[j-nsp] how to disconnect/kill tcp session from juniper router
Alexander Arseniev
arseniev at btinternet.com
Thu Nov 24 06:07:45 EST 2016
Hello,
Someone is brute-forcing Your router password, and that is very common
nowadays. Good loopback filter would prevent this.
In addition:
1/ You can only do "request system logout" for sessions that passed
authentication+login+got TTY assigned. If You see "unsuccessful login"
it means this session did not get past authentication. Unauthenticated
sessions get disconnected after 3 wrong password attempts, or 120 secs
if there is no data flowing (from memory)
2/ Best practice is not to allow telnet at all. Use SSH instead. To
disable telnet, make sure You do NOT have the "telnet" line under
"[system services]" stanza.
3/ Also, You should be using:
3a/ loopback filter allowing SSH from trusted source IPs only. If You
manage router via internet, and must keep remote access to it open to
ANYONE that's not a good practice at all.
3b/ SSH public key authentication instead of password
3c/ backoff timer to fire after 3-5 unsuccessful login tries
3d/ inactivity timer to close hanging SSH sessions - to make sure You
are not locked out of the router access because all TTYs are taken.
Thanks
Alex
On 21/11/2016 21:29, Aaron wrote:
> I have an unauthorized telnet session attached to my router but it does not
> show up under "show system users" and they have not successfully logged in, so
> it doesn't seem that I can do the "request system logout.." thing
>
> I do however see unsuccessful login attempts in syslog
>
> How do I kill/disconnect this tcp session ?
>
> me at j1> show system connections | grep ".23 "
> tcp4 0 0 109.109.109.109.23 181.181.181.181.55436 ESTABLISHED
> tcp4 0 0 *.23 *.* LISTEN
> tcp4 0 0 *.6023 *.* LISTEN
> tcp4 0 0 *.6023 *.* LISTEN
> udp4 0 0 128.0.0.1.123 *.*
> udp4 0 0 *.123 *.*
> udp4 0 0 *.6123 *.*
> udp4 0 0 *.6123 *.*
>
> {master:0}
> me at j1> show system processes | grep "PID|telnet"
> PID TT STAT TIME COMMAND
> 70193 ?? Is 0:00.00 telnetd
>
> {master:0}
> me at j1> start shell
> % ps -awwux | grep telnet
> root 70193 0.0 0.1 2128 1396 ?? Is 1:34PM 0:00.00 telnetd
> remote 70971 0.0 0.0 480 296 p5 R+ 3:19PM 0:00.00 grep telnet
> %
>
> - Aaron
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
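Alexander's points 2/ and 3a/ through 3d/ above, written out as a Junos set-style configuration fragment. This is an added example, not configuration from the thread or from any Juniper document; the prefix list MGMT-HOSTS, the 192.0.2.0/24 management range, the filter name PROTECT-RE, the class name ADMIN, the user "alice" and the placeholder public key are all assumptions chosen for illustration.

```junos
## --- 2/ no telnet at all: remove the listener from [system services] ---
delete system services telnet

## --- 3b/ SSH only, v2 only, no direct root, keys instead of passwords ---
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 3
set system login class ADMIN permissions all
## 3d/ inactivity timer (minutes) so hung sessions free their TTY
set system login class ADMIN idle-timeout 10
set system login user alice class ADMIN
## placeholder key: replace with the operator's real public key
set system login user alice authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER alice@mgmt"

## --- 3c/ backoff after repeated failures, disconnect after 3 tries ---
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10

## --- 3a/ loopback (RE) filter: SSH only from trusted management hosts ---
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
## assumed management range (RFC 5737 documentation prefix)
set firewall family inet filter PROTECT-RE term ssh-trusted from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-trusted from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-trusted then accept
## everything else aimed at 22/23 is logged and dropped
set firewall family inet filter PROTECT-RE term mgmt-untrusted from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-untrusted from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term mgmt-untrusted then syslog
set firewall family inet filter PROTECT-RE term mgmt-untrusted then discard
## placeholder final term: a production RE filter enumerates each
## permitted protocol (BGP, OSPF, NTP, ...) instead of accepting the rest
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After `commit`, `show firewall filter PROTECT-RE` shows the per-term counters (the `mgmt-untrusted` term should start counting the brute-force source immediately) and `show system connections | match ".23 "` should no longer show a `*.23` listener. The `allow-rest` term is only there so the fragment does not cut off routing protocols on a lab box; the real value of a loopback filter comes from listing what may reach the Routing Engine and discarding everything else.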