[j-nsp] protect ssh and telnet

Krasimir Avramski krasi at smartcom.bg
Fri Apr 15 12:59:51 EDT 2016


Hi Roberto,

The script is building only /32 "local" prefixes.
Your suggestion is building "direct" prefixes (Cisco "connected" networks),
and when matching at the FTF level (note that it is NOT an lo0 filter), depending
on the filter action, you can achieve "undesired" results.

Best Regards,
Krasi

On 15 April 2016 at 19:39, Roberto Bertó <roberto.berto at gmail.com> wrote:

> What's the difference between your Junos script and this apply-path?
>
> set policy-options prefix-list router-ipv4 apply-path "interfaces <*> unit <*> family inet address <*>"
>
>
> 2016-04-15 13:10 GMT-03:00 Aaron <aaron1 at gvtc.com>:
>
>> Thanks Krasi, Hmmm, this looks very interesting, I want to try it in my
>> lab… also, please let me know if this will ONLY work for my
>> routing-instance vrf “one” interfaces…
>>
>> My vrf “one” is where my public/vulnerable ip’s live…
>>
>> I don’t need to protect my default core vrf which is all 10.x.x.x and
>> that domain is behind a mgmt. net firewall boundary
>>
>> Aaron
>>
>> From: Krasimir Avramski [mailto:krasi at smartcom.bg]
>> Sent: Friday, April 15, 2016 6:51 AM
>> To: Aaron <aaron1 at gvtc.com>
>> Cc: Chris Jones <ipv6freely at gmail.com>; Juniper-Nsp <
>> juniper-nsp at puck.nether.net>
>> Subject: Re: [j-nsp] protect ssh and telnet
>>
>>
>>
>> Hi Aaron,
>>
>> Below is a commit script which builds a dynamic prefix list (containing
>> local IPv4 addresses) that you could reference in an FTF:
>>
>> krasi# show system scripts commit
>> allow-transients;
>> file ifl-addr-v4.slax;
>>
>> krasi# run file show /var/db/scripts/commit/ifl-addr-v4.slax
>> version 1.0;
>>
>> ns junos = "http://xml.juniper.net/junos/*/junos";
>> ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
>> ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
>>
>> import "../import/junos.xsl";
>>
>> match configuration {
>>     /* Transient change: regenerated on every commit, never stored in the candidate config */
>>     <transient-change> {
>>         <policy-options> {
>>             /* Replace the whole list so addresses that were removed drop out as well */
>>             <prefix-list replace="replace"> {
>>                 <name> "ifl-addr-v4";
>>                 /* Walk every IPv4 address configured on any interface unit */
>>                 for-each (interfaces/interface/unit/family/inet/address) {
>>                     /* Keep only the host part: "2.2.2.2/30" becomes "2.2.2.2", listed as a /32 */
>>                     var $address = substring-before(name, "/");
>>                     <prefix-list-item> {
>>                         <name> $address;
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>> krasi# show policy-options |display inheritance |display commit-scripts
>> prefix-list ifl-addr-v4 {
>>     1.1.1.1/32;
>>     10.10.111.1/32;
>> }
>>
>> krasi# set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30
>>
>> [edit]
>> root# commit
>> commit complete
>>
>> [edit]
>> root# show policy-options |display inheritance |display commit-scripts
>> prefix-list ifl-addr-v4 {
>>     1.1.1.1/32;
>>     2.2.2.2/32;
>>     10.10.111.1/32;
>> }
>>
>> Best Regards,
>>
>> Krasi
>>
>>
>>
>> On 13 April 2016 at 23:43, Aaron <aaron1 at gvtc.com> wrote:
>>
>> Thanks Chris, but apparently the Juniper ACX5048 is an exception to the
>> lo0 rule…  see link
>>
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192
>>
>> I’ve been able to accomplish protecting telnet/ssh on my ACX5048 like
>> this…
>>
>> set routing-instances one forwarding-options family inet filter input protect-5048
>> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.1.1/32
>> set firewall family inet filter protect-5048 term 1 from protocol tcp
>> set firewall family inet filter protect-5048 term 1 from destination-port telnet
>> set firewall family inet filter protect-5048 term 1 from destination-port ssh
>> set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
>> set firewall family inet filter protect-5048 term 1 then discard
>> set firewall family inet filter protect-5048 term 2 then accept
>>
>> 1.1.1.0/24 is a subnet on an interface in vrf “one” on my acx5048…
>>
>> The only thing is that I will need to make it a policy with my colleagues
>> that if/when we churn public address space or add new interfaces on our
>> acx5048’s, part of the process will be to add a line to our firewall acl…
>>
>> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.2.1/32
>> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.3.1/32
>> etc
>>
>> QUESTION – does anyone know how to make this firewall acl or include a
>> condition or policy somehow to apply the firewall policy to ONLY LOCAL
>> ROUTES (/32’s)?  That would be nice, so that I would never have to
>> add/subtract specific ip addresses in this firewall policy.
>>
>> Aaron
>>
>> From: Chris Jones [mailto:ipv6freely at gmail.com]
>> Sent: Wednesday, April 13, 2016 10:05 AM
>> To: Aaron <aaron1 at gvtc.com>
>> Cc: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] protect ssh and telnet
>>
>> To answer OP's actual question:
>>
>> What you're looking for is an RE filter, applied to lo0. For a great resource
>> explaining them and some best practices, etc., check out Doug Hanks' Day One
>> book:
>> http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/
>>
>> On Tue, Mar 29, 2016 at 10:26 PM, Aaron <aaron1 at gvtc.com> wrote:
>>
>> I'm new to Juniper, and I'm looking to protect ssh/telnet on all
>> interfaces on my juniper ACX5048's.
>>
>> In Cisco you can protect the virtual interface (vty) with an acl
>> (access-class) so that any remote login attempts (ssh or telnet) are
>> protected.
>>
>> How do I protect ssh and telnet globally in Junos?  I only want to allow
>> ssh and telnet from certain trusted management subnets.
>>
>> Aaron
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> --
>> Chris Jones
>> JNCIE-ENT #272
>> CCIE# 25655 (R&S)
>>
>>
>
>
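Added example, not code from the thread: a small Python model of the point Krasi makes above. It builds both prefix lists from a constructed set of interface addresses (the /32 host list that the SLAX script produces, and the connected-network list that the apply-path form produces) and runs a simplified version of Aaron's two-term forwarding-table filter over a packet addressed to a directly connected neighbour, which only the apply-path list matches. The config lines, the neighbour address 2.2.2.1 and the term logic are assumptions made for the example.

```python
import ipaddress

# Constructed sample of Junos "set" lines, modelled on the addresses seen in the thread.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30
set interfaces xe-0/0/1 unit 0 family inet address 10.10.111.1/24
"""


def configured_addresses(config):
    """Collect the address/prefix-length tokens from 'family inet address' lines."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "address":
            found.append(parts[-1])
    return found


def local_prefix_list(config):
    """What the SLAX commit script builds: substring-before(name, "/") keeps only the
    host address, and a prefix-list entry without a length is a /32."""
    return [ipaddress.ip_network(a.split("/")[0] + "/32")
            for a in configured_addresses(config)]


def apply_path_prefix_list(config):
    """What apply-path 'interfaces <*> unit <*> family inet address <*>' yields: the
    configured address with its own mask, which matches the whole connected network
    (2.2.2.2/30 covers 2.2.2.0 to 2.2.2.3, so the neighbour 2.2.2.1 is included)."""
    return [ipaddress.ip_network(a, strict=False)
            for a in configured_addresses(config)]


def filter_action(prefix_list, dst_ip, proto, dst_port):
    """Simplified model of the two-term FTF from the thread: term 1 discards tcp/22
    and tcp/23 to any destination in prefix_list, term 2 accepts everything else."""
    dst = ipaddress.ip_address(dst_ip)
    hits_list = any(dst in net for net in prefix_list)
    if hits_list and proto == "tcp" and dst_port in (22, 23):
        return "discard"
    return "accept"


if __name__ == "__main__":
    for name, plist in (("local /32", local_prefix_list(SAMPLE_CONFIG)),
                        ("apply-path", apply_path_prefix_list(SAMPLE_CONFIG))):
        # 2.2.2.1 is the neighbour on xe-0/0/0, not an address of this router
        print(name, "ssh to neighbour 2.2.2.1 ->", filter_action(plist, "2.2.2.1", "tcp", 22))
```

With the /32 list, transit SSH to the neighbour is accepted; with the apply-path list the same packet is discarded, which is the "undesired" result when the filter sits at the FTF rather than on lo0.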

