[j-nsp] sshd log messages !!

Alex Arseniev arseniev at btinternet.com
Thu Feb 27 08:44:10 EST 2014


set firewall family inet filter Access term AllowSSH from address X.X.X.X/16

If X.X.X.X/16 includes any interface address of this router, then this 
filter is NOT going to stop attacks, no matter where applied.

You should be much more specific in writing the match conditions. Below 
is an example:

######## X.X.X.X/16 is the trusted hosts IP block, allowed to SSH _TO_ 
this router
set firewall family inet filter Access term AllowInboundSSH from 
source-address X.X.X.X/16
set firewall family inet filter Access term AllowInboundSSH from 
protocol tcp
set firewall family inet filter Access term AllowInboundSSH from 
destination-port ssh
set firewall family inet filter Access term AllowInboundSSH then accept

######## Y.Y.Y.Y/16 is the another trusted hosts IP block, allowed to be 
SSHed to _FROM_ this router
set firewall family inet filter Access term AllowOutboundSSHReturn from 
source-address Y.Y.Y.Y/16
set firewall family inet filter Access term AllowOutboundSSHReturn from 
protocol tcp
set firewall family inet filter Access term AllowOutboundSSHReturn from 
tcp-established
set firewall family inet filter Access term AllowOutboundSSHReturn from 
source-port ssh
set firewall family inet filter Access term AllowOutboundSSHReturn then 
accept

HTH
Thanks
Alex

On 27/02/2014 12:13, Harri Makela wrote:
> Model: j6350
> JUNOS Software Release [10.4R4.5]
>
> Following is the current configuration that we have for ssh:-
>
>
> set system login user xxx authentication ssh-rsa "ssh-rsa AAAAB"
> set system services ssh
> set security ssh-known-hosts host 10.x.x.x rsa-key
> set security ssh-known-hosts host 10.x.x.x rsa-key
> set firewall family inet filter Access term AllowSSH from port ssh
> set firewall family inet filter Access term DenySSH from port ssh
>
> Following firewall filter is in place:-
>
> set interfaces ge-0/0/1 unit 0 family inet filter input Access
> set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
> set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
> set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
> set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
> set firewall family inet filter Access term AllowSSH from protocol tcp
> set firewall family inet filter Access term AllowSSH from port ssh
> set firewall family inet filter Access term AllowSSH then accept
> set firewall family inet filter Access term DenySSH from protocol tcp
> set firewall family inet filter Access term DenySSH from port ssh
> set firewall family inet filter Access term DenySSH then reject
> set firewall family inet filter Access term default-term then accept
>
> I am now going to add loopback address as well:-
>
> set interfaces lo0 unit 0 family inet filter input Access
>
> Important thing is that all these alerst started when we applied the filter, may be something wrong with the ocnfiguration that we have applied.
>
>
> Following is the vulnerability that we wanted to address:-
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612
>
> Thanks all for your detailed response.
>
>
>
>
> On Thursday, 27 February 2014, 7:11, Mark Tinka <mark.tinka at seacom.mu> wrote:
>   
> On Thursday, February 27, 2014 01:14:26 AM Rodrigo Augusto
>
> wrote:
>
>> Protect your RE. Put a filter on your loopback and permit
>> only your netwoks to access this port(22).
> Yep.
>
> You really shouldn't let your SSH daemon have easy access to
> the world.
>
> Mark.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list