Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  forcing access to junos device

     
    Posted 04-19-2020 23:14

    hi,

    There are a number of unauthorized attempts to access the Juniper device.

    mx>show log messages | match LOGIN_FAILED 

    ....

    .......

    There are the following KBs, but these are for SRX; how about EX/QFX and MX?

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28968

    Any workaround or best practice?

    Thx

    A

     



  • 2.  RE: forcing access to junos device

     
    Posted 04-19-2020 23:21

    Hi Arix

     

    For the QFX/MX device you can use the following method to avoid the SSH/Telnet brute force attack. Please refer to the document below.

     

    https://www.juniper.net/documentation/software/topics/task/configuration/authentication-login-attempts-ssh-telnet-limiting.pdf

     

    Hope this helps



  • 3.  RE: forcing access to junos device

     
    Posted 04-20-2020 02:21

    Hi,

    Both KBs also apply to MX and, I suppose, to all other JUNOS platforms.

    Regards

    Ulf



  • 4.  RE: forcing access to junos device

     
    Posted 04-20-2020 04:08

    Thanks for the answers....

    When checking those Juniper resources, a few questions are coming up...

    How can weird people (brute forcers) around the world know my Junos devices' management IP addresses? The answer should be a ping sweep, shouldn't it?

    How can we hide, not propagate or not announce IP addresses that are used only for internal management purposes?

    How can I verify which IP addresses on the Junos devices these brute force attempts or requests are coming to? I know no session is being established, but I need to know which destination IP address is being used by the brute forcers.



  • 5.  RE: forcing access to junos device

    Posted 04-20-2020 09:12

    Hi,

     

    If your management IP is a public IP, then it's normal that everyone around the world knows it. So the way to prevent this is just to use a lo0 filter, as the KB mentions.

     

    Thanks



  • 6.  RE: forcing access to junos device

     
    Posted 04-20-2020 16:46

    Hi,

    I just checked my tracert to Google. In the path we can see a lo0 interface with its IP address. Probably lo0 is a router-id, or probably it is being used for a dynamic routing protocol. So if the firewall filter is not applied to this lo0 interface, will my SSH attempt to this lo0 show an SSH_LOGIN_FAILED in their message log? If the FF is applied, what might be seen?

     

     

    >tracert 8.8.4.4
    
    Tracing route to dns.google [8.8.4.4]
    over a maximum of 30 hops:
    
      1     1 ms    <1 ms    <1 ms  Bilolight [10.10.10.1]
      2    17 ms    16 ms    26 ms  lo0.rras2.sig11.on.ni.net [155.102.32.130]
      3    19 ms    19 ms    39 ms  l01.tr2.sig10.on.ni.net [155.102.35.175]
      4    30 ms    32 ms    37 ms  be41.tr2.sig11.on.ni.net [155.102.34.41]
      5    28 ms    31 ms    43 ms  be45.tr3.sgt2.on.ni.net [155.102.33.36]
      6    28 ms    29 ms    30 ms  be51.t3.sgt7.on.ni.net [155.102.40.201]
      7    36 ms    30 ms    53 ms  gw.google.com [155.102.199.234]
      8    30 ms    42 ms    30 ms  108.170.247.33
      9    30 ms    34 ms    28 ms  209.85.253.177
     10    39 ms    29 ms    29 ms  dns.google [8.8.4.4]
    
    Trace complete.

     

     

     

    Other things.... The Junos MX device has multiple interfaces and multiple lo(X) logical interfaces. The traffic on each interface is different, as expected.

    In Windows we can determine which incoming source addresses connect to which destination address with netstat -a etc.

    In the Junos CLI (including shell), what is the equivalent of the Windows command netstat -ona 2 | find "x.x.x.x" | find "22", regardless of what the interfaces might be?

     

     



  • 7.  RE: forcing access to junos device

     
    Posted 04-22-2020 07:25

    Any reply?



  • 8.  RE: forcing access to junos device
    Best Answer

     
    Posted 04-22-2020 21:23

    Hi Arix

     

    When you apply the firewall filter for the lo0 interface you apply the filter on the physical interface. So it doesn't matter if there are multiple logical units associated; the filter will work for all the traffic which is attempted towards the lo0.

    If you want to find out the source and destination IP address of the brute force attack you may use the "log" option in the firewall filter along with count to determine the source of the brute force attack. However, I am not sure if the "log" option on loopback works on all the Junos devices.

    Also, when the firewall filter is applied to the lo0 you may not see the SSH_FAILED attempt, as it will be dropped before it hits the CPU.
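
A sketch of the lo0 filter with "log" and "count" described in the answer above, as an added example that is not part of the original post or the linked KBs. The filter, term, counter and prefix-list names and the 192.0.2.0/24 management range are assumptions made for illustration.

```junos
# Constructed example: PROTECT-RE, MGMT-SOURCES, the term names, the counter
# name and 192.0.2.0/24 are placeholders, not values from this thread.
set policy-options prefix-list MGMT-SOURCES 192.0.2.0/24

# Term 1: SSH from the trusted management range reaches the routing engine.
set firewall family inet filter PROTECT-RE term mgmt-ssh from source-prefix-list MGMT-SOURCES
set firewall family inet filter PROTECT-RE term mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term mgmt-ssh then accept

# Term 2: every other SSH/Telnet attempt is counted, logged and dropped.
# "log" records source and destination address of each matching packet;
# "count" keeps a running total of packets and bytes.
set firewall family inet filter PROTECT-RE term block-login from protocol tcp
set firewall family inet filter PROTECT-RE term block-login from destination-port ssh
set firewall family inet filter PROTECT-RE term block-login from destination-port telnet
set firewall family inet filter PROTECT-RE term block-login then count blocked-login
set firewall family inet filter PROTECT-RE term block-login then log
set firewall family inet filter PROTECT-RE term block-login then discard

# Term 3: a filter ends with an implicit discard, so traffic that must still
# reach the routing engine (routing protocols, ICMP, SNMP, ...) has to be
# accepted explicitly. A production filter would list those services
# instead of accepting everything else.
set firewall family inet filter PROTECT-RE term everything-else then accept

# Attach the filter as an input filter on the loopback unit.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Roll back automatically after 5 minutes unless the commit is confirmed,
# in case the filter cuts off your own management session.
commit confirmed 5
```

After the commit, `show firewall filter PROTECT-RE` reports the counter, and `show firewall log` lists the logged packets with their source and destination addresses.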



  • 9.  RE: forcing access to junos device

     
    Posted 04-23-2020 22:12

    Hi Arix,

     

    If my answer resolved your queries then please mark it as "accepted solution" so that it can benefit others in the community.