[j-nsp] sshd log messages !!

Alex Arseniev arseniev at btinternet.com
Thu Feb 27 11:52:04 EST 2014


The filter the OP posted
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
set firewall family inet filter Access term AllowSSH from protocol tcp
set firewall family inet filter Access term AllowSSH from port ssh
set firewall family inet filter Access term AllowSSH then accept

- matches the following combo:

( { X.X.X.X/16 source, any destination } OR { any source, X.X.X.X/16 destination } )
AND
( { any src.tcp.port, 22 } OR { 22, any dst.tcp.port } )

Which means that if X.X.X.X/16 includes any local IP address, then any 
host on the internet can send SSH packets to this router.
Hope this makes sense.
HTH
Thanks
Alex

On 27/02/2014 15:10, Andrew Tutten wrote:
> Alex,
>
> Can you elaborate on a situation where if you have part of your source 
> address filter on your interface why it won't stop attacks? Is it if 
> SSH traffic is passing through that interface to get to the router? I 
> have had problems with still seeing logins from addresses outside the 
> filter on mine.
>
> Thanks.
>
>
> On Thu, Feb 27, 2014 at 7:44 AM, Alex Arseniev 
> <arseniev at btinternet.com> wrote:
>
>     set firewall family inet filter Access term AllowSSH from address
>     X.X.X.X/16
>
>     If X.X.X.X/16 includes any interface address of this router, then
>     this filter is NOT going to stop attacks, no matter where applied.
>
>     You should be much more specific in writing the match conditions.
>     Below is an example:
>
>     ######## X.X.X.X/16 is the trusted hosts IP block, allowed to SSH
>     _TO_ this router
>     set firewall family inet filter Access term AllowInboundSSH from
>     source-address X.X.X.X/16
>     set firewall family inet filter Access term AllowInboundSSH from
>     protocol tcp
>     set firewall family inet filter Access term AllowInboundSSH from
>     destination-port ssh
>     set firewall family inet filter Access term AllowInboundSSH then
>     accept
>
>     ######## Y.Y.Y.Y/16 is another trusted hosts IP block, allowed
>     to be SSHed to _FROM_ this router
>     set firewall family inet filter Access term AllowOutboundSSHReturn
>     from source-address Y.Y.Y.Y/16
>     set firewall family inet filter Access term AllowOutboundSSHReturn
>     from protocol tcp
>     set firewall family inet filter Access term AllowOutboundSSHReturn
>     from tcp-established
>     set firewall family inet filter Access term AllowOutboundSSHReturn
>     from source-port ssh
>     set firewall family inet filter Access term AllowOutboundSSHReturn
>     then accept
>
>     HTH
>     Thanks
>     Alex
>
>
>     On 27/02/2014 12:13, Harri Makela wrote:
>
>         Model: j6350
>         JUNOS Software Release [10.4R4.5]
>
>         Following is the current configuration that we have for ssh:-
>
>
>         set system login user xxx authentication ssh-rsa "ssh-rsa AAAAB"
>         set system services ssh
>         set security ssh-known-hosts host 10.x.x.x rsa-key
>         set security ssh-known-hosts host 10.x.x.x rsa-key
>         set firewall family inet filter Access term AllowSSH from port ssh
>         set firewall family inet filter Access term DenySSH from port ssh
>
>         Following firewall filter is in place:-
>
>         set interfaces ge-0/0/1 unit 0 family inet filter input Access
>         set firewall family inet filter Access term AllowSSH from
>         address X.X.X.X/16
>         set firewall family inet filter Access term AllowSSH from
>         address X.X.X.X/16
>         set firewall family inet filter Access term AllowSSH from
>         address X.X.X.X/16
>         set firewall family inet filter Access term AllowSSH from
>         address X.X.X.X/16
>         set firewall family inet filter Access term AllowSSH from
>         protocol tcp
>         set firewall family inet filter Access term AllowSSH from port ssh
>         set firewall family inet filter Access term AllowSSH then accept
>         set firewall family inet filter Access term DenySSH from
>         protocol tcp
>         set firewall family inet filter Access term DenySSH from port ssh
>         set firewall family inet filter Access term DenySSH then reject
>         set firewall family inet filter Access term default-term then
>         accept
>
>         I am now going to add loopback address as well:-
>
>         set interfaces lo0 unit 0 family inet filter input Access
>
>         Important thing is that all these alerts started when we
>         applied the filter, maybe something is wrong with the
>         configuration that we have applied.
>
>
>         Following is the vulnerability that we wanted to address:-
>
>         http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612
>
>         Thanks all for your detailed response.
>
>
>
>
>         On Thursday, 27 February 2014, 7:11, Mark Tinka
>         <mark.tinka at seacom.mu> wrote:
>           On Thursday, February 27, 2014 01:14:26 AM Rodrigo Augusto
>
>         wrote:
>
>             Protect your RE. Put a filter on your loopback and permit
>             only your networks to access this port (22).
>
>         Yep.
>
>         You really shouldn't let your SSH daemon have easy access to
>         the world.
>
>         Mark.
>         _______________________________________________
>         juniper-nsp mailing list juniper-nsp at puck.nether.net
>         https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
>
>
>
> -- 
> Andrew Tutten
> Senior Network Engineer
> API Digital Communications Group
>

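The point of the thread is that the direction-agnostic Junos match conditions `from address` and `from port` each match either end of the packet, so the OP's AllowSSH term accepts an SSH SYN from anywhere as long as the router's own address falls inside X.X.X.X/16. The following is an added example (not code from the thread, the poster, or Juniper) that models those match semantics in Python and evaluates a few constructed packets against both the OP's filter and Alex's replacement terms. The prefixes (10.1.0.0/16 for X, 10.2.0.0/16 for Y, 10.1.0.1 as the router address), the sample packets, and the DenySSH/default tail appended to the strict filter are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed prefixes (the thread only shows X.X.X.X/16 and Y.Y.Y.Y/16).
TRUSTED_X = "10.1.0.0/16"   # hosts allowed to SSH *to* the router; also contains the router's own address
OUTBOUND_Y = "10.2.0.0/16"  # hosts the router is allowed to SSH *to*
ROUTER_IP = "10.1.0.1"      # assumed interface/loopback address of the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Term:
    """One `set firewall family inet filter ... term` with the match conditions used in the thread."""
    name: str
    action: str                              # "accept" or "reject"
    address: Optional[str] = None            # `from address`: prefix matches source OR destination IP
    source_address: Optional[str] = None     # `from source-address`: source IP only
    protocol: Optional[str] = None           # `from protocol`
    port: Optional[int] = None               # `from port`: matches source OR destination port
    source_port: Optional[int] = None        # `from source-port`
    destination_port: Optional[int] = None   # `from destination-port`
    tcp_established: bool = False            # `from tcp-established`: ACK or RST flag set

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        checks = [
            self.address is None
            or src in ipaddress.ip_network(self.address)
            or dst in ipaddress.ip_network(self.address),
            self.source_address is None or src in ipaddress.ip_network(self.source_address),
            self.protocol is None or p.proto == self.protocol,
            self.port is None or self.port in (p.sport, p.dport),
            self.source_port is None or p.sport == self.source_port,
            self.destination_port is None or p.dport == self.destination_port,
            not self.tcp_established or bool(p.flags & {"ACK", "RST"}),
        ]
        return all(checks)


def evaluate(terms: List[Term], p: Packet) -> Tuple[str, str]:
    """Terms are tried in order; the first match decides. Junos discards if nothing matches."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return "implicit", "discard"


# The OP's filter: `address` and `port` match either direction.
LOOSE = [
    Term("AllowSSH", "accept", address=TRUSTED_X, protocol="tcp", port=22),
    Term("DenySSH", "reject", protocol="tcp", port=22),
    Term("default-term", "accept"),
]

# Alex's two replacement terms, followed (assumption) by the same DenySSH/default tail as the OP's filter.
STRICT = [
    Term("AllowInboundSSH", "accept", source_address=TRUSTED_X, protocol="tcp", destination_port=22),
    Term("AllowOutboundSSHReturn", "accept", source_address=OUTBOUND_Y, protocol="tcp",
         tcp_established=True, source_port=22),
    Term("DenySSH", "reject", protocol="tcp", port=22),
    Term("default-term", "accept"),
]

# Constructed traffic samples, all arriving at the router.
INTERNET_TO_ROUTER_SSH = Packet("203.0.113.5", ROUTER_IP, 51000, 22, flags=frozenset({"SYN"}))
TRUSTED_TO_ROUTER_SSH = Packet("10.1.5.9", ROUTER_IP, 51001, 22, flags=frozenset({"SYN"}))
Y_REPLY_TO_ROUTER = Packet("10.2.3.4", ROUTER_IP, 22, 45000, flags=frozenset({"ACK"}))   # reply to router-initiated SSH
Y_TO_ROUTER_SSH = Packet("10.2.3.4", ROUTER_IP, 51002, 22, flags=frozenset({"SYN"}))     # Y host trying to log in

SAMPLES = {
    "internet host -> router:22": INTERNET_TO_ROUTER_SSH,
    "trusted X host -> router:22": TRUSTED_TO_ROUTER_SSH,
    "Y host:22 -> router (ACK, return traffic)": Y_REPLY_TO_ROUTER,
    "Y host -> router:22 (SYN)": Y_TO_ROUTER_SSH,
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:45s} loose={evaluate(LOOSE, pkt)}  strict={evaluate(STRICT, pkt)}")
```

Running it shows the failure Alex describes: the SYN from 203.0.113.5 is accepted by the OP's AllowSSH term because the router's own 10.1.0.1 satisfies `from address` and the destination port satisfies `from port`, whereas the strict filter only accepts it if the source is inside X, and only passes port-22 sourced packets from Y when they carry ACK or RST (i.e. return traffic of a session the router opened).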

