[j-nsp] SSH - Firewall Filter - MX80
OBrien, Will
ObrienH at missouri.edu
Tue Jun 4 23:38:03 EDT 2013
This got me a little curious.
Most likely someone is using a crappy client that behaves oddly (or used malformed headers on purpose) - and just aren't matching the tcp port combo. I'm not a fan of the way that the stateless firewall filters are written.
A simple fix may be to not specify tcp, but just the ports you want to control. (I've used ssh over UDP before, it's somewhat hilarious.)
This is valid:
from {
destination-port ssh;
}
then {
discard;
}
I believe that a safer method is to allow traffic from your trusted networks, allow protocols that you need and NOT put the default accept on the end. I do this and haven't seen any goofy traffic. Unwanted traffic is dropped right away unless you're looking for a ping or something. There's really no need for unknowns to talk to your RE. Ever.
Will
On Jun 4, 2013, at 9:49 PM, Samol <molasian at gmail.com> wrote:
> Dear All,
>
> We are having problems with filtering ssh access to our MX80 box. Many
> thanks in advance for your assistance.
>
> The problem is kind of weird. There are a few random IP addresses, which
> should be blocked by the firewall filter, that have established ssh
> connections to our MX80, while most other IPs (our test IPs) from the
> Internet trying to ssh are silently dropped (no log) by this firewall
> filter on the loopback 0 interface.
>
>
> show configuration firewall family inet filter limit-mgmt-access
> term permit-ssh-ssl {
> from {
> source-address {
> E.F.G.H/20;
> }
> protocol tcp;
> destination-port [ ssh http https telnet ];
> }
> then accept;
> }
> term deny-all-other-ssl-ssh {
> from {
> protocol tcp;
> destination-port [ ssh http https telnet ];
> }
> then {
> discard;
> }
> }
> term default {
> then accept;
> }
>
> -------------------------------
>
> show configuration interfaces lo0
> unit 0 {
> family inet {
> filter {
> input limit-mgmt-access;
> }
> address W.X.Y.Z/32 {
> primary;
> preferred;
> }
> }
> }
>
> --------------------------------------
>
> Jun 4 14:48:53 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'nagios'
> from host 'A.B.C.D'
> Jun 4 14:48:53 R1 sshd[77836]: Failed password for nagios from A.B.C.D
> port 37231 ssh2
> Jun 4 14:48:54 R1 sshd[77837]: Received disconnect from A.B.C.D: 11: Bye
> Bye
> Jun 4 14:48:54 R1 inetd[1224]: /usr/sbin/sshd[77836]: exited, status 255
> Jun 4 14:48:57 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user
> 'student' from host 'A.B.C.D'
> Jun 4 14:49:06 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'tom'
> from host 'A.B.C.D'
> Jun 4 14:49:06 R1 sshd[77844]: Failed password for tom from A.B.C.D port
> 38247 ssh2
> Jun 4 14:49:07 R1 sshd[77845]: Received disconnect from A.B.C.D: 11: Bye
> Bye
> Jun 4 14:49:07 R1 inetd[1224]: /usr/sbin/sshd[77844]: exited, status 255
> Jun 4 14:49:10 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'public'
> from host 'A.B.C.D'
> Jun 4 14:49:10 R1 sshd[77846]: Failed password for public from A.B.C.D
> port 38511 ssh2
> Jun 4 14:49:10 R1 sshd[77847]: Received disconnect from A.B.C.D: 11: Bye
> Bye
> Jun 4 14:49:10 R1 inetd[1224]: /usr/sbin/sshd[77846]: exited, status 255
>
> Regards,
> Samol
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
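Added example, not from either poster: a small Python model of how a Junos-style stateless filter evaluates Samol's posted terms against a few constructed packets, next to Will's port-only deny term and his preferred shape with no default accept. It assumes terms are evaluated in order, the first match wins, and a packet matching no term hits the implicit discard; the port match is modelled independently of the protocol match, which is what the `destination-port ssh` term without `protocol tcp` relies on. 198.51.100.0/24 and 203.0.113.9 are constructed stand-ins for E.F.G.H/20 and an untrusted Internet host; the packets and the `permit-icmp` term are likewise constructed.

```python
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("198.51.100.0/24")   # constructed stand-in for E.F.G.H/20
MGMT_PORTS = {22, 80, 443, 23}            # [ ssh http https telnet ]


def term(name, action, src=None, proto=None, dport=None):
    """One filter term; None means no match condition on that field."""
    return {"name": name, "action": action, "src": src, "proto": proto, "dport": dport}


def packet(src, proto, dport=None):
    """Constructed packet summary: source IP, IP protocol name, L4 destination port."""
    return {"src": ip_address(src), "proto": proto, "dport": dport}


def matches(t, pkt):
    """True when every condition present in the term is satisfied by the packet."""
    if t["src"] is not None and pkt["src"] not in t["src"]:
        return False
    if t["proto"] is not None and pkt["proto"] != t["proto"]:
        return False
    # Port is checked on its own, not only when the protocol is tcp.
    if t["dport"] is not None and pkt["dport"] not in t["dport"]:
        return False
    return True


def evaluate(filt, pkt):
    """First matching term decides; no match means the implicit discard."""
    for t in filt:
        if matches(t, pkt):
            return t["name"], t["action"]
    return "implicit", "discard"


# 1. Samol's posted filter, transcribed: deny term needs protocol tcp AND a mgmt port.
POSTED = [
    term("permit-ssh-ssl", "accept", src=TRUSTED, proto="tcp", dport=MGMT_PORTS),
    term("deny-all-other-ssl-ssh", "discard", proto="tcp", dport=MGMT_PORTS),
    term("default", "accept"),
]

# 2. Will's quick fix: the deny term matches on port alone.
PORT_ONLY = [
    term("permit-ssh-ssl", "accept", src=TRUSTED, proto="tcp", dport=MGMT_PORTS),
    term("deny-all-other-ssl-ssh", "discard", dport=MGMT_PORTS),
    term("default", "accept"),
]

# 3. Will's preferred shape: permit trusted management plus what you need, no default accept.
DEFAULT_DENY = [
    term("permit-trusted-mgmt", "accept", src=TRUSTED, proto="tcp", dport=MGMT_PORTS),
    term("permit-icmp", "accept", proto="icmp"),   # constructed: "unless you're looking for a ping"
]

FILTERS = {"posted": POSTED, "port-only": PORT_ONLY, "default-deny": DEFAULT_DENY}

# Constructed packets toward the RE.
SAMPLES = {
    "trusted tcp/22":    packet("198.51.100.7", "tcp", 22),
    "untrusted tcp/22":  packet("203.0.113.9", "tcp", 22),
    "untrusted udp/22":  packet("203.0.113.9", "udp", 22),
    "untrusted icmp":    packet("203.0.113.9", "icmp"),
    "untrusted tcp/179": packet("203.0.113.9", "tcp", 179),
}


def compare(filters=FILTERS, samples=SAMPLES):
    """Return {sample: {filter: (term, action)}} for every sample against every filter."""
    return {s: {f: evaluate(filt, pkt) for f, filt in filters.items()}
            for s, pkt in samples.items()}


if __name__ == "__main__":
    for sample, row in compare().items():
        cells = ", ".join(f"{f}={t}/{a}" for f, (t, a) in row.items())
        print(f"{sample:18} {cells}")
```

The untrusted udp/22 row is the one to look at: under the posted filter it misses both management terms (wrong source for the first, wrong protocol for the second) and lands on `default accept`; Will's port-only deny term catches it; the default-deny shape drops it without needing a deny term at all. The untrusted tcp/179 row shows the cost of that shape: anything the router must receive (routing protocol sessions, in this constructed case) needs its own permit term, which is what Will means by "allow protocols that you need".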