[j-nsp] SSH - Firewall Filter - MX80

Gordon Smith gordon at gswsystems.com
Wed Jun 5 01:33:07 EDT 2013


 If you want to only block specific ports, rather than all traffic to 
 the RE, something like this may suit you:

term permit-ssh-ssl {
    from {
        source-address {
            0.0.0.0/0;
            E.F.G.H/20 except;
        }
        protocol tcp;
        destination-port [ ssh telnet ftp http https ];
    }
    then {
        log;
        discard;
    }
}
term default_access {
    then accept;
}


If you don't want to see what you're dropping, omit the log statement.


 Cheers,
 Gordon


 On Wed, 5 Jun 2013 09:49:56 +0700, Samol wrote:
> Dear All,
>
> We are having problems with filtering ssh access to our MX80 box. Many thanks in advance for your assistance.
>
> The problem is kind of weird. There are a few random IP addresses, which should be blocked by the firewall filter, that have established ssh connections to our MX80, while most other IPs (our tested IPs) from the Internet trying to ssh are silently dropped (no log) by this firewall filter on the loopback 0 interface.
>
>
> show configuration firewall family inet filter limit-mgmt-access
> term permit-ssh-ssl {
>     from {
>         source-address {
>             E.F.G.H/20;
>         }
>         protocol tcp;
>         destination-port [ ssh http https telnet ];
>     }
>     then accept;
> }
> term deny-all-other-ssl-ssh {
>     from {
>         protocol tcp;
>         destination-port [ ssh http https telnet ];
>     }
>     then {
>         discard;
>     }
> }
> term default {
>     then accept;
> }
>
> -------------------------------
>
> show configuration interfaces lo0
> unit 0 {
>     family inet {
>         filter {
>             input limit-mgmt-access;
>         }
>         address W.X.Y.Z/32 {
>             primary;
>             preferred;
>         }
>     }
> }
>
> --------------------------------------
>
> Jun  4 14:48:53 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'nagios' from host 'A.B.C.D'
> Jun  4 14:48:53  R1 sshd[77836]: Failed password for nagios from A.B.C.D port 37231 ssh2
> Jun  4 14:48:54  R1 sshd[77837]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:48:54  R1 inetd[1224]: /usr/sbin/sshd[77836]: exited, status 255
> Jun  4 14:48:57  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'student' from host 'A.B.C.D'
> Jun  4 14:49:06  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'tom' from host 'A.B.C.D'
> Jun  4 14:49:06  R1 sshd[77844]: Failed password for tom from A.B.C.D port 38247 ssh2
> Jun  4 14:49:07  R1 sshd[77845]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:49:07  R1 inetd[1224]: /usr/sbin/sshd[77844]: exited, status 255
> Jun  4 14:49:10  R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'public' from host 'A.B.C.D'
> Jun  4 14:49:10  R1 sshd[77846]: Failed password for public from A.B.C.D port 38511 ssh2
> Jun  4 14:49:10  R1 sshd[77847]: Received disconnect from A.B.C.D: 11: Bye Bye
> Jun  4 14:49:10  R1 inetd[1224]: /usr/sbin/sshd[77846]: exited, status 255
>
> Regards,
> Samol
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
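Added illustration, not part of either post and not Junos code: a small Python model of first-match term evaluation (including the longest-prefix `except` rule in `source-address`) applied to Samol's filter and to Gordon's variant. E.F.G.H/20 is stood in by a constructed 203.0.112.0/20, and the source addresses are constructed test values.

```python
"""Model of Junos firewall-filter term evaluation for the two filters in the thread.
Assumptions: E.F.G.H/20 -> constructed 203.0.112.0/20; test addresses are constructed."""
import ipaddress

PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "http": 80, "https": 443}
MGMT_NET = ipaddress.ip_network("203.0.112.0/20")   # stand-in for E.F.G.H/20
ANY = ipaddress.ip_network("0.0.0.0/0")


def source_matches(src, prefixes):
    """Junos source-address semantics: the longest matching prefix decides;
    if that entry carries 'except', the term's source condition fails."""
    best = None
    for net, is_except in prefixes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def evaluate(terms, src, proto, dport):
    """Return (term name, action) of the first term whose 'from' clauses all match.
    A filter with no matching term discards implicitly; both filters here end in accept."""
    src = ipaddress.ip_address(src)
    for name, frm, action in terms:
        if "source-address" in frm and not source_matches(src, frm["source-address"]):
            continue
        if "protocol" in frm and frm["protocol"] != proto:
            continue
        if "destination-port" in frm and dport not in frm["destination-port"]:
            continue
        return name, action
    return None, "discard"


MGMT_PORTS = {PORTS[p] for p in ("ssh", "http", "https", "telnet")}
# Samol's filter: permit the management /20, discard every other source on those ports.
SAMOL = [
    ("permit-ssh-ssl", {"source-address": [(MGMT_NET, False)], "protocol": "tcp",
                        "destination-port": MGMT_PORTS}, "accept"),
    ("deny-all-other-ssl-ssh", {"protocol": "tcp", "destination-port": MGMT_PORTS}, "discard"),
    ("default", {}, "accept"),
]
# Gordon's variant: one term matching everyone except the /20, which logs and discards.
GORDON = [
    ("permit-ssh-ssl", {"source-address": [(ANY, False), (MGMT_NET, True)], "protocol": "tcp",
                        "destination-port": MGMT_PORTS | {PORTS["ftp"]}}, "discard"),
    ("default_access", {}, "accept"),
]
```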


