[j-nsp] SSH access and not working firewall policy

George Carey george at montco.net
Sun Aug 12 18:25:09 EDT 2012


On Aug 12, 2012, at 3:07 PM, Robert Hass <robhass at gmail.com> wrote:

> Hi
> 
> I have Juniper running 10.4R7 with RE filter applied to lo.0 but I
> still see bruteforce attacks to my SSH in log messages.
> 
> I tested the policy from hosts not in the MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
> 
> Rob
> 
> My configuration:
> 
> lo0 {
>    unit 0 {
>        family inet {
>            no-redirects;
>            primary;
>            filter {
>                input RE;
>            }
>            address 10.0.0.1/32;
>        }
>    }
> }
> policy-options {
>    prefix-list MGMT {
>        10.3.0.0/24;
>        10.4.0.0/24;
>    }
> }
> filter RE {
>    term cli_permit {
>        from {
>            prefix-list {
>                MGMT;
>            }
>            protocol tcp;
>            destination-port [ telnet ssh ];
>        }
>        then {
>            count cli_permit;
>            accept;
>        }
>    }
>    term cli_deny {
>        from {
>            protocol tcp;
>            destination-port [ telnet ssh ];
>        }
>        then {
>            count cli_deny;
>            log;
>            discard;
>        }
>    }
>    term default_action {
>        then accept;
>    }
> }


For some reason (have to admit I forget exactly why) I ended up doing it this way on 9.6, not sure if it is helpful for 10.4 or not.

filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}

George Carey
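An added illustration, not part of either message: a small Python model of the Junos match conditions the two filters use. In Junos a bare `prefix-list` condition is satisfied by the source or the destination address (like `address`), whereas `source-prefix-list` checks the source only, and a trailing `except` negates the list. The model evaluates Rob's `RE` filter as posted, the same filter keyed on `source-prefix-list`, and George's single `10-ssh` term; all addresses and the contents of `trusted-networks` are constructed.

```python
import ipaddress

# Constructed prefix-list contents; not the real networks from either message.
PREFIX_LISTS = {
    "MGMT": ["10.3.0.0/24", "10.4.0.0/24"],
    "trusted-networks": ["192.0.2.0/24"],
}

def in_list(addr, name):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p)
               for p in PREFIX_LISTS[name])

def term_matches(match, pkt):
    """Subset of Junos match conditions used on this page. 'prefix-list' is
    satisfied by the SOURCE OR the DESTINATION address (like 'address');
    'source-prefix-list' by the source only; a trailing 'except' negates."""
    for key, value in match.items():
        if key == "protocol" and pkt["proto"] != value:
            return False
        if key == "destination-port" and pkt["dport"] not in value:
            return False
        if key in ("prefix-list", "source-prefix-list"):
            name, _, flag = value.partition(" ")
            hit = in_list(pkt["src"], name)
            if key == "prefix-list":
                hit = hit or in_list(pkt["dst"], name)
            if (flag == "except") == hit:   # fail when 'except' and listed, or plain and not listed
                return False
    return True

def evaluate(terms, pkt):
    """First matching term wins; a filter with no matching term discards."""
    for name, match, action in terms:
        if term_matches(match, pkt):
            return name, action
    return "implicit", "discard"

def ssh(src, dst):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": 22}

CLI_PORTS = {22, 23}  # [ telnet ssh ]
RE_AS_POSTED = [
    ("cli_permit", {"prefix-list": "MGMT", "protocol": "tcp", "destination-port": CLI_PORTS}, "accept"),
    ("cli_deny", {"protocol": "tcp", "destination-port": CLI_PORTS}, "discard"),
    ("default_action", {}, "accept"),
]
# Same filter, but with the permit term keyed on the source address only.
RE_SOURCE_ONLY = [("cli_permit", {"source-prefix-list": "MGMT", "protocol": "tcp",
                                  "destination-port": CLI_PORTS}, "accept")] + RE_AS_POSTED[1:]
# George's one posted term; 'source-address 0.0.0.0/0' matches everything, so it is omitted here.
PROTECT_ROUTER = [("10-ssh", {"source-prefix-list": "trusted-networks except",
                              "protocol": "tcp", "destination-port": {22}}, "discard")]
```

With the filter as posted, an SSH connection whose destination is an interface address inside MGMT is accepted by `cli_permit` whatever its source; keyed on `source-prefix-list`, the same packet falls through to `cli_deny`.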
