Routing

Expand all | Collapse all

forcing access to junos device

Jump to Best Answer
  • 1.  forcing access to junos device

     
    Posted 04-19-2020 23:14

    hi,

    There is a number of unauthorize attempts to the Juniper device. 

    mx>show log messages | match LOGIN_FAILED 

    ....

    .......

    There are the following KBs but these for srx, how about ex/qfx and mx?

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28968

    Any workaround or best practice?

    Thx

    A

     



  • 2.  RE: forcing access to junos device

     
    Posted 04-19-2020 23:21

    Hi Arix

     

    For the qfx/mx device you can use the following method to avoid the ssh/telnet brute force attack. Please refer to the below document

     

    https://www.juniper.net/documentation/software/topics/task/configuration/authentication-login-attempts-ssh-telnet-limiting.pdf

     

    Hope this helps



  • 3.  RE: forcing access to junos device

     
    Posted 04-20-2020 02:21

    Hi,

    both KBs also apply to MX and I suppose to all other JUNOS platforms.

    Regards

    Ulf



  • 4.  RE: forcing access to junos device

     
    Posted 04-20-2020 04:08

    Thanks answers....

    When checking those juniper resources, a few questions are caming up...

    How can weird people(brute forcers) around the world know my junos devices' management ip addresses? The answer should be a ping sweep, shouldn't be?

    How can be hide/not propagate or not annnouced IP addresses that are using for only internal management purpose?

    How to verify this brute force attempts or requests are coming to which IP addresses on the Junos devices? I know there is no establishing but I need to know which destionation Ip address is being used by brute forcers?



  • 5.  RE: forcing access to junos device

    Posted 04-20-2020 09:12

    Hi,

     

    If your IP management using Public IP then its normal all arround the world know. So the to perevent is just using lo0 filter such as KB mention.

     

    Thanks



  • 6.  RE: forcing access to junos device

     
    Posted 04-20-2020 16:46

    Hi,

    I just checked my tracert to google. In the path we can see lo0 interface with its ip address. Probably lo0 is a router-id or probably it is being using for dynamic routing protocol. So if the Firewall Filter is not applied to this Lo0 interface, will my SSH attemp to this lo0 show a SSH_LOGIN_FAILED in the their message log? If the FF is applied, what might be seen?  

     

     

    >tracert 8.8.4.4
    
    Tracing route to dns.google [8.8.4.4]
    over a maximum of 30 hops:
    
      1     1 ms    <1 ms    <1 ms  Bilolight [10.10.10.1]
      2    17 ms    16 ms    26 ms  lo0.rras2.sig11.on.ni.net [155.102.32.130]
      3    19 ms    19 ms    39 ms  l01.tr2.sig10.on.ni.net [155.102.35.175]
      4    30 ms    32 ms    37 ms  be41.tr2.sig11.on.ni.net [155.102.34.41]
      5    28 ms    31 ms    43 ms  be45.tr3.sgt2.on.ni.net [155.102.33.36]
      6    28 ms    29 ms    30 ms  be51.t3.sgt7.on.ni.net [155.102.40.201]
      7    36 ms    30 ms    53 ms  gw.google.com [155.102.199.234]
      8    30 ms    42 ms    30 ms  108.170.247.33
      9    30 ms    34 ms    28 ms  209.85.253.177
     10    39 ms    29 ms    29 ms  dns.google [8.8.4.4]
    
    Trace complete.

     

     

     

    Other things....The Junos device mx has multiple interfaces and multiple lo(X) logical interfaces. Each traffic on the each interfaces is different as expected.

    In windows we can determine which incoming source addresses to which destination address with netstat -a etc.

    In Junos cli (including shell) what is the equivalent of windows command of netstat -ona 2 | find "x.x.x.x" | find "22" regartless what interfces might be.?

     

     



  • 7.  RE: forcing access to junos device

     
    Posted 04-22-2020 07:25

    any reply?



  • 8.  RE: forcing access to junos device
    Best Answer

     
    Posted 04-22-2020 21:23

    Hi Arix

     

    When you apply the firewall filter for the lo0 interface you apply the filter on the physical interface. So it doesnt matter if there are multiple logical unit associated the filter will work for all the traffic which are attempted towards the lo0.

    If you want to find out the source and destination ip address from the brute force attack you may use the "log" option in the firewall filter along with count to determine the source of the brute force attack. However i am not sure if "log" option on loopback works on all the junos devices.

     

    Also when the firewall filter is applied to the lo0 you may not see the SSH_FAILED attempt as it will be dropped before it hits the cpu.



  • 9.  RE: forcing access to junos device

     
    Posted 04-23-2020 22:12

    Hi Arix,

     

    If my answer resolved your queries then please mark it as "accepted solution" so that it can benefit others in the community.