[j-nsp] sshd log messages !!
Ben Dale
bdale at comlinx.com.au
Thu Feb 27 00:57:20 EST 2014
If you're stuck with password-based login (rather than SSH keys), leave yourself one go at missing your password, then increase the backoff-factor up to 10 to put a 10-second wait for guess number 3:
set system services ssh root-login deny
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10
It won't stop a bot, but it will slow it down a bit.
Phil - while you're at it with Junos enhancements - any chance of giving us a
set system services ssh port <1024-65535>
Yes, it's security through obscurity, but it's also low-hanging fruit.
Failing that, there is a:
set system login deny-sources
Maybe an "allow-sources" might be a bit more useful in this instance? Less sophisticated users tend to shoot themselves in the foot with firewall filters quite regularly.
Ben
On 27 Feb 2014, at 8:21 am, Harri Makela <harri_makela at yahoo.com> wrote:
> Hi There
>
> I am constantly getting these log messages for the last few days:
>
> sshd[21015]: Failed password for root from X.X.103.152 port 21067 ssh2
> sshd[21016]: Received disconnect from X.X.103.152: 11: Normal Shutdown, Thank you for playing
>
>
> Are these indicating any brute-force attack? Thanks
> HM
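Detection logic for the log pattern in the quoted question, as an added example that is not part of the original thread: it counts sshd "Failed password" lines per source address inside a sliding time window and reports the usernames each flagged source tried. The sample lines, the documentation-range addresses, the hostname `re0`, the threshold and the window are constructed assumptions, and the parser expects the standard syslog timestamp and hostname prefix that the quoted excerpt omits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines, including the "invalid user" variant.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample input (not taken from the thread).
SAMPLE_LOG = """\
Feb 26 21:15:01 re0 sshd[21015]: Failed password for root from 192.0.2.152 port 21067 ssh2
Feb 26 21:15:01 re0 sshd[21016]: Received disconnect from 192.0.2.152: 11: Normal Shutdown, Thank you for playing
Feb 26 21:15:04 re0 sshd[21020]: Failed password for root from 192.0.2.152 port 21101 ssh2
Feb 26 21:15:07 re0 sshd[21024]: Failed password for invalid user admin from 192.0.2.152 port 21140 ssh2
Feb 26 21:15:09 re0 sshd[21029]: Failed password for root from 192.0.2.152 port 21188 ssh2
Feb 26 21:15:12 re0 sshd[21033]: Failed password for root from 192.0.2.152 port 21230 ssh2
Feb 26 21:20:40 re0 sshd[21102]: Failed password for ops from 198.51.100.7 port 50412 ssh2
Feb 26 21:21:15 re0 sshd[21110]: Accepted password for ops from 198.51.100.7 port 50420 ssh2
""".splitlines()

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2014):
    """Return {source: sorted usernames tried} for every source with at least
    `threshold` failed passwords inside any sliding `window`."""
    recent = defaultdict(deque)   # source -> failure times still inside the window
    users = defaultdict(set)      # source -> usernames tried
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # disconnects, accepted logins, other daemons
        # Classic syslog timestamps carry no year; one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        users[src].add(m["user"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return {src: sorted(users[src]) for src in flagged}

if __name__ == "__main__":
    for src, tried in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: repeated failed logins for {', '.join(tried)}")
```

A single mistyped password followed by a successful login, as from 198.51.100.7 in the sample, stays below the threshold and is not reported.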