not
>>> show up under "show system users" and they have not successfully logged in, so
>>> it doesn't seem that I can do the "request system logout.." thing
>>>
>>> I do however see unsuccessful login attempts in syslog
>>>
>>> How do I kill/disconnect this tcp session?
>>>
>>> me@j1> show system connections | grep ".23 "
>>> tcp4       0      0  109.109.109.109.23     181.181.181.181.55436  ESTABLISHED
>>> tcp4       0      0  *.23                   *.*                    LISTEN
>>> tcp4       0      0  *.6023                 *.*                    LISTEN
>>> tcp4       0      0  *.6023                 *.*                    LISTEN
>>> udp4       0      0  128.0.0.1.123          *.*
>>> udp4       0      0  *.123                  *.*
>>> udp4       0      0  *.6123                 *.*
>>> udp4       0      0  *.6123                 *.*
>>>
>>> {master:0}
>>> me@j1> show system processes | grep "PID|telnet"
>>>   PID  TT  STAT      TIME COMMAND
>>> 70193  ??  Is     0:00.00 telnetd
>>>
>>> {master:0}
>>> me@j1> start shell
>>> % ps -awwux | grep telnet
>>> root    70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
>>> remote  70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
>>> %
>>>
>>> - Aaron
Re: [j-nsp] how to disconnect/kill tcp session from juniper router
Always a good reference:

http://www.team-cymru.org/templates.html
http://www.cymru.com/gillsr/documents/junos-template.pdf

--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal

On Thu 2016-Nov-24 11:07:45 +, Alexander Arseniev wrote:
> Hello,
>
> Someone is brute-forcing Your router password, and that is very common nowadays. Good loopback filter would prevent this.
>
> In addition:
>
> 1/ You can only do "request system logout" for sessions that passed authentication+login+got TTY assigned. If You see "unsuccessful login" it means this session did not get past authentication. Unauthenticated sessions get disconnected after 3 wrong password attempts, or 120 secs if there is no data flowing (from memory)
>
> 2/ Best practice is not to allow telnet at all. Use SSH instead. To disable telnet, make sure You do NOT have the "telnet" line under "[system services]" stanza.
>
> 3/ Also, You should be using:
>
> 3a/ loopback filter allowing SSH from trusted source IPs only. If You manage router via internet, and must keep remote access to it open to ANYONE that's not a good practice at all.
>
> 3b/ SSH public key authentication instead of password
>
> 3c/ backoff timer to fire after 3-5 unsuccessful login tries
>
> 3d/ inactivity timer to close hanging SSH sessions - to make sure You are not locked out of the router access because all TTYs are taken.
>
> Thanks
> Alex
>
> On 21/11/2016 21:29, Aaron wrote:
>> I have an unauthorized telnet session attached to my router but it does not show up under "show system users" and they have not successfully logged in, so it doesn't seem that I can do the "request system logout.." thing
>>
>> I do however see unsuccessful login attempts in syslog
>>
>> How do I kill/disconnect this tcp session?
>>
>> me@j1> show system connections | grep ".23 "
>> tcp4       0      0  109.109.109.109.23     181.181.181.181.55436  ESTABLISHED
>> tcp4       0      0  *.23                   *.*                    LISTEN
>> tcp4       0      0  *.6023                 *.*                    LISTEN
>> tcp4       0      0  *.6023                 *.*                    LISTEN
>> udp4       0      0  128.0.0.1.123          *.*
>> udp4       0      0  *.123                  *.*
>> udp4       0      0  *.6123                 *.*
>> udp4       0      0  *.6123                 *.*
>>
>> {master:0}
>> me@j1> show system processes | grep "PID|telnet"
>>   PID  TT  STAT      TIME COMMAND
>> 70193  ??  Is     0:00.00 telnetd
>>
>> {master:0}
>> me@j1> start shell
>> % ps -awwux | grep telnet
>> root    70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
>> remote  70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
>> %
>>
>> - Aaron
Re: [j-nsp] how to disconnect/kill tcp session from juniper router
Hello,

Someone is brute-forcing Your router password, and that is very common nowadays. Good loopback filter would prevent this.

In addition:

1/ You can only do "request system logout" for sessions that passed authentication+login+got TTY assigned. If You see "unsuccessful login" it means this session did not get past authentication. Unauthenticated sessions get disconnected after 3 wrong password attempts, or 120 secs if there is no data flowing (from memory)

2/ Best practice is not to allow telnet at all. Use SSH instead. To disable telnet, make sure You do NOT have the "telnet" line under "[system services]" stanza.

3/ Also, You should be using:

3a/ loopback filter allowing SSH from trusted source IPs only. If You manage router via internet, and must keep remote access to it open to ANYONE that's not a good practice at all.

3b/ SSH public key authentication instead of password

3c/ backoff timer to fire after 3-5 unsuccessful login tries

3d/ inactivity timer to close hanging SSH sessions - to make sure You are not locked out of the router access because all TTYs are taken.

Thanks
Alex

On 21/11/2016 21:29, Aaron wrote:
> I have an unauthorized telnet session attached to my router but it does not show up under "show system users" and they have not successfully logged in, so it doesn't seem that I can do the "request system logout.." thing
>
> I do however see unsuccessful login attempts in syslog
>
> How do I kill/disconnect this tcp session?
>
> me@j1> show system connections | grep ".23 "
> tcp4       0      0  109.109.109.109.23     181.181.181.181.55436  ESTABLISHED
> tcp4       0      0  *.23                   *.*                    LISTEN
> tcp4       0      0  *.6023                 *.*                    LISTEN
> tcp4       0      0  *.6023                 *.*                    LISTEN
> udp4       0      0  128.0.0.1.123          *.*
> udp4       0      0  *.123                  *.*
> udp4       0      0  *.6123                 *.*
> udp4       0      0  *.6123                 *.*
>
> {master:0}
> me@j1> show system processes | grep "PID|telnet"
>   PID  TT  STAT      TIME COMMAND
> 70193  ??  Is     0:00.00 telnetd
>
> {master:0}
> me@j1> start shell
> % ps -awwux | grep telnet
> root    70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
> remote  70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
> %
>
> - Aaron
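A Junos set-format configuration that puts Alex's items 2 and 3a-3d together with Phil's "no-passwords" point (top of page) into practice, added here as an example and not taken from any message in the thread. The filter name PROTECT-RE, the prefix-list MGMT-HOSTS and its 192.0.2.0/24 range, the login class ADMIN, the user netops and its key string are placeholders of mine, not values from the thread.

```junos
# Added example, not from the thread. PROTECT-RE, MGMT-HOSTS, ADMIN, netops
# and the 192.0.2.0/24 management range are placeholders.

# 2/ Remove cleartext management services entirely.
delete system services telnet
delete system services ftp

# 3b/ and Phil's point: SSH only, key-only authentication for remote users.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh no-passwords
set system services ssh connection-limit 5
set system services ssh rate-limit 3

# With no-passwords every remote user needs a key; console password login still works.
# 3d/ idle-timeout (minutes) frees a TTY held by an abandoned session.
set system login class ADMIN permissions all
set system login class ADMIN idle-timeout 10
set system login user netops uid 2001
set system login user netops class ADMIN
set system login user netops authentication ssh-rsa "ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY netops@mgmt"

# 3c/ Disconnect after 3 bad tries; delay each prompt after the 2nd failure.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5

# 3a/ Loopback (RE) filter: SSH only from management hosts; other SSH/telnet
# attempts are logged and dropped before a TTY is ever assigned.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-from-mgmt then accept
set firewall family inet filter PROTECT-RE term drop-other-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term drop-other-mgmt from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term drop-other-mgmt then syslog
set firewall family inet filter PROTECT-RE term drop-other-mgmt then discard
# Last term left permissive so routing protocols keep working; tighten it
# following the Team Cymru Junos template Hugo linked.
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Commit with "commit confirmed" from a session that originates inside MGMT-HOSTS, so a mistake in the filter or the key rolls back instead of locking you out.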