[j-nsp] SSH access and not working firewall policy
George Carey
george at montco.net
Sun Aug 12 18:25:09 EDT 2012
On Aug 12, 2012, at 3:07 PM, Robert Hass <robhass at gmail.com> wrote:
> Hi
>
> I have Juniper running 10.4R7 with RE filter applied to lo.0 but I
> still see bruteforce attacks to my SSH in log messages.
>
> I tested the policy from hosts not in the MGMT ACL - I cannot connect
> to SSH, so how can these attackers connect to my SSH?
> Any hints? Maybe I also have to filter more ports?
>
> Rob
>
> My configuration:
>
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             primary;
>             filter {
>                 input RE;
>             }
>             address 10.0.0.1/32;
>         }
>     }
> }
> policy-options {
>     prefix-list MGMT {
>         10.3.0.0/24;
>         10.4.0.0/24;
>     }
> }
> filter RE {
>     term cli_permit {
>         from {
>             prefix-list {
>                 MGMT;
>             }
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_permit;
>             accept;
>         }
>     }
>     term cli_deny {
>         from {
>             protocol tcp;
>             destination-port [ telnet ssh ];
>         }
>         then {
>             count cli_deny;
>             log;
>             discard;
>         }
>     }
>     term default_action {
>         then accept;
>     }
> }
For some reason (have to admit I forget exactly why) I ended up doing it this way on 9.6, not sure if it is helpful for 10.4 or not.
filter protect-router {
    term 10-ssh {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                trusted-networks except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
}
George Carey
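As an added illustration (not from either poster), the following Python models how Junos evaluates the two filters above on constructed packets: terms are tried first-match, a `source-prefix-list ... except` term matches any source that is NOT in the list, and a filter with no matching term falls through to the implicit discard at its end. The trusted prefixes reuse Rob's MGMT networks; the 203.0.113.x source address is a constructed example.

```python
"""Model Junos stateless firewall filter evaluation for the two filters in this thread.

Added example, not the posters' code. Prefix values reuse Rob's MGMT list;
the untrusted source below is a constructed documentation address.
"""
import ipaddress

# Rob's MGMT prefix-list (George's "trusted-networks" is assumed to hold the same prefixes).
TRUSTED = [ipaddress.ip_network(p) for p in ("10.3.0.0/24", "10.4.0.0/24")]

SSH, TELNET = 22, 23


def in_prefix_list(src, prefixes):
    """True if the source address falls inside any prefix of the list."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


# Each term: (name, match(src, proto, dport) -> bool, action). Order matters: first match wins.
ROB_RE_FILTER = [
    ("cli_permit",
     lambda s, p, d: in_prefix_list(s, TRUSTED) and p == "tcp" and d in (SSH, TELNET),
     "accept"),
    ("cli_deny",
     lambda s, p, d: p == "tcp" and d in (SSH, TELNET),
     "discard"),
    ("default_action", lambda s, p, d: True, "accept"),
]

GEORGE_FILTER = [
    # source-prefix-list { trusted-networks except; } matches sources NOT in the list;
    # the filter as posted shows only this term, so everything else hits the implicit discard.
    ("10-ssh",
     lambda s, p, d: (not in_prefix_list(s, TRUSTED)) and p == "tcp" and d == SSH,
     "discard"),
]


def evaluate(terms, src, proto, dport):
    """Return (term_name, action) for the first matching term, else the implicit discard."""
    for name, match, action in terms:
        if match(src, proto, dport):
            return name, action
    return "<implicit>", "discard"


if __name__ == "__main__":
    for src, dport in (("10.3.0.5", SSH), ("203.0.113.9", SSH), ("203.0.113.9", 179)):
        print(src, dport, "RE:", evaluate(ROB_RE_FILTER, src, "tcp", dport),
              "protect-router:", evaluate(GEORGE_FILTER, src, "tcp", dport))
```

On the router itself, the `count cli_permit` / `count cli_deny` counters (shown with `show firewall filter RE`) are the quickest way to confirm which term the live SSH attempts are actually hitting.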