SRX

Expand all | Collapse all

How to Stop Our Public Interface from attempted logins ?

Jump to Best Answer
  • 1.  How to Stop Our Public Interface from attempted logins ?

    Posted 12-19-2019 16:27

    We are using a SRX345 as a public facing Internet router.  As would be expected, we have new unknown friends from all over trying to login into our new device.  We have used the login offset commands in place:

    set system login retry-options tries-before-disconnect 3
    set system login retry-options backoff-threshold 3
    set system login retry-options backoff-factor 10
    set system login retry-options lockout-period 20

    The SSH root login deny command.

    But we still she some interesting users names, besides root and admin in our log messages.

    Is there a better way to limit the attention to our new interface ?

     

    Thanks

     

     

     



  • 2.  RE: How to Stop Our Public Interface from attempted logins ?

    Posted 12-19-2019 16:48
    Apply firewall filter to public facing interface or lo0 interface to block/filter login attack from internet


  • 3.  RE: How to Stop Our Public Interface from attempted logins ?
    Best Answer

     
    Posted 12-19-2019 23:57

    There is no mechanism in JunOS to change the port number of SSH protocol, hence possibilities are that in a situation like this; one may receive a large number of brute force attacks on port 22. Even then we have a mechanism to stop such attempts by the below-known methods.

     

    Create a filter to be applied to the loopback interface to stop SSH logins from public-facing Internet router. First thing is to list the trusted IP addresses that will be allowed to access the device and then create prefix-list under policy-options.

     

    [edit policy-options]

    root@SRX240# edit prefix-list Trusted_IP_Address

    [edit policy-options prefix-list Trusted_IP_Address]

    root@SRX240# set 111.11.1.1/32

    [edit policy-options prefix-list Trusted_IP_Address]

    root@SRX240# set 22.2.2.2/32

    [edit policy-options prefix-list Trusted_IP_Address]

    root@SRX240# set 33.3.3.3/32

     

    Next is to create a firewall filter. We will create a firewall filter named sshFilter. The first term name will be Trusted_SSH_Login that will hold trusted IP addresses.

     

    [edit firewall family inet filter sshFilter]

    root@SRX240# edit term Trusted_SSH_Login

    [edit firewall family inet filter sshFilter term Trusted_SSH_Login]

    root@SRX240# set from source-prefix-list Trusted_IP_Address except

    [edit firewall family inet filter sshFilter term Trusted_SSH_Login]

    root@SRX240# set from protocol tcp

    [edit firewall family inet filter sshFilter term Trusted_SSH_Login]

    root@SRX240# set from destination-port ssh

    [edit firewall family inet filter sshFilter term Trusted_SSH_Login]

    root@SRX240# set then discard

    Now, don’t forget to add one last term to allow everything else unless you want to lock yourself out.

     

    [edit firewall family inet filter sshFilter term Allow_Everything_Else]

    root@SRX240# set then accept

     

    You can view the firewall filter by typing “show” command under [edit firewall family inet filter sshFilter] hierarchy,

     

    [edit firewall family inet filter sshFilter]

    root@SRX210# show

    term Trusted_SSH_Login {

    from {

    source-prefix-list {

    Trusted_IP_Address except;

    }

    protocol tcp;

    destination-port ssh;

    }

    then discard;

    }

    }

    term Allow_Everything_Else{

    then accept;

    }

    Now apply the firewall filter to loopback (lo0) interface in inbound direction.

     

    [edit]

    root@SRX210# set interfaces lo0 unit 0 family inet filter input sshFilter

    Firewall filters will block the attack at the very edge level. In JunOS the packet is first analyzed by filters and sent to other paths in the packet flow process.

    ---------------------------------------------------------------------------------------------------------------------------------

    There is another way to control login attempts in Juniper devices which is by limiting the number of failed attempts and some threshold parameters. This configuration is applied to all user’s attempting to login. The configuration is done in [edit system login retry-options] hierarchy.

     

    [edit system login retry-options]

    user@host# set tries-before-disconnect 10 {This is the no. of times that a user is allowed to try password}

    user@host# set backoff-threshold 2 {This is no. of password failures before delay is in effect}

    user@host# set backoff-factor 5 {After backoff-threshold is in effect the user is blocked for 5 seconds}

    user@host# set minimum-time 20 {As user gets prompt to enter user/pass, he/she has 20 seconds to enter it}

     

    --------------------------------------------------------------------------------------------------------------------------------

    Accept as Solution = cool ! (Will help other community members with similar queries to be redirected here)
    Accept as Solution+Kudo = You are a Star !

    --------------------------------------------------------------------------------------------------------------------------------

    //Nex



  • 4.  RE: How to Stop Our Public Interface from attempted logins ?

    Posted 04-02-2020 13:00

    Appreciate the feedback.  Hope you are all safe and taken caring of yourself and those you love.



  • 5.  RE: How to Stop Our Public Interface from attempted logins ?

     
    Posted 12-20-2019 05:46

    I'd recommend that you read the Juniper Day One book for hardening JUNOS devices. This is very useful to secure devices which are connected to the public internet. You can find the free PDF here:

     

    https://forums.juniper.net/t5/Day-One-Books/NEW-This-Week-Hardening-Junos-Devices-Second-Edition/ba-p/117366