SRX


SSHD_LOGIN_FAILED

  • 1.  SSHD_LOGIN_FAILED

    Posted 01-21-2021 21:43
    Recently seeing log messages filled with sshd: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host 'xx.xx.xx.xx', and it keeps on repeating; it looks like brute-force attempts.

    Jan 21 21:17:34 IPFW01 sshd[78906]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: root attempts: 114
    Jan 21 21:17:34 IPFW01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '121.4.33.51'
    Jan 21 21:17:34 IPFW01 sshd[78906]: Failed password for root from 121.4.33.51 port 38624 ssh2
    Jan 21 21:17:34 IPFW01 sshd[78906]: Received disconnect from 121.4.33.51: 11: Bye Bye [preauth]
    Jan 21 21:17:34 IPFW01 sshd[78906]: Disconnected from 121.4.33.51 [preauth]
    Jan 21 21:17:45 IPFW01 sshd[78910]: (pam_sm_authenticate): DEBUG: PAM_ACTUAL_USER: root
    Jan 21 21:17:45 IPFW01 sshd[78910]: (pam_sm_authenticate): DEBUG: PAM_USER: root
    Jan 21 21:17:45 IPFW01 sshd[78910]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: root attempts: 115
    Jan 21 21:17:45 IPFW01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '191.186.80.43'
    Jan 21 21:17:45 IPFW01 sshd[78910]: Failed password for root from 191.186.80.43 port 36702 ssh2
    Jan 21 21:17:46 IPFW01 sshd[78910]: Received disconnect from 191.186.80.43: 11: Bye Bye [preauth]
    Jan 21 21:17:46 IPFW01 sshd[78910]: Disconnected from 191.186.80.43 [preauth]
    Jan 21 21:17:49 IPFW01 sshd[78912]: (pam_sm_authenticate): DEBUG: PAM_ACTUAL_USER: temp1
    Jan 21 21:17:49 IPFW01 sshd[78912]: (pam_sm_authenticate): DEBUG: PAM_USER: temp1
    Jan 21 21:17:49 IPFW01 sshd[78912]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: temp1 attempts: 5
    Jan 21 21:17:49 IPFW01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'temp1' from host '103.26.124.95'
    Jan 21 21:17:49 IPFW01 sshd[78912]: Failed password for temp1 from 103.26.124.95 port 59966 ssh2
    Jan 21 21:17:49 IPFW01 sshd[78912]: Received disconnect from 103.26.124.95: 11: Bye Bye [preauth]

    However, I have configured the filter Allowed-ip to allow SSH from specific IPs only, and retry options, with the following configuration:

    set firewall family inet filter Allowed-ip term 0 from source-address 10.0.0.0/8
    set firewall family inet filter Allowed-ip term 0 from source-address 192.95.20.208/32
    set firewall family inet filter Allowed-ip term 0 from source-address 78.46.194.186/32
    set firewall family inet filter Allowed-ip term 0 from source-address 10.1.255.1/32
    set firewall family inet filter Allowed-ip term 0 from source-address 10.100.0.50/32
    set firewall family inet filter Allowed-ip term 0 from destination-port ssh
    set firewall family inet filter Allowed-ip term 0 then accept
    set firewall family inet filter Allowed-ip term 1 from source-address 0.0.0.0/0
    set firewall family inet filter Allowed-ip term 1 from destination-port ssh
    set firewall family inet filter Allowed-ip term 1 then discard
    set firewall family inet filter Allowed-ip term 2 then accept

    retry-options {
        tries-before-disconnect 5;
        backoff-threshold 3;
        backoff-factor 5;
        maximum-time 20;
    }

    But I still see brute-force attempts being recorded in the SRX log. How are they even hitting the SRX? When using SSH clients from any other IP address not listed in the allowed list, the credential dialogue box does not even pop up.

    ------------------------------
    ANKUR
    ------------------------------


  • 2.  RE: SSHD_LOGIN_FAILED

     
    Posted 01-22-2021 04:10
    Hi,
    Do you use routing-instances? If so, please mind the "If you configure filter A ..." statements from Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs - TechLibrary - Juniper Networks.
    Regards
    Ulf


  • 3.  RE: SSHD_LOGIN_FAILED

     
    Posted 01-22-2021 05:37
    The filter looks correct; which interface did you apply the filter to?
    It must be on lo0.0 to affect all inbound traffic.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: SSHD_LOGIN_FAILED

    Posted 01-22-2021 10:05
    The filter is on lo0
    set interfaces lo0 unit 0 family inet filter input Allowed-ip

    I added connection and rate limits to SSH; that has reduced the hits, but it is still ongoing.

    set system services ssh connection-limit 3
    set system services ssh rate-limit 10

    What's strange is that if my IP is not in the allowed list and I try to SSH, I cannot even get to the login prompt, but these bad actors using brute-force tools are able to hit the SRX with dictionary credentials, and these are recorded by the SRX.


    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: SSHD_LOGIN_FAILED

    Posted 01-25-2021 09:49
    NETCONF was enabled, and that was allowing SSH connections to the SRX; I disabled it and the SSH brute force stopped.

    ------------------------------
    ANKUR
    ------------------------------



  • 6.  RE: SSHD_LOGIN_FAILED

     
    Posted 01-26-2021 17:23
    Thanks for the update, this was driving me crazy.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------