Re: [j-nsp] SSH access and not working firewall policy
On Sun, Aug 12, 2012 at 10:46 PM, Alex Arseniev wrote:
> Try this:
>
> from {
>     source-prefix-list {    ### <=== must be source
> [...]
>
> "prefix-list" checks if either dst.IP or src.IP of incoming packet matches.
> If your box' interface IP is in MGMT prefix-list, then every SSH brute force
> attempt is a match since it most likely targets your interface IP.

Hi Alex

Thanks. That was it! Now the ACL works perfectly.

Rob

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
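A small model of the matching difference Alex describes, added here as an illustration and not part of the thread: "prefix-list" in a from clause matches either the source or the destination address, while "source-prefix-list" matches the source only. The packets are constructed (203.0.113.0/24 is a documentation range) and the router interface address 10.3.0.1 inside the MGMT range is an assumption.

```python
# Added example (not from the thread): evaluates Rob's RE filter terms against
# sample packets under both match semantics. Sample packets are constructed.
import ipaddress

MGMT = [ipaddress.ip_network(p) for p in ("10.3.0.0/24", "10.4.0.0/24")]
CLI_PORTS = {22, 23}  # destination-port [ telnet ssh ]


def in_prefix_list(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def evaluate_re_filter(src, dst, proto, dport, match="prefix-list"):
    """Return (term, action) the RE filter would apply to one packet.

    match="prefix-list" reproduces the original cli_permit term: Junos tests
    the list against the source OR the destination address.
    match="source-prefix-list" is Alex's fix: only the source is tested.
    """
    # term cli_permit
    if match == "prefix-list":
        list_hit = in_prefix_list(src, MGMT) or in_prefix_list(dst, MGMT)
    elif match == "source-prefix-list":
        list_hit = in_prefix_list(src, MGMT)
    else:
        raise ValueError("unknown match type: %s" % match)
    if list_hit and proto == "tcp" and dport in CLI_PORTS:
        return ("cli_permit", "accept")
    # term cli_deny
    if proto == "tcp" and dport in CLI_PORTS:
        return ("cli_deny", "discard")
    # term default_action
    return ("default_action", "accept")


# Constructed samples: an operator in MGMT, an Internet host (documentation
# address) hitting SSH on an interface that sits in MGMT, the same host
# hitting lo0, and non-CLI traffic.
SAMPLES = [
    ("10.3.0.25", "10.3.0.1", "tcp", 22),
    ("203.0.113.7", "10.3.0.1", "tcp", 22),
    ("203.0.113.7", "10.0.0.1", "tcp", 22),
    ("203.0.113.7", "10.3.0.1", "udp", 53),
]


def compare():
    """Evaluate every sample under both semantics; returns (pkt, orig, fixed) tuples."""
    return [(s, evaluate_re_filter(*s),
             evaluate_re_filter(*s, match="source-prefix-list")) for s in SAMPLES]


if __name__ == "__main__":
    for pkt, original, fixed in compare():
        print("%s: prefix-list -> %s, source-prefix-list -> %s"
              % (pkt, original[1], fixed[1]))
```

The second sample is the case from the thread: with "prefix-list" the brute-force attempt is accepted by cli_permit because its destination is in MGMT, and the cli_deny counter never sees it.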
Re: [j-nsp] SSH access and not working firewall policy
On Mon, Aug 13, 2012 at 6:34 AM, Chris Kawchuk wrote:
> One possibility - They're coming from inside your own network =)
>
> What are the source IPs on the attempts, and what device is this (EX? MX? J?
> QFabric?)

Platform is MX.

Source IPs are, for example, from China, so not at all from my inside network - but it makes no difference to me whether the packets are coming from the inside or the outside part of the network. These source IPs are not in the MGMT prefix-list.

Rob
Re: [j-nsp] SSH access and not working firewall policy
One possibility - They're coming from inside your own network =)

What are the source IPs on the attempts, and what device is this (EX? MX? J? QFabric?)

- CK.

On 2012-08-13, at 5:07 AM, Robert Hass wrote:
> Hi
>
> I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I
> still see brute-force attacks on my SSH in the log messages.
>
> .
Re: [j-nsp] SSH access and not working firewall policy
On Aug 12, 2012, at 3:07 PM, Robert Hass wrote:
> Hi
>
> I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I
> still see brute-force attacks on my SSH in the log messages.
>
> I tested the policy from hosts that are not in the MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH? Any hints? Maybe I also
> have to filter more ports?
>
> Rob
>
> My configuration:
>
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             primary;
>             filter {
>                 input RE;
>             }
>             address 10.0.0.1/32;
>         }
>     }
> }
> policy-options {
>     prefix-list MGMT {
>         10.3.0.0/24;
>         10.4.0.0/24;
>     }
> }
> filter RE {
>     term cli_permit {
>         from {
>             prefix-list {
>                 MGMT;
>             }
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_permit;
>             accept;
>         }
>     }
>     term cli_deny {
>         from {
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_deny;
>             log;
>             discard;
>         }
>     }
>     term default_action {
>         then accept;
>     }
> }
> ___

For some reason (I have to admit I forget exactly why) I ended up doing it this way on 9.6; not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey
[j-nsp] SSH access and not working firewall policy
Hi

I have a Juniper running 10.4R7 with an RE filter applied to lo0, but I still see brute-force attacks on my SSH in the log messages.

I tested the policy from hosts that are not in the MGMT ACL - I cannot connect to SSH, so how can these attackers connect to my SSH? Any hints? Maybe I also have to filter more ports?

Rob

My configuration:

lo0 {
    unit 0 {
        family inet {
            no-redirects;
            primary;
            filter {
                input RE;
            }
            address 10.0.0.1/32;
        }
    }
}
policy-options {
    prefix-list MGMT {
        10.3.0.0/24;
        10.4.0.0/24;
    }
}
filter RE {
    term cli_permit {
        from {
            prefix-list {
                MGMT;
            }
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_permit;
            accept;
        }
    }
    term cli_deny {
        from {
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_deny;
            log;
            discard;
        }
    }
    term default_action {
        then accept;
    }
}