Re: [j-nsp] SSH access and not working firewall policy

2012-08-13 Thread Robert Hass
On Sun, Aug 12, 2012 at 10:46 PM, Alex Arseniev  wrote:
> Try this:
>
> from {
>     source-prefix-list { ### <=== must be source
[...]
>
> "prefix-list" checks whether either the dst IP or the src IP of the incoming packet matches.
> If your box's interface IP is in the MGMT prefix-list, then every SSH brute-force
> attempt is a match, since it most likely targets your interface IP.

Hi Alex
Thanks. That was it!

Now the ACL works perfectly.

Rob
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
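Alex's point is the whole thread in one line: a Junos `prefix-list` match condition is satisfied by either the source or the destination address, while `source-prefix-list` looks at the source only. The following Python model of Rob's RE filter is an added illustration, not code from the thread or from Junos; it walks the three terms (cli_permit, cli_deny, default_action) under both match semantics. The packets are constructed, and 10.3.0.1 is an assumed router interface address inside the MGMT range, which is the situation Alex's explanation requires.

```python
import ipaddress

# Prefixes from Rob's MGMT prefix-list and the ports the cli_* terms match.
MGMT = [ipaddress.ip_network(p) for p in ("10.3.0.0/24", "10.4.0.0/24")]
CLI_PORTS = {22, 23}  # ssh, telnet


def in_prefix_list(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in prefixes)


def evaluate_re_filter(src, dst, proto, dport, match="prefix-list"):
    """Walk the RE filter's terms in order; return (term, action).

    match="prefix-list"        models Rob's original filter: Junos matches the
                               list against the source OR destination address.
    match="source-prefix-list" models Alex's fix: source address only.
    """
    if match == "prefix-list":
        mgmt_hit = in_prefix_list(src, MGMT) or in_prefix_list(dst, MGMT)
    elif match == "source-prefix-list":
        mgmt_hit = in_prefix_list(src, MGMT)
    else:
        raise ValueError("unknown match type: %s" % match)

    is_cli = proto == "tcp" and dport in CLI_PORTS
    if mgmt_hit and is_cli:                 # term cli_permit
        return ("cli_permit", "accept")
    if is_cli:                              # term cli_deny (count, log, discard)
        return ("cli_deny", "discard")
    return ("default_action", "accept")     # term default_action


def demo():
    # Constructed packets. 10.3.0.1 stands for a router interface address that
    # lies inside the MGMT range (an assumption; the thread does not list one).
    attacker = ("203.0.113.7", "10.3.0.1", "tcp", 22)  # SSH guess from outside
    admin = ("10.3.0.50", "10.0.0.1", "tcp", 22)       # SSH from a MGMT host
    results = {}
    for name, pkt in (("attacker", attacker), ("admin", admin)):
        for match in ("prefix-list", "source-prefix-list"):
            results[(name, match)] = evaluate_re_filter(*pkt, match=match)
    return results


if __name__ == "__main__":
    for (name, match), (term, action) in demo().items():
        print(f"{name:9s} {match:19s} -> {term:14s} {action}")
```

With `prefix-list`, the outside SSH attempt lands in cli_permit because the destination is in MGMT; with `source-prefix-list` it falls through to cli_deny and is discarded, while the admin host is accepted either way.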


Re: [j-nsp] SSH access and not working firewall policy

2012-08-13 Thread Robert Hass
On Mon, Aug 13, 2012 at 6:34 AM, Chris Kawchuk  wrote:
> One possibility - They're coming from inside your own network =)
>
> What are the source IPs on the attempts, and what device is this (EX? MX? J?
> QFabric?)

Platform is MX

Source IPs are, for example, from China, so not at all from my inside network
- but it makes no difference to me whether the packets are coming from the inside or
outside part of the network. These source IPs are not in the MGMT prefix-list.

Rob


Re: [j-nsp] SSH access and not working firewall policy

2012-08-12 Thread Chris Kawchuk
One possibility - They're coming from inside your own network =)

What are the source IPs on the attempts, and what device is this (EX? MX? J?
QFabric?)

- CK.

On 2012-08-13, at 5:07 AM, Robert Hass wrote:

> Hi
> 
> I have a Juniper running 10.4R7 with an RE filter applied to lo.0, but I
> still see brute-force attacks on my SSH in the log messages.
> 
> .




Re: [j-nsp] SSH access and not working firewall policy

2012-08-12 Thread George Carey

On Aug 12, 2012, at 3:07 PM, Robert Hass  wrote:

> Hi
> 
> I have a Juniper running 10.4R7 with an RE filter applied to lo.0, but I
> still see brute-force attacks on my SSH in the log messages.
> 
> I tested the policy from hosts not in the MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
> 
> Rob
> 
> My configuration:
> 
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             primary;
>             filter {
>                 input RE;
>             }
>             address 10.0.0.1/32;
>         }
>     }
> }
> policy-options {
>     prefix-list MGMT {
>         10.3.0.0/24;
>         10.4.0.0/24;
>     }
> }
> filter RE {
>     term cli_permit {
>         from {
>             prefix-list {
>                 MGMT;
>             }
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_permit;
>             accept;
>         }
>     }
>     term cli_deny {
>         from {
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_deny;
>             log;
>             discard;
>         }
>     }
>     term default_action {
>         then accept;
>     }
> }


For some reason (have to admit I forget exactly why) I ended up doing it this 
way on 9.6, not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey




[j-nsp] SSH access and not working firewall policy

2012-08-12 Thread Robert Hass
Hi

I have a Juniper running 10.4R7 with an RE filter applied to lo.0, but I
still see brute-force attacks on my SSH in the log messages.

I tested the policy from hosts not in the MGMT ACL - I cannot connect
to SSH, so how can these attackers connect to my SSH?
Any hints? Maybe I also have to filter more ports?

Rob

My configuration:

lo0 {
    unit 0 {
        family inet {
            no-redirects;
            primary;
            filter {
                input RE;
            }
            address 10.0.0.1/32;
        }
    }
}
policy-options {
    prefix-list MGMT {
        10.3.0.0/24;
        10.4.0.0/24;
    }
}
filter RE {
    term cli_permit {
        from {
            prefix-list {
                MGMT;
            }
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_permit;
            accept;
        }
    }
    term cli_deny {
        from {
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_deny;
            log;
            discard;
        }
    }
    term default_action {
        then accept;
    }
}