[j-nsp] how to disconnect/kill tcp session from juniper router

Hugo Slabbert hugo at slabnet.com
Thu Nov 24 11:37:58 EST 2016


Always a good reference:

http://www.team-cymru.org/templates.html
http://www.cymru.com/gillsr/documents/junos-template.pdf

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal

On Thu 2016-Nov-24 11:07:45 +0000, Alexander Arseniev <arseniev at btinternet.com> wrote:

>Hello,
>
>Someone is brute-forcing Your router password, and that is very 
>common nowadays. Good loopback filter would prevent this.
>
>In addition:
>
>1/ You can only do "request system logout" for sessions that passed 
>authentication+login+got TTY assigned. If You see "unsuccessful 
>login" it means this session did not get past authentication. 
>Unauthenticated sessions get disconnected after 3 wrong password 
>attempts, or 120 secs if there is no data flowing (from memory)
>
>2/ Best practice is not to allow telnet at all. Use SSH instead. To 
>disable telnet, make sure You do NOT have the "telnet" line under 
>"[system services]" stanza.
>
>3/ Also, You should be using:
>
>3a/ loopback filter allowing SSH from trusted source IPs only. If You 
>manage router via internet, and must keep remote access to it open to 
>ANYONE that's not a good practice at all.
>
>3b/ SSH public key authentication instead of password
>
>3c/ backoff timer to fire after 3-5 unsuccessful login tries
>
>3d/ inactivity timer to close hanging SSH sessions - to make sure You 
>are not locked out of the router access because all TTYs are taken.
>
>Thanks
>
>Alex
>
>
>On 21/11/2016 21:29, Aaron wrote:
>>I have an unauthorized telnet session attached to my router but it does not
>>show up under "show system users" and they have not successfully logged in so
>>it doesn't seem that I can do the "request system logout.." thing
>>
>>I do however see unsuccessful login attempts in syslog
>>
>>How do I kill/disconnect this tcp session ?
>>
>>
>>me at j1> show system connections | grep ".23 "
>>tcp4       0      0  109.109.109.109.23       181.181.181.181.55436    ESTABLISHED
>>tcp4       0      0  *.23                     *.*                      LISTEN
>>tcp4       0      0  *.6023                   *.*                      LISTEN
>>tcp4       0      0  *.6023                   *.*                      LISTEN
>>udp4       0      0  128.0.0.1.123            *.*
>>udp4       0      0  *.123                    *.*
>>udp4       0      0  *.6123                   *.*
>>udp4       0      0  *.6123                   *.*
>>
>>{master:0}
>>me at j1> show system processes | grep "PID|telnet"
>>   PID  TT  STAT      TIME COMMAND
>>70193  ??  Is     0:00.00 telnetd
>>
>>{master:0}
>>me at j1> start shell
>>% ps -awwux | grep telnet
>>root   70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
>>remote 70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
>>%
>>
>>
>>- Aaron
>>
>>_______________________________________________
>>juniper-nsp mailing list juniper-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/juniper-nsp
>
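The hardening Alex lists above (items 2 and 3a-3d), written out as an added Junos set-format example; this is not configuration from the thread or from the Team Cymru template, and the prefix-list addresses, user and class names, key string and timer values are constructed placeholders. Lines starting with ## are annotations for the reader, not configuration.

```junos
## Trusted management sources (constructed addresses; replace with your own).
set policy-options prefix-list MGMT-TRUSTED 192.0.2.0/24
set policy-options prefix-list MGMT-TRUSTED 198.51.100.10/32

## 3a: loopback filter. SSH only from MGMT-TRUSTED; other SSH/telnet attempts aimed
## at the RE are logged and silently discarded; the final accept keeps routing
## protocols, NTP etc. working. A production RE filter should permit only what
## the router actually needs and discard the rest.
set firewall family inet filter PROTECT-RE term ssh-trusted from source-prefix-list MGMT-TRUSTED
set firewall family inet filter PROTECT-RE term ssh-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-trusted from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-trusted then accept
set firewall family inet filter PROTECT-RE term mgmt-deny from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-deny from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term mgmt-deny then syslog
set firewall family inet filter PROTECT-RE term mgmt-deny then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## 2: telnet is disabled by not being configured at all; remove it if present.
delete system services telnet

## 3b: SSH v2, public keys only, no root login, and limits on new connections.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh no-passwords
set system services ssh connection-limit 5
set system services ssh rate-limit 3
set system login user netops class NETOPS
set system login user netops authentication ssh-rsa "ssh-rsa <PUBLIC-KEY-PLACEHOLDER> netops@mgmt"

## 3c: slow down, then drop, repeated failed logins (values are illustrative).
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 10

## 3d: idle timer (minutes) so hung sessions free their TTYs; SSH keepalives
## additionally tear down sessions whose transport has silently died.
set system login class NETOPS permissions all
set system login class NETOPS idle-timeout 10
set system services ssh client-alive-interval 60
set system services ssh client-alive-count-max 3
```

Apply it with "commit confirmed" from an address covered by MGMT-TRUSTED, so a mistake in the filter rolls back instead of locking you out.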