On Aug 12, 2012, at 3:07 PM, Robert Hass <robh...@gmail.com> wrote:

> Hi
>
> I have Juniper running 10.4R7 with RE filter applied to lo0.0 but I
> still see brute-force attacks to my SSH in log messages.
>
> I tested policy from hosts not existing in MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
>
> Rob
>
> My configuration:
>
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             primary;
>             filter {
>                 input RE;
>             }
>             address 10.0.0.1/32;
>         }
>     }
> }
> policy-options {
>     prefix-list MGMT {
>         10.3.0.0/24;
>         10.4.0.0/24;
>     }
> }
> filter RE {
>     term cli_permit {
>         from {
>             prefix-list {
>                 MGMT;
>             }
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_permit;
>             accept;
>         }
>     }
>     term cli_deny {
>         from {
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_deny;
>             log;
>             discard;
>         }
>     }
>     term default_action {
>         then accept;
>     }
> }
For some reason (have to admit I forget exactly why) I ended up doing it this way on 9.6, not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
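An added example, not from either poster: a small first-match model of the two filters in this thread, showing which term an SSH packet hits under Rob's RE filter (where `cli_deny` both logs and discards, so a logged attempt is a blocked one) and under George's `trusted-networks except` term. It assumes George's `trusted-networks` list holds the same prefixes as Rob's MGMT list, and that the posted `protect-router` snippet is complete, so non-SSH traffic falls through to the implicit discard at the end of a Junos filter; the packets are constructed test input.

```python
import ipaddress

MGMT = ["10.3.0.0/24", "10.4.0.0/24"]   # Rob's MGMT prefix-list, as posted
TRUSTED = MGMT                           # assumption: George's trusted-networks holds the same prefixes


def in_list(addr, prefixes):
    """True if addr falls inside any prefix of a prefix-list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


# Rob's RE filter: terms are tried top to bottom, first match wins.
RE_FILTER = [
    ("cli_permit", lambda p: in_list(p["src"], MGMT) and p["proto"] == "tcp" and p["dport"] in (22, 23), "accept"),
    ("cli_deny", lambda p: p["proto"] == "tcp" and p["dport"] in (22, 23), "discard"),   # log + discard
    ("default_action", lambda p: True, "accept"),
]

# George's protect-router filter: "trusted-networks except" matches sources NOT in the list,
# so SSH from any untrusted source is discarded. As posted there is no later accept term.
PROTECT_ROUTER = [
    ("10-ssh", lambda p: not in_list(p["src"], TRUSTED) and p["proto"] == "tcp" and p["dport"] == 22, "discard"),
]


def evaluate(terms, packet):
    """Return (term_name, action) for the first matching term.
    A Junos filter ends with an implicit discard, modelled here as ("implicit", "discard")."""
    for name, matches, action in terms:
        if matches(packet):
            return name, action
    return "implicit", "discard"


if __name__ == "__main__":
    # Constructed packets: an outside SSH probe, a management-host SSH session, an outside ping.
    for pkt in ({"src": "203.0.113.9", "proto": "tcp", "dport": 22},
                {"src": "10.3.0.5", "proto": "tcp", "dport": 22},
                {"src": "203.0.113.9", "proto": "icmp", "dport": None}):
        print(pkt, "RE:", evaluate(RE_FILTER, pkt), "protect-router:", evaluate(PROTECT_ROUTER, pkt))
```

The second packet shows why the posted `protect-router` snippet cannot be the whole filter: without a trailing accept term, even trusted SSH (and everything else to the RE) lands on the implicit discard.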