Re: [j-nsp] sshd log messages !!

2014-02-27 Thread Harri Makela
Model: j6350 
JUNOS Software Release [10.4R4.5] 

Following is the current configuration that we have for ssh:-


set system login user xxx authentication ssh-rsa ssh-rsa B 
set system services ssh 
set security ssh-known-hosts host 10.x.x.x rsa-key 
set security ssh-known-hosts host 10.x.x.x rsa-key 
set firewall family inet filter Access term AllowSSH from port ssh 
set firewall family inet filter Access term DenySSH from port ssh 

Following firewall filter is in place:-

set interfaces ge-0/0/1 unit 0 family inet filter input Access 
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16 
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16 
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16 
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16 
set firewall family inet filter Access term AllowSSH from protocol tcp 
set firewall family inet filter Access term AllowSSH from port ssh 
set firewall family inet filter Access term AllowSSH then accept 
set firewall family inet filter Access term DenySSH from protocol tcp 
set firewall family inet filter Access term DenySSH from port ssh 
set firewall family inet filter Access term DenySSH then reject 
set firewall family inet filter Access term default-term then accept 

I am now going to add loopback address as well:-

set interfaces lo0 unit 0 family inet filter input Access 

Important thing is that all these alerts started when we applied the filter, 
maybe something is wrong with the configuration that we have applied.


Following is the vulnerability that we wanted to address:-

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612

Thanks all for your detailed response.




On Thursday, 27 February 2014, 7:11, Mark Tinka mark.ti...@seacom.mu wrote:
 
On Thursday, February 27, 2014 01:14:26 AM Rodrigo Augusto 

wrote:

 Protect your RE. Put a filter on your loopback and permit
 only your networks to access this port (22).

Yep. 

You really shouldn't let your SSH daemon have easy access to 
the world.

Mark.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] sshd log messages !!

2014-02-27 Thread Mark Tinka
On Thursday, February 27, 2014 02:13:42 PM Harri Makela 
wrote:

 set interfaces ge-0/0/1 unit 0 family inet filter input
 Access

Your firewall needs to be configured on the Loopback 
interface, as that represents the router's control plane.

 set interfaces lo0 unit 0 family inet filter input Access

Yes, this should fix things.

Mark.



Re: [j-nsp] sshd log messages !!

2014-02-27 Thread Phil Shafer
Ben Dale writes:
set system services ssh port 1024-65535
...
maybe an allow-sources might be a bit more useful in this instance?  Less 
sophisticated users tend to shoot themselves in the foot with firewall filters quite 
regularly.

Would a firewall filter on lo0 be a better answer for this?
Dropping packets in hardware prevents intruders having any
impact on the RE.

Thanks,
 Phil



Re: [j-nsp] sshd log messages !!

2014-02-27 Thread Alex Arseniev

set firewall family inet filter Access term AllowSSH from address X.X.X.X/16

If X.X.X.X/16 includes any interface address of this router, then this 
filter is NOT going to stop attacks, no matter where applied.


You should be much more specific in writing the match conditions. Below 
is an example:


 X.X.X.X/16 is the trusted hosts IP block, allowed to SSH _TO_ 
this router
set firewall family inet filter Access term AllowInboundSSH from 
source-address X.X.X.X/16
set firewall family inet filter Access term AllowInboundSSH from 
protocol tcp
set firewall family inet filter Access term AllowInboundSSH from 
destination-port ssh

set firewall family inet filter Access term AllowInboundSSH then accept

 Y.Y.Y.Y/16 is another trusted hosts IP block, allowed to be 
SSHed to _FROM_ this router
set firewall family inet filter Access term AllowOutboundSSHReturn from 
source-address Y.Y.Y.Y/16
set firewall family inet filter Access term AllowOutboundSSHReturn from 
protocol tcp
set firewall family inet filter Access term AllowOutboundSSHReturn from 
tcp-established
set firewall family inet filter Access term AllowOutboundSSHReturn from 
source-port ssh
set firewall family inet filter Access term AllowOutboundSSHReturn then 
accept


HTH
Thanks
Alex



Re: [j-nsp] sshd log messages !!

2014-02-27 Thread Alex Arseniev

The filter the OP posted
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from protocol tcp
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term AllowSSH then accept

- matches the following combo:

( { X.X.X.X/16 source, any destination } OR { any source, X.X.X.X/16 
destination} )

AND
( { any src.tcp.port, 22 } OR { 22, any dst.tcp.port} )

Which means that if X.X.X.X/16 includes any local IP address, then any 
host on internet can send SSH packets to this router.

Hope this makes sense.
HTH
Thanks
Alex

On 27/02/2014 15:10, Andrew Tutten wrote:

Alex,

Can you elaborate on a situation where if you have part of your source 
address filter on your interface why it won't stop attacks? Is it if 
SSH traffic is passing through that interface to get to the router? I 
have had problems with still seeing logins from addresses outside the 
filter on mine.


Thanks.


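To make Alex's point concrete, here is a small evaluator, added here and not code from the thread or from Juniper, that parses both filters as `set` lines and runs three packets through them. It models only the match keywords the thread uses; the addresses (198.51.100.0/24 as the trusted block with the router's own 198.51.100.1 inside it, 203.0.113.0/24 as the block the router SSHes to, 192.0.2.99 as an arbitrary internet host) are assumptions standing in for X.X.X.X/16 and Y.Y.Y.Y/16.

```python
"""Toy evaluator for the Junos filter terms discussed in the thread. Added example,
not code from the thread or Juniper: only the match keywords used here are modelled;
terms are tried in order and an unmatched packet is discarded, as in a real filter."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# ack = TCP ACK bit, which approximates what 'tcp-established' matches.
Packet = namedtuple("Packet", "src dst proto sport dport ack", defaults=("tcp", 0, 0, False))

@dataclass
class Term:
    name: str
    matches: dict = field(default_factory=dict)  # keyword -> set of values (ORed)
    action: str = "accept"

def parse_set_lines(lines):
    """Parse 'set firewall family inet filter F term T from|then ...' lines into Terms."""
    terms = {}
    for p in (l.split() for l in lines):
        if p[:5] != ["set", "firewall", "family", "inet", "filter"]:
            continue  # blank or unrelated line
        term = terms.setdefault(p[7], Term(p[7]))
        if p[8] == "then":
            term.action = p[9]
        elif p[9] == "tcp-established":
            term.matches["tcp-established"] = {True}
        else:
            kw, val = p[9], p[10]
            if kw.endswith("port"):
                val = 22 if val == "ssh" else int(val)  # only named port used here
            elif kw.endswith("address"):
                val = ipaddress.ip_network(val)
            term.matches.setdefault(kw, set()).add(val)
    return list(terms.values())

def _in(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

# 'address' and 'port' match either end of the packet; the source-/destination- forms do not.
CHECKS = {
    "address": lambda p, v: _in(p.src, v) or _in(p.dst, v),
    "source-address": lambda p, v: _in(p.src, v),
    "destination-address": lambda p, v: _in(p.dst, v),
    "protocol": lambda p, v: p.proto in v,
    "port": lambda p, v: p.sport in v or p.dport in v,
    "source-port": lambda p, v: p.sport in v,
    "destination-port": lambda p, v: p.dport in v,
    "tcp-established": lambda p, v: p.ack,
}

def evaluate(terms, pkt):
    """Action of the first term whose conditions all match; Junos discards the rest."""
    for t in terms:
        if all(CHECKS[kw](pkt, vals) for kw, vals in t.matches.items()):
            return t.action
    return "discard"

# Assumed addresses (documentation ranges standing in for the thread's X.X.X.X/16 etc.).
TRUSTED = "198.51.100.0/24"  # hosts allowed to SSH *to* the router
ROUTER = "198.51.100.1"      # an interface address of the router, inside TRUSTED
MANAGED = "203.0.113.0/24"   # hosts the router itself SSHes *to*

# The OP's terms, with 'address' and 'port' matching in either direction.
OP_FILTER = parse_set_lines(f"""
set firewall family inet filter Access term AllowSSH from address {TRUSTED}
set firewall family inet filter Access term AllowSSH from protocol tcp
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term AllowSSH then accept
set firewall family inet filter Access term DenySSH from protocol tcp
set firewall family inet filter Access term DenySSH from port ssh
set firewall family inet filter Access term DenySSH then reject
set firewall family inet filter Access term default-term then accept
""".splitlines())

# Alex's direction-specific terms, plus the OP's deny term tightened the same way.
TIGHT_FILTER = parse_set_lines(f"""
set firewall family inet filter Access term AllowInboundSSH from source-address {TRUSTED}
set firewall family inet filter Access term AllowInboundSSH from protocol tcp
set firewall family inet filter Access term AllowInboundSSH from destination-port ssh
set firewall family inet filter Access term AllowInboundSSH then accept
set firewall family inet filter Access term AllowOutboundSSHReturn from source-address {MANAGED}
set firewall family inet filter Access term AllowOutboundSSHReturn from protocol tcp
set firewall family inet filter Access term AllowOutboundSSHReturn from tcp-established
set firewall family inet filter Access term AllowOutboundSSHReturn from source-port ssh
set firewall family inet filter Access term AllowOutboundSSHReturn then accept
set firewall family inet filter Access term DenySSH from protocol tcp
set firewall family inet filter Access term DenySSH from destination-port ssh
set firewall family inet filter Access term DenySSH then reject
set firewall family inet filter Access term default-term then accept
""".splitlines())

# Constructed packets as seen by an input filter on lo0.
ATTACKER = Packet("192.0.2.99", ROUTER, sport=21067, dport=22)           # internet host -> router:22
OPERATOR = Packet("198.51.100.7", ROUTER, sport=40000, dport=22)         # trusted host -> router:22
RETURN = Packet("203.0.113.5", ROUTER, sport=22, dport=50000, ack=True)  # reply to the router's own SSH

if __name__ == "__main__":
    for name, pkt in ("attacker", ATTACKER), ("operator", OPERATOR), ("return", RETURN):
        print(f"{name:9s} OP filter: {evaluate(OP_FILTER, pkt):7s} tightened: {evaluate(TIGHT_FILTER, pkt)}")
```

Under the OP's terms the packet from 192.0.2.99 to the router's port 22 is accepted, because `address` matches the router's own address on the destination side and `port` matches 22 on the destination side; under the direction-specific terms it falls through to the deny term and is rejected, while the operator's session and the return traffic of the router's own SSH sessions still pass. The `tcp-established` condition is approximated here by the ACK bit, which is enough for this comparison but not the exact Junos flag test.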

[j-nsp] sshd log messages !!

2014-02-26 Thread Harri Makela
Hi There

I am constantly getting these log messages for last few days:-

sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2
sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank 
you for playing


Are these indicating any brute-force attack? Thanks
HM




On Wednesday, 26 February 2014, 21:15, juniper-nsp-requ...@puck.nether.net 
juniper-nsp-requ...@puck.nether.net wrote:
 
Send juniper-nsp mailing list submissions to
    juniper-nsp@puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
    juniper-nsp-requ...@puck.nether.net

You can reach the person managing the list at
    juniper-nsp-ow...@puck.nether.net

When replying, please edit your Subject line so it is more specific
than Re: Contents of juniper-nsp digest...


Today's Topics:

   1. Re: proposed changes to clear bgp neighbor (ryanL)
   2. Re: proposed changes to clear bgp neighbor (Phil Shafer)
   3. Re: proposed changes to clear bgp neighbor (Eric Van Tol)
   4. Re: proposed changes to clear bgp neighbor (Jerry Dent)
   5. Re: proposed changes to clear bgp neighbor (Brent Sweeny)
   6. Re: proposed changes to clear bgp neighbor
      (Fernando Garcia Fernandez)
   7. Re: proposed changes to clear bgp neighbor (ryanL)
   8. Re: proposed changes to clear bgp neighbor
      (Jonas Frey (Probe Networks))
   9. Re: proposed changes to clear bgp neighbor (sth...@nethelp.no)


--

Message: 1
Date: Wed, 26 Feb 2014 12:22:51 -0500
From: ryanL ryan.lan...@gmail.com
To: p...@juniper.net
Cc: Juniper for Network Service Providers
    juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] proposed changes to clear bgp neighbor
Message-ID:
    cak_-tsayrdjhuatsnbokn2nrkcrjjgb3zwtr_cljizkuxcx...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

it's a nice-to-have, maybe? but this sounds more like an opportunity for
you to sell some JNCIA courses. i mean, how long has junos been around now?


On Wed, Feb 26, 2014 at 10:36 AM, Phil Shafer p...@juniper.net wrote:

 Juniper users,

 We've been asked to make a change to the clear bgp neighbor command
 to make the neighbor or all argument mandatory.  The root cause
 is the severe impact of clear bgp neighbor and the increasing
 accidental use of this command without a specific neighbor.

 In general, we avoid changing commands to add mandatory arguments,
 but my feeling is that the impact and severity of this specific
 command makes this an acceptable occasion for such a change.

 I'm looking for feedback about this change.  My working assumption
 is that clear bgp neighbor is a sufficiently rare command and
 would not be used in automation/scripts, so the impact of making
 the neighbor/all argument mandatory would be minimal.  Is this
 assumption accurate?

 Thanks,
  Phil

 [I've set reply-to to myself to avoid impacting the list]

 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



--

Message: 2
Date: Wed, 26 Feb 2014 13:44:42 -0500
From: Phil Shafer p...@juniper.net
To: ryanL ryan.lan...@gmail.com
Cc: Juniper for Network Service Providers
    juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] proposed changes to clear bgp neighbor
Message-ID: 201402261844.s1qiiggl031...@idle.juniper.net
Content-Type: text/plain

ryanL writes:
it's a nice-to-have, maybe? but this sounds more like an opportunity for
you to sell some JNCIA courses. i mean, how long has junos been around now?

Not selling anything; just trying to solve a problem multiple
customers have reported and escalated.  I'm a software developer,
working on the UI code (CLI, MGD, configuration, XML API, scripting)
for 17+ years.

JUNOS 3.0 (the first release with the ui code) shipped during the
summer of 1998, IIRC.

Thanks,
Phil



--

Message: 3
Date: Wed, 26 Feb 2014 14:24:21 -0500
From: Eric Van Tol e...@atlantech.net
To: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] proposed changes to clear bgp neighbor
Message-ID:
    2C05E949E19A9146AF7BDF9D44085B865F70CC1FB1@exchange.aoihq.local
Content-Type: text/plain; charset=us-ascii

 it's a nice-to-have, maybe? but this sounds more like an opportunity for
 you to sell some JNCIA courses. i mean, how long has junos been around
 now?

Confusing comment, since this enhancement isn't about CLI inexperience.  It 
doesn't matter how long Junos has been around or how experienced someone is, 
it's still too incredibly easy to hit 'Enter' too soon and clear all your BGP 
neighbors by accident.

I don't see a problem with adding the requirement 'all'.

-evt



--

Message: 4
Date: Wed, 26 Feb 2014 13:29:18 -0600
From: Jerry Dent effinjd...@gmail.com
To: 

Re: [j-nsp] sshd log messages !!

2014-02-26 Thread Dermot Williams
On Wed, Feb 26, 2014 at 02:21:46PM -0800, Harri Makela wrote:
 Hi There
 
 I am constantly getting these log messages for last few days:-
 
 sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2
 sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank 
 you for playing
 
 
 Are these indicating any brute-force attack? Thanks
 HM

Most likely, yes.

Dermot

 
 
 
 
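Harri's question above and Dermot's answer: lines like the two quoted are the usual signature of a password-guessing bot, and the practical check is to group failed logins by source address rather than read them one at a time. The following triage script is an added example, not code from the thread; the log sample is constructed in the shape of the two quoted lines, with made-up hostname, timestamps and addresses from documentation ranges.

```python
"""Brute-force triage for sshd 'Failed password' lines like the ones quoted in
the thread. Added example, not code from the thread: failures are grouped by
source address, and a source is flagged when it crosses a failure threshold
or tries more than one username (an operator mistyping a password does neither)."""
import re
from collections import defaultdict

# 'Failed password' as sshd logs it, with or without a syslog prefix;
# 'invalid user' is present when the username does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)

def parse_failures(lines):
    """Yield (source, username) for each failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m["src"], m["user"]

def summarize(lines, threshold=5):
    """Per-source failure count, usernames tried and a brute_force verdict."""
    failures, users = defaultdict(int), defaultdict(set)
    for src, user in parse_failures(lines):
        failures[src] += 1
        users[src].add(user)
    return {
        src: {
            "failures": failures[src],
            "users": sorted(users[src]),
            "brute_force": failures[src] >= threshold or len(users[src]) > 1,
        }
        for src in failures
    }

def flagged_sources(lines, threshold=5):
    """Sorted sources the summary flags: candidates for a deny term or deny-sources."""
    return sorted(s for s, r in summarize(lines, threshold).items() if r["brute_force"])

# Constructed sample in the shape of the two quoted lines; hostname, timestamps
# and addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
Feb 26 14:05:01 j6350 sshd[21015]: Failed password for root from 203.0.113.7 port 21067 ssh2
Feb 26 14:05:01 j6350 sshd[21016]: Received disconnect from 203.0.113.7: 11: Normal Shutdown, Thank you for playing
Feb 26 14:05:04 j6350 sshd[21020]: Failed password for root from 203.0.113.7 port 21102 ssh2
Feb 26 14:05:07 j6350 sshd[21024]: Failed password for invalid user admin from 203.0.113.7 port 21130 ssh2
Feb 26 14:05:10 j6350 sshd[21028]: Failed password for invalid user oracle from 203.0.113.7 port 21171 ssh2
Feb 26 14:09:42 j6350 sshd[21101]: Failed password for netops from 198.51.100.7 port 51234 ssh2
Feb 26 14:09:49 j6350 sshd[21101]: Accepted publickey for netops from 198.51.100.7 port 51234 ssh2
"""

if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15s} failures={r['failures']} users={r['users']} brute_force={r['brute_force']}")
```

In the sample the bot at 203.0.113.7 is flagged on the username spread alone (root, then non-existent accounts), before it reaches the failure threshold; the operator at 198.51.100.7 with a single typo is not. The flagged list is what you would feed into the lo0 filter's deny term or into `set system login deny-sources`, and any successful login for root from a flagged source is the line to escalate on, since `root-login deny` should make that impossible.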

Re: [j-nsp] sshd log messages !!

2014-02-26 Thread Rodrigo Augusto
Protect your RE. Put a filter on your loopback and permit only your networks to 
access this port (22).


Sent from my iPhone
Grupo Connectoway

 On 26/02/2014, at 19:21, Harri Makela harri_mak...@yahoo.com wrote:
 
 Hi There
 
 I am constantly getting these log messages for last few days:-
 
 sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2
 sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank 
 you for playing
 
 
 Are these indicating any brute-force attack? Thanks
 HM
 
 
 
 

Re: [j-nsp] sshd log messages !!

2014-02-26 Thread Ben Dale
If you're stuck with password-based login (rather than SSH keys), leave 
yourself one go at missing your password, then increase the backoff-factor up 
to 10 to put a 10-second wait for guess number 3:

set system services ssh root-login deny
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10

It won't stop a bot, but it will slow it down a bit.

Phil - while you're at it with Junos enhancements - any chance of giving us a

set system services ssh port 1024-65535

Yes it's security through obscurity, but it's also low hanging fruit..

Failing that, there is a:

set system login deny-sources

maybe an allow-sources might be a bit more useful in this instance?  Less 
sophisticated users tend to shoot themselves in the foot with firewall filters 
quite regularly.

Ben

On 27 Feb 2014, at 8:21 am, Harri Makela harri_mak...@yahoo.com wrote:

 Hi There
 
 I am constantly getting these log messages for last few days:-
 
 sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2
 sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank 
 you for playing
 
 
 Are these indicating any brute-force attack? Thanks
 HM
 
 
 
 