Intrusion Prevention

  • 1.  Limiting interfaces that SSH is allowed

    Posted 09-06-2016 02:46

    Hi,

     

    We are using MX series for our Core-outward facing nodes. What I would like to achieve is only allow SSH access to a singular IP address. I understand that we could use firewall filter to stop SSH and apply to all interfaces, but if we are talking about multiple nodes, it is ... well ... time consuming 🙂 (as Im sure you understand), and also not great for best-practice.

     

    Is there a global command that I am missing that would assist in this issue?

    Reason we want to achieve this is that the node is getting hammered with SSH requests for root access, and woud like to firstly limit the requests by what IP addresses are available for them to request upon.

     

    Any help appreciated

     

    Chris



  • 2.  RE: Limiting interfaces that SSH is allowed

     
    Posted 09-06-2016 04:10

    Hi, 

     

    A firewall filter can be applied on the loopback interface to protect the RE and filter ssh traffic [both in and out]. Please check: DayOne - Securing-routing-engine

     

    Cheers,

    Ashvin



  • 3.  RE: Limiting interfaces that SSH is allowed

     
    Posted 09-06-2016 04:31

    Hi,

     

    You could also check

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/DOS_prevention.pdf

     

    Regards,

    Anand



  • 4.  RE: Limiting interfaces that SSH is allowed

    Posted 09-14-2016 03:14

    Thanks for your comments.

    On the MX all IP's for each interface are public, and I am able to SSH to each IP.

     

    set policy-options prefix-list dos-ssh-protect X.X.X.X/32
    set policy-options prefix-list dos-ssh-protect XXXX::X/128

     

    ....all IP's associated with MX....


    set firewall family inet filter DOS-Protect term deny-ssh-protect from port ssh destination-address prefix-list dos-ssh-protect
    set firewall family inet filter DOS-Protect term deny-ssh-protect then discard
    set firewall family inet filter DOS-Protect then accept

    set interface X family inet filter input DOS-Protect

     

    ....all interfaces with public IP associated with MX....

     

    ><><><><>><><><><><><><><><><><><><><><><><><>

     

    Would you class the above as best practice?



  • 5.  RE: Limiting interfaces that SSH is allowed

     
    Posted 09-14-2016 09:04

    Hi, 

    You could also use apply-paths to dynamically populate the prefix-list with interface IP addresses:

    set policy-options prefix-list dos-ssh-protect apply-path "interfaces <*> unit <*> family inet address <10.0.*>"
    set policy-options prefix-list dos-ssh-protect-v6 apply-path "interfaces <*> unit <*> family inet6 address <2001:xxxx:*>"

    You could also filter IP ranges. In this example 10.0.* accepting only 10.0.x.x.

    For IPv6 traffic, a separate family inet6 filter would be required.

     

    To restrict ssh and other legitimate protocols, I believe the standard practice is to apply filters on lo0 interface securing the routing-engine.  This might be less cumbersome than applying filters on each ingress interface if that filter is protecting that device only.

     

    Cheers,

    Ashvin