Re: [j-nsp] how to disconnect/kill tcp session from juniper router

2016-11-24 Thread Phil Shafer
Alexander Arseniev writes:
>Someone is brute-forcing Your router password, and that is very common 
>nowadays. Good loopback filter would prevent this.

Amen to this and all your other points, esp re: avoiding telnet in
favor of ssh.

Also you can use "system services ssh no-passwords;" to prevent
password use under ssh, but this _requires_ that you have ssh keys
installed for every user under [system login user authentication].
You'll still get connections, which can be blocked using filters,
but you can sleep better at night knowing that brute force password
attacks will fail (after you delete telnet/ftp/etc).  Passwords
continue to function on the console and for non-ssh protocols.

Thanks,
 Phil
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Using multiple sources for flows on Logical Systems

2016-11-24 Thread Alexander Arseniev

Hello,

What happens if You configure "inline-jflow source-address 2.2.2.2" 
instead of 1.1.1.1?


I bet Your jflow source IP would become 2.2.2.2 and since 2.2.2.2 exists 
in the LS LAB, your collector can recognise that these packets carry traffic 
stats from LS LAB.


By the same token, You have to have 1 jflow instance per LS.

Or do I miss something here?

Thx

Alex


On 24/11/2016 19:21, Epafras R Schaden wrote:


Hi Alex,

I tried your suggestion on LAB, but unfortunately it does not work. It 
appears that the configuration that sets the source-address on the 
packets leaving the router for the flow server is the inline jflow 
source configuration, and it cannot be configured for each instance.


I’m attaching my configuration to share. If you and other guys have 
any suggestions I’ll be glad to test them.


Thanks

Epafras Schaden

[edit]
epafras@PE1# show services
flow-monitoring {
    version-ipfix {
        template flow {
            flow-active-timeout 60;
            flow-inactive-timeout 30;
            template-refresh-rate {
                seconds 10;
            }
            option-refresh-rate {
                seconds 10;
            }
            ipv4-template;
        }
    }
}

[edit]
epafras@PE1# show forwarding-options
sampling {
    input {
        rate 1000;
    }
    instance {
        LAB {
            input {
                rate 1000;
                run-length 0;
            }
            family inet {
                output {
                    flow-inactive-timeout 15;
                    flow-active-timeout 60;
                    flow-server 50.0.0.254 {
                        port 63636;
                        version-ipfix {
                            template {
                                flow;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 1.1.1.1;
                    }
                }
            }
        }
    }
}

[edit]
epafras@PE1#

[edit]
epafras@PE1# show interfaces lo0
unit 0 {
    family inet {
        address 1.1.1.1/32;
        address 2.2.2.2/32;
    }
}

epafras@PE1# top show logical-systems FLOW
interfaces {
    ge-0/0/0 {
        unit 200 {
            description "LS FLOW - VLAN 200";
            vlan-id 200;
            family inet {
                sampling {
                    input;
                    output;
                }
                address 200.0.0.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 201 {
            description "LS FLOW - VLAN 201";
            vlan-id 201;
            family inet {
                sampling {
                    input;
                    output;
                }
                address 201.0.0.254/24;
            }
        }
    }
    lo0 {
        unit 1 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
forwarding-options {
    sampling {
        family inet {
            output {
                flow-server 50.0.0.254 {
                    port 63636;
                    source-address 2.2.2.2;
                }
            }
        }
    }
}

Results on the FLOW SERVER. Flows from traffic passing through L.S. FLOW:

17:16:15.272367 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.273342 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.273350 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.273352 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.274376 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.274386 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.274389 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.275262 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.275268 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.275271 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.276368 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 190
17:16:15.276374 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.276376 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.277367 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.277381 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.278324 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
17:16:15.278333 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.279348 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.280349 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 445
17:16:15.281303 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
17:16:15.286309 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105
17:16:15.288257 IP 1.1.1.1.50101 > 50.0.0.254.63636: UDP, length 105

From: Alexander Arseniev
Date: Wednesday, 23 November 2016 11:06
To: Epafras R Schaden, J-NSP List
Subject: Re: [j-nsp] Using multiple sources for flows on Logical Systems

Hello,

Have You tried to duplicate Your LS IP on master system lo0.0, and 
explicitly set "source-address" for each LS-mapped Jflow instance to 
be one of these duplicated IPs?


If You worry about leaking these IPs to Your IGP, then JUNOS has tools 
to selectively disallow lo0.0 IPs into the IGP.


Thanks
Alex

On 23/11/2016 11:51, Epafras R Schaden wrote:

Hello All,

  


We have an MX480 configured to export IPFIX flows to a server. Now, we have 
created some Logical Systems on the router to provide something like a “virtual 
router” to some of our customers on this location.

  


I have now configured some of those instances to export flows to the same 

Re: [j-nsp] how to disconnect/kill tcp session from juniper router

2016-11-24 Thread David Lockuan
Hi Aaron,

When a telnet session is established, the process is no longer a telnetd daemon
once it has passed to the cli process. You should filter with the grep
command looking for "cli". Check my example:

***
tecnologia@MX240-2_LAB-RE0> show system users
12:28PM  up 93 days,  1:45, 6 users, load averages: 0.16, 0.08, 0.02
USER       TTY  FROM         LOGIN@   IDLE   WHAT
tecnologia d0   -            07Nov16  16days -cli (cli)
tecnologia p1   10.10.0.240  Wed04PM  19:26  -cli (cli)
tecnologia p5   10.10.90.2   26Oct16  28days -cli (cli)
tecnologia pj   10.10.90.2   12:28PM  -      -cli (cli)
tecnologia qi   10.10.0.240  26Oct16  28days telnet
tecnologia qn   10.10.0.240  26Oct16  28days -cli (cli)

{master}
tecnologia@MX240-2_LAB-RE0> start shell
%
% ps -aux | grep cli
tecnologia 90751  0.0  0.7 30400 24536  d0  S+    7Nov16   0:04.78 -cli (cli)
tecnologia 67215  0.0  0.7 30384 24336  p1  S+    4:47PM   0:00.34 -cli (cli)
tecnologia 86298  0.0  0.7 30400 24468  p5  S+   26Oct16   0:06.88 -cli (cli)
tecnologia 83579  0.0  0.7 30376 24312  pj  S    12:28PM   0:00.09 -cli (cli)
tecnologia 83599  0.0  0.0  2024   864  pj  R+   12:29PM   0:00.00 grep cli
tecnologia 86010  0.0  0.7 30412 24424  qi  I+   26Oct16   0:00.24 -cli (cli)
tecnologia 86670  0.0  0.7 30408 24488  qn  S+   26Oct16   0:06.95 -cli (cli)
% exit
exit
***

If the session doesn't appear in the CLI command "show system users", the
process is probably hung in the shell.

I hope this helps you.

Regards,

---
David



Re: [j-nsp] how to disconnect/kill tcp session from juniper router

2016-11-24 Thread Hugo Slabbert

Always a good reference:

http://www.team-cymru.org/templates.html
http://www.cymru.com/gillsr/documents/junos-template.pdf

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal


Re: [j-nsp] how to disconnect/kill tcp session from juniper router

2016-11-24 Thread Alexander Arseniev

Hello,

Someone is brute-forcing Your router password, and that is very common 
nowadays. Good loopback filter would prevent this.


In addition:

1/ You can only do "request system logout" for sessions that passed 
authentication+login+got TTY assigned. If You see "unsuccessful login" 
it means this session did not get past authentication. Unauthenticated 
sessions got disconnected after 3 wrong password attempts, or 120 secs 
if there is no data flowing (from memory)


2/ Best practice is not to allow telnet at all. Use SSH instead. To 
disable telnet, make sure You do NOT have the "telnet" line under 
"[system services]" stanza.


3/ Also, You should be using:

3a/ loopback filter allowing SSH from trusted source IPs only. If You 
manage router via internet, and must keep remote access to it open to 
ANYONE that's not a good practice at all.


3b/ SSH public key authentication instead of password

3c/ backoff timer to fire after 3-5 unsuccessful login tries

3d/ inactivity timer to close hanging SSH sessions - to make sure You 
are not locked out of the router access because all TTYs are taken.


Thanks

Alex


On 21/11/2016 21:29, Aaron wrote:

I have an unauthorized telnet session attached to my router but it does not
show up under "show system users" and they have not successfully logged in, so
it doesn't seem that I can do the "request system logout.." thing

I do however see unsuccessful login attempts in syslog

How do I kill/disconnect this tcp session ?

me@j1> show system connections | grep ".23 "
tcp4   0  0  109.109.109.109.23   181.181.181.181.55436  ESTABLISHED
tcp4   0  0  *.23                 *.*                    LISTEN
tcp4   0  0  *.6023               *.*                    LISTEN
tcp4   0  0  *.6023               *.*                    LISTEN
udp4   0  0  128.0.0.1.123        *.*
udp4   0  0  *.123                *.*
udp4   0  0  *.6123               *.*
udp4   0  0  *.6123               *.*

{master:0}
me@j1> show system processes | grep "PID|telnet"
  PID  TT  STAT  TIME COMMAND
70193  ??  Is 0:00.00 telnetd

{master:0}
me@j1> start shell
% ps -awwux | grep telnet
root   70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
remote 70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
%

- Aaron
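As an added example (not configuration from this thread), the following Junos set commands implement Alex's points 2 and 3a-3d above together with Phil Shafer's "no-passwords" suggestion from his reply; the filter, prefix-list, class and user names, the addresses and the key string are placeholders, not values from the thread.

```junos
## Added example (not configuration from this thread): one way to implement
## Alex's points 2, 3a-3d and Phil's "no-passwords" advice in Junos set syntax.
## Names PROTECT-RE, MGMT-HOSTS, OPS, ops-admin, the RFC 5737 prefixes and the
## key string are placeholders; substitute your own before committing.

## 3a/ trusted management sources (constructed documentation prefixes)
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set policy-options prefix-list MGMT-HOSTS 198.51.100.10/32

## Loopback filter: SSH is accepted only from MGMT-HOSTS; other SSH/telnet
## attempts are counted, logged and dropped before they reach sshd or telnetd.
## The final term is deliberately permissive so routing protocols keep working;
## tighten it to your own control-plane policy.
set firewall family inet filter PROTECT-RE term ssh-trusted from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-trusted from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-trusted then accept
set firewall family inet filter PROTECT-RE term mgmt-deny from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-deny from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term mgmt-deny then count mgmt-denied
set firewall family inet filter PROTECT-RE term mgmt-deny then syslog
set firewall family inet filter PROTECT-RE term mgmt-deny then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## 2/ and 3b/: no telnet service, SSH v2 only, key authentication only.
## no-passwords requires an ssh key for every login user (see Phil's note).
delete system services telnet
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh no-passwords

## 3c/ backoff: from the 3rd failed try each further try is delayed by 5 s,
## and the connection is dropped after the 5th failure.
set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 5

## 3d/ idle CLI sessions are closed after 15 minutes so TTYs cannot be exhausted
set system login class OPS permissions all
set system login class OPS idle-timeout 15
set system login user ops-admin class OPS
set system login user ops-admin authentication ssh-rsa "ssh-rsa AAAAB3...PLACEHOLDER ops@mgmt"
```

Check the effect with "show firewall filter PROTECT-RE" (the mgmt-denied counter should rise while a brute-force is running) and "show system users" before committing no-passwords, so you do not lock out an account that still relies on a password.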
