[j-nsp] protect ssh and telnet

Krasimir Avramski krasi at smartcom.bg
Fri Apr 15 13:22:28 EDT 2016


Hi Aaron,

Currently the script is building a list of all configured ifls (except
those defined under logical-systems). You can tag the vrf "one" addresses through
"apply-macro" and modify the script to add addresses based on that condition.

Sample ifl tag:
set interfaces xe-0/0/0 unit 0 family inet address 3.3.3.3/24 apply-macro vrf-one

Best Regards,
Krasi




On 15 April 2016 at 19:10, Aaron <aaron1 at gvtc.com> wrote:

> Thanks Krasi, Hmmm, this looks very interesting, I want to try it in my
> lab… also, please let me know if this will ONLY work for my
> routing-instance vrf “one” interfaces…
>
>
>
> My vrf “one” is where my public/vulnerable ip’s live…
>
>
>
> I don’t need to protect my default core vrf which is all 10.x.x.x and that
> domain is behind a mgmt. net firewall boundary
>
>
>
> Aaron
>
>
>
> *From:* Krasimir Avramski [mailto:krasi at smartcom.bg]
> *Sent:* Friday, April 15, 2016 6:51 AM
> *To:* Aaron <aaron1 at gvtc.com>
> *Cc:* Chris Jones <ipv6freely at gmail.com>; Juniper-Nsp <
> juniper-nsp at puck.nether.net>
>
> *Subject:* Re: [j-nsp] protect ssh and telnet
>
>
>
> Hi Aaron,
>
>
>
> Below is commit script which is building dynamic prefix list (containing
> local IPv4 addresses) you could reference in FTF:
>
>
>
> krasi# show system scripts commit
> allow-transients;
> file ifl-addr-v4.slax;
>
> krasi# run file show /var/db/scripts/commit/ifl-addr-v4.slax
> version 1.0;
>
> ns junos = "http://xml.juniper.net/junos/*/junos";
> ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
> ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
>
> import "../import/junos.xsl";
>
> match configuration {
>     <transient-change> {
>         <policy-options> {
>             <prefix-list replace="replace"> {
>                 <name> "ifl-addr-v4";
>                 for-each (interfaces/interface/unit/family/inet/address) {
>                     var $address = substring-before(name, "/");
>                     <prefix-list-item> {
>                         <name> $address;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> krasi# show policy-options |display inheritance |display commit-scripts
> prefix-list ifl-addr-v4 {
>     1.1.1.1/32;
>     10.10.111.1/32;
> }
>
> krasi# set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30
>
> [edit]
> root# commit
> commit complete
>
> [edit]
> root# show policy-options |display inheritance |display commit-scripts
> prefix-list ifl-addr-v4 {
>     1.1.1.1/32;
>     2.2.2.2/32;
>     10.10.111.1/32;
> }
>
> Best Regards,
>
> Krasi
>
>
>
> On 13 April 2016 at 23:43, Aaron <aaron1 at gvtc.com> wrote:
>
> Thanks Chris, but apparently the Juniper ACX5048 is an exception to the
> lo0 rule…  see link
>
>
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192
>
>
>
> I’ve been able to accomplish protecting telnet/ssh on my ACX5048 like this…
>
>
>
> set routing-instances one forwarding-options family inet filter input protect-5048
> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.1.1/32
> set firewall family inet filter protect-5048 term 1 from protocol tcp
> set firewall family inet filter protect-5048 term 1 from destination-port telnet
> set firewall family inet filter protect-5048 term 1 from destination-port ssh
> set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
> set firewall family inet filter protect-5048 term 1 then discard
> set firewall family inet filter protect-5048 term 2 then accept
>
>
>
> 1.1.1.0/24 is a subnet on an interface in vrf “one” on my acx5048…
>
>
>
> The only thing is that I will need to make it a policy with my colleagues
> that if/when we churn public address space or add new interfaces on our
> acx5048’s, part of the process will be to add a line to our firewall acl…
>
>
>
> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.2.1/32
> set firewall family inet filter protect-5048 term 1 from destination-address 1.1.3.1/32
> etc
>
>
>
> QUESTION – does anyone know how to make this firewall acl or include a
> condition or policy somehow to apply the firewall policy to ONLY LOCAL
> ROUTES (/32’s)? That would be nice, so that I would never have to
> add/subtract specific ip addresses in this firewall policy.
>
>
>
> Aaron
>
>
>
>
>
>
>
> From: Chris Jones [mailto:ipv6freely at gmail.com]
> Sent: Wednesday, April 13, 2016 10:05 AM
> To: Aaron <aaron1 at gvtc.com>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] protect ssh and telnet
>
>
>
> To answer OP's actual question:
>
>
>
> What you're looking for is an RE filter, applied to lo0. For a great resource
> explaining them and some best practices, etc., check out Doug Hanks' Day One
> book:
> http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/
>
>
>
> On Tue, Mar 29, 2016 at 10:26 PM, Aaron <aaron1 at gvtc.com> wrote:
>
> I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces
> on my juniper ACX5048's.
>
>
>
> In Cisco you can protect the virtual interface (vty) with an ACL
> (access-class) so that any remote login attempts (ssh or telnet) are
> protected.
>
>
>
> How do I protect ssh and telnet globally in Junos? I only want to allow
> ssh and telnet from certain trusted management subnets.
>
>
>
> Aaron
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> --
>
> Chris Jones
> JNCIE-ENT #272
> CCIE# 25655 (R&S)
>
>


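As an added off-box check (not part of this thread or of Juniper's code), the selection logic of the ifl-addr-v4 commit script re-implemented in Python over a constructed configuration dump, with the apply-macro condition suggested above, so the resulting prefix list can be reviewed before the script is deployed. The sample config, `ifl_addrs_v4` and `prefix_list_set_cmds` are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (shape of "show configuration | display xml"):
# one ifl tagged vrf-one, one untagged core address, and one tagged address
# inside a logical system, which the script's relative XPath never reaches.
SAMPLE_CONFIG = """
<configuration>
  <interfaces>
    <interface><name>xe-0/0/0</name><unit><name>0</name><family><inet>
      <address><name>3.3.3.3/24</name>
        <apply-macro><name>vrf-one</name></apply-macro></address>
    </inet></family></unit></interface>
    <interface><name>xe-0/0/1</name><unit><name>0</name><family><inet>
      <address><name>10.10.111.1/30</name></address>
    </inet></family></unit></interface>
  </interfaces>
  <logical-systems><name>ls1</name><interfaces>
    <interface><name>xe-0/0/2</name><unit><name>0</name><family><inet>
      <address><name>1.1.1.1/32</name>
        <apply-macro><name>vrf-one</name></apply-macro></address>
    </inet></family></unit></interface>
  </interfaces></logical-systems>
</configuration>
"""

def ifl_addrs_v4(config_xml, tag=None):
    """Host prefixes the commit script would put into ifl-addr-v4 (hypothetical helper).
    tag=None mirrors the posted script (every inet address under /configuration/interfaces);
    tag="vrf-one" keeps only addresses carrying that apply-macro."""
    root = ET.fromstring(config_xml)
    items = []
    # Relative path from <configuration>: logical-systems/*/interfaces is skipped.
    for addr in root.findall("interfaces/interface/unit/family/inet/address"):
        cidr = addr.findtext("name", default="")
        macros = [m.findtext("name") for m in addr.findall("apply-macro")]
        if tag is not None and tag not in macros:
            continue
        host = cidr.split("/", 1)[0]        # substring-before(name, "/")
        if host and host + "/32" not in items:
            items.append(host + "/32")      # a bare host in a prefix-list is a /32
    return items

def prefix_list_set_cmds(items, name="ifl-addr-v4"):
    """Render the list as the set commands an operator would otherwise type by hand."""
    return [f"set policy-options prefix-list {name} {p}" for p in items]

if __name__ == "__main__":
    for line in prefix_list_set_cmds(ifl_addrs_v4(SAMPLE_CONFIG, tag="vrf-one")):
        print(line)
```

Run it against a real `show configuration | display xml` dump to see which addresses would end up in the prefix list your FTF term references.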