[j-nsp] protect ssh and telnet

Aaron aaron1 at gvtc.com
Fri Apr 15 12:10:37 EDT 2016


Thanks Krasi. Hmmm, this looks very interesting; I want to try it in my lab… Also, please let me know if this will ONLY work for my routing-instance vrf “one” interfaces…


My vrf “one” is where my public/vulnerable ip’s live…


I don’t need to protect my default core vrf, which is all 10.x.x.x, and that domain is behind a mgmt. net firewall boundary.


Aaron


From: Krasimir Avramski [mailto:krasi at smartcom.bg] 
Sent: Friday, April 15, 2016 6:51 AM
To: Aaron <aaron1 at gvtc.com>
Cc: Chris Jones <ipv6freely at gmail.com>; Juniper-Nsp <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] protect ssh and telnet


Hi Aaron,


Below is a commit script which builds a dynamic prefix list (containing local IPv4 addresses) that you could reference in FTF:


krasi# show system scripts commit

allow-transients;

file ifl-addr-v4.slax;


krasi# run file show /var/db/scripts/commit/ifl-addr-v4.slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    /* transient change: regenerated on every commit, never stored in the candidate config */
    <transient-change> {
        <policy-options> {
            <prefix-list replace="replace"> {
                <name> "ifl-addr-v4";
                /* one entry per configured inet address, mask stripped, so each lands as a /32 */
                for-each (interfaces/interface/unit/family/inet/address) {
                    var $address = substring-before(name, "/");
                    <prefix-list-item> {
                        <name> $address;
                    }
                }
            }
        }
    }
}


krasi# show policy-options |display inheritance |display commit-scripts
prefix-list ifl-addr-v4 {
    1.1.1.1/32;
    10.10.111.1/32;
}


krasi# set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30

[edit]
root# commit
commit complete

[edit]
root# show policy-options |display inheritance |display commit-scripts
prefix-list ifl-addr-v4 {
    1.1.1.1/32;
    2.2.2.2/32;
    10.10.111.1/32;
}


Best Regards,

Krasi
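As an added illustration (not code from the thread or from Junos itself), here is a Python model of what the SLAX commit script above computes, reading a configuration in the XML shape that `show configuration | display xml` prints, and extended with the case Aaron asks about: restricting the list to units bound to a named routing instance by reading routing-instances/instance/interface. The XML sample and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in "show configuration | display xml" shape: two units,
# the first bound to routing-instance "one", the second left in the default instance.
SAMPLE_CONFIG = """<configuration>
  <interfaces>
    <interface><name>xe-0/0/0</name>
      <unit><name>0</name><family><inet><address><name>1.1.1.1/30</name></address></inet></family></unit>
    </interface>
    <interface><name>ge-0/0/1</name>
      <unit><name>0</name><family><inet><address><name>10.10.111.1/24</name></address></inet></family></unit>
    </interface>
  </interfaces>
  <routing-instances>
    <instance><name>one</name><interface><name>xe-0/0/0.0</name></interface></instance>
  </routing-instances>
</configuration>"""


def instance_interfaces(root, instance_name):
    """Logical interfaces (ifd.unit) bound to the named routing instance; None means no filter."""
    if instance_name is None:
        return None
    return {i.findtext("name")
            for inst in root.findall("routing-instances/instance")
            if inst.findtext("name") == instance_name
            for i in inst.findall("interface")}


def local_host_prefixes(config_xml, instance_name=None):
    """Same walk as the SLAX for-each: every family inet address on every unit, cut at '/',
    listed as a /32. instance_name is an assumed extension: keep only units in that VRF."""
    root = ET.fromstring(config_xml)
    wanted = instance_interfaces(root, instance_name)
    items = []
    for ifd in root.findall("interfaces/interface"):
        for unit in ifd.findall("unit"):
            ifl = f"{ifd.findtext('name')}.{unit.findtext('name')}"
            if wanted is not None and ifl not in wanted:
                continue  # unit lives in another instance (or the default one)
            for addr in unit.findall("family/inet/address"):
                items.append(addr.findtext("name").split("/")[0] + "/32")
    return items


def prefix_list_config(name, items):
    """Render the equivalent 'set policy-options prefix-list' lines."""
    return [f"set policy-options prefix-list {name} {item}" for item in items]


if __name__ == "__main__":
    print("\n".join(prefix_list_config("ifl-addr-v4", local_host_prefixes(SAMPLE_CONFIG))))
    print("\n".join(prefix_list_config("ifl-addr-v4-one", local_host_prefixes(SAMPLE_CONFIG, "one"))))
```

A filter term would then match with `from destination-prefix-list ifl-addr-v4` instead of the per-address destination-address lines in the protect-5048 filter, so new interface addresses are picked up at commit time.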

 

On 13 April 2016 at 23:43, Aaron <aaron1 at gvtc.com> wrote:

Thanks Chris, but apparently the Juniper ACX5048 is an exception to the lo0 rule… see link

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192



I’ve been able to accomplish protecting telnet/ssh on my ACX5048 like this…



set routing-instances one forwarding-options family inet filter input protect-5048
set firewall family inet filter protect-5048 term 1 from destination-address 1.1.1.1/32
set firewall family inet filter protect-5048 term 1 from protocol tcp
set firewall family inet filter protect-5048 term 1 from destination-port telnet
set firewall family inet filter protect-5048 term 1 from destination-port ssh
set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
set firewall family inet filter protect-5048 term 1 then discard
set firewall family inet filter protect-5048 term 2 then accept



1.1.1.0/24 is a subnet on an interface in vrf “one” on my acx5048…



The only thing is that I will need to make it a policy with my colleagues that if/when we churn public address space or add new interfaces on our acx5048’s, part of the process will be to add a line to our firewall acl…



set firewall family inet filter protect-5048 term 1 from destination-address 1.1.2.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.1.3.1/32
etc



QUESTION – does anyone know how to make this firewall acl or include a condition or policy somehow to apply the firewall policy to ONLY LOCAL ROUTES (/32’s)? That would be nice, so that I would never have to add/subtract specific ip addresses in this firewall policy.



Aaron


From: Chris Jones [mailto:ipv6freely at gmail.com]
Sent: Wednesday, April 13, 2016 10:05 AM
To: Aaron <aaron1 at gvtc.com>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] protect ssh and telnet



To answer OP's actual question:



What you're looking for is an RE filter, applied to lo0. For a great resource explaining them, some best practices, etc., check out Doug Hanks' Day One book: http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/



On Tue, Mar 29, 2016 at 10:26 PM, Aaron <aaron1 at gvtc.com> wrote:

I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces
on my juniper ACX5048's.



In Cisco you can protect the virtual interface (vty) with an acl
(access-class) so that any remote login attempts (ssh or telnet) are
protected.



How do I protect ssh and telnet globally in Junos? I only want to allow
ssh and telnet from certain trusted management subnets.



Aaron

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


--

Chris Jones
JNCIE-ENT #272
CCIE# 25655 (R&S)

