[j-nsp] SSH - Firewall Filter - MX80

OBrien, Will ObrienH at missouri.edu
Tue Jun 4 23:38:03 EDT 2013


This got me a little curious.

Most likely someone is using a crappy client that behaves oddly (or used malformed headers on purpose) - and just aren't matching the tcp port combo. I'm not a fan of the way that the stateless firewall filters are written.
A simple fix may be to not specify tcp, but just the ports you want to control. (I've used ssh over UDP before, it's somewhat hilarious.)

This is valid:
from {
    destination-port ssh;
}
then {
    discard;
}

I believe that a safer method is to allow traffic from your trusted networks, allow protocols that you need and NOT put the default accept on the end. I do this and haven't seen any goofy traffic. Unwanted traffic is dropped right away unless you're looking for a ping or something. There's really no need for unknowns to talk to your RE. Ever.


Will

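A whitelist-style lo0 filter along the lines Will describes, as an added illustration that is not from this thread or from Juniper: trusted sources and needed protocols are accepted by explicit terms, and the final term discards everything else while counting and logging it so stray hits on the RE show up instead of being silently accepted. The E.F.G.H/20 prefix is the placeholder from Samol's post; the term names and the counter name are made up here.

```junos
firewall {
    family inet {
        filter limit-mgmt-access {
            /* Management (ssh/http/https) only from the trusted prefix */
            term permit-mgmt-from-trusted {
                from {
                    source-address {
                        E.F.G.H/20;   /* placeholder trusted range */
                    }
                    protocol tcp;
                    destination-port [ ssh http https ];
                }
                then accept;
            }
            /* Keep basic reachability checks (ping, traceroute replies) */
            term permit-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Add one explicit term per protocol the box actually needs
               (routing peers, NTP, DNS, SNMP pollers), each with a
               source-address or source-prefix-list, before the last term */
            /* No default accept: unmatched traffic is counted, logged, dropped */
            term deny-everything-else {
                then {
                    count unwanted-to-re;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
```

After commit, `show firewall filter limit-mgmt-access` shows the unwanted-to-re counter climbing and `show firewall log` shows which sources and ports are being dropped, which is the quickest way to find out what a surprise SSH client is really sending.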

On Jun 4, 2013, at 9:49 PM, Samol <molasian at gmail.com> wrote:

> Dear All,
> 
> We are having problems with filtering ssh access to our MX80 box. Many
> thanks in advance for your assistance.
> 
> The problem is kind of weird. There are a few random IP addresses, which
> should be blocked by the firewall filter, that have established ssh
> connections to our MX80, while most other IPs (our tested IPs) from the
> Internet trying to ssh are silently dropped (no log) by this firewall
> filter on the loopback 0 interface.
> 
> 
> show configuration firewall family inet filter limit-mgmt-access
> term permit-ssh-ssl {
>    from {
>        source-address {
>            E.F.G.H/20;
>        }
>        protocol tcp;
>        destination-port [ ssh http https telnet ];
>    }
>    then accept;
> }
> term deny-all-other-ssl-ssh {
>    from {
>        protocol tcp;
>        destination-port [ ssh http https telnet ];
>    }
>    then {
>        discard;
>    }
> }
> term default {
>    then accept;
> }
> 
> -------------------------------
> 
> show configuration interfaces lo0
> unit 0 {
>    family inet {
>        filter {
>            input limit-mgmt-access;
>        }
>        address W.X.Y.Z/32 {
>            primary;
>            preferred;
>        }
>    }
> }
> 
> --------------------------------------
> 
> Jun  4 14:48:53 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'nagios' from host 'A.B.C.D'
> Jun  4 14:48:53  R1 sshd[77836]: Failed password for nagios from A.B.C.D port 37231 ssh2
> Jun  4 14:48:54  R1 sshd[77837]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:48:54  R1 inetd[1224]: /usr/sbin/sshd[77836]: exited, status 255
> Jun  4 14:48:57  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'student' from host 'A.B.C.D'
> Jun  4 14:49:06  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'tom' from host 'A.B.C.D'
> Jun  4 14:49:06  R1 sshd[77844]: Failed password for tom from A.B.C.D port 38247 ssh2
> Jun  4 14:49:07  R1 sshd[77845]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:49:07  R1 inetd[1224]: /usr/sbin/sshd[77844]: exited, status 255
> Jun  4 14:49:10  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'public' from host 'A.B.C.D'
> Jun  4 14:49:10  R1 sshd[77846]: Failed password for public from A.B.C.D port 38511 ssh2
> Jun  4 14:49:10  R1 sshd[77847]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:49:10  R1 inetd[1224]: /usr/sbin/sshd[77846]: exited, status 255
> 
> Regards,
> Samol