[j-nsp] how to disconnect/kill tcp session from juniper router

David Lockuan dlockuan at gmail.com
Thu Nov 24 11:59:56 EST 2016


Hi Aaron,

When a telnet session is established, the process is not a telnetd daemon
after the process passes to the cli process. You should filter with the grep
command looking for "cli". Check my example:

***********************************************************
tecnologia at MX240-2_LAB-RE0> show system users
12:28PM  up 93 days,  1:45, 6 users, load averages: 0.16, 0.08, 0.02
USER     TTY      FROM                              LOGIN@  IDLE WHAT
tecnologia d0     -                                07Nov16 16days -cli
(cli)
tecnologia p1     10.10.0.240                      Wed04PM 19:26 -cli
(cli)
tecnologia p5     10.10.90.2                       26Oct16 28days -cli
(cli)
tecnologia pj     10.10.90.2                       12:28PM     - -cli
(cli)
tecnologia qi     10.10.0.240                      26Oct16 28days
telnet
tecnologia qn     10.10.0.240                      26Oct16 28days -cli
(cli)

{master}
tecnologia at MX240-2_LAB-RE0> start shell
%
% ps -aux | grep cli
tecnologia 90751  0.0  0.7 30400 24536  d0  S+    7Nov16   0:04.78 -cli
(cli)
tecnologia 67215  0.0  0.7 30384 24336  p1  S+    4:47PM   0:00.34 -cli
(cli)
tecnologia 86298  0.0  0.7 30400 24468  p5  S+   26Oct16   0:06.88 -cli
(cli)
tecnologia 83579  0.0  0.7 30376 24312  pj  S    12:28PM   0:00.09 -cli
(cli)
tecnologia 83599  0.0  0.0  2024   864  pj  R+   12:29PM   0:00.00 grep cli
tecnologia 86010  0.0  0.7 30412 24424  qi  I+   26Oct16   0:00.24 -cli
(cli)
tecnologia 86670  0.0  0.7 30408 24488  qn  S+   26Oct16   0:06.95 -cli
(cli)
% exit
exit
***********************************************************

If the session doesn't appear in the cli command "show system users", it is
probably because the process is hung in the shell.

I hope this helps you.

Regards,

---
David


On Thu, Nov 24, 2016 at 11:37 AM, Hugo Slabbert <hugo at slabnet.com> wrote:

> Always a good reference:
>
> http://www.team-cymru.org/templates.html
> http://www.cymru.com/gillsr/documents/junos-template.pdf
>
> --
> Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
> pgp key: B178313E   | also on Signal
>
>
> On Thu 2016-Nov-24 11:07:45 +0000, Alexander Arseniev <
> arseniev at btinternet.com> wrote:
>
> Hello,
>>
>> Someone is brute-forcing Your router password, and that is very common
>> nowadays. Good loopback filter would prevent this.
>>
>> In addition:
>>
>> 1/ You can only do "request system logout" for sessions that passed
>> authentication+login+got TTY assigned. If You see "unsuccessful login" it
>> means this session did not get past authentication. Unauthenticated sessions
>> get disconnected after 3 wrong password attempts, or 120 secs if there is
>> no data flowing (from memory)
>>
>> 2/ Best practice is not to allow telnet at all. Use SSH instead. To
>> disable telnet, make sure You do NOT have the "telnet" line under "[system
>> services]" stanza.
>>
>> 3/ Also, You should be using:
>>
>> 3a/ loopback filter allowing SSH from trusted source IPs only. If You
>> manage router via internet, and must keep remote access to it open to
>> ANYONE that's not a good practice at all.
>>
>> 3b/ SSH public key authentication instead of password
>>
>> 3c/ backoff timer to fire after 3-5 unsuccessful login tries
>>
>> 3d/ inactivity timer to close hanging SSH sessions - to make sure You are
>> not locked out of the router access because all TTYs are taken.
>>
>> Thanks
>>
>> Alex
>>
>>
>> On 21/11/2016 21:29, Aaron wrote:
>>
>>> I have an unauthorized telnet session attached to my router but it does
>>> not show up under "show system users" and they have not successfully logged
>>> in, so it doesn't seem that I can do the "request system logout.." thing
>>>
>>>
>>> I do however see unsuccessful login attempts in syslog
>>>
>>>
>>> How do I kill/disconnect this tcp session ?
>>>
>>>
>>> me at j1> show system connections | grep ".23 "
>>>
>>> tcp4       0      0  109.109.109.109.23
>>> 181.181.181.181.55436                          ESTABLISHED
>>>
>>> tcp4       0      0  *.23                                          *.*
>>> LISTEN
>>>
>>> tcp4       0      0  *.6023                                        *.*
>>> LISTEN
>>>
>>> tcp4       0      0  *.6023                                        *.*
>>> LISTEN
>>>
>>> udp4       0      0  128.0.0.1.123                                 *.*
>>>
>>> udp4       0      0  *.123                                         *.*
>>>
>>> udp4       0      0  *.6123                                        *.*
>>>
>>> udp4       0      0  *.6123                                        *.*
>>>
>>>
>>>
>>> {master:0}
>>>
>>> me at j1> show system processes | grep "PID|telnet"
>>>
>>>   PID  TT  STAT      TIME COMMAND
>>>
>>> 70193  ??  Is     0:00.00 telnetd
>>>
>>>
>>>
>>> {master:0}
>>>
>>> me at j1> start shell
>>>
>>> % ps -awwux | grep telnet
>>>
>>> root   70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
>>>
>>> remote 70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep
>>> telnet
>>>
>>> %
>>>
>>>
>>> - Aaron
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>
>

