Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

    Posted 08-31-2020 12:52

    Anyone else seeing log messages of late where SSH attempts are being received on NON ssh ports somehow? Only a full port block to the router's interfaces are effective:

     

     rtredge-[98208]: Failed password for [some name]from [multiple IP addresses] port [above 10000] ssh2

     

    Is there a new vulnerability for SSH for MX80s? Running 17.3 r3.10, using grp-apply firewall filters.


    #MX80SSH


  • 2.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.
    Best Answer

     
    Posted 08-31-2020 21:33

    That’s the source port, not destination. You probably need to look at your ssh filter again.



  • 3.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

     
    Posted 08-31-2020 22:42

    Hi CuddlyVampire,

     

    Greetings,

     

    The massive failed SSH Login attempts looks like unauthorized attempts to gain SSH access to device.

     

    Please mark "Accepted Solution" if this helps you solve your query. Kudos are always appreciated.

     

    Thanks 

    Suraj



  • 4.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

     
    Posted 08-31-2020 22:45

    Hi  CuddlyVampire,

     

    On ACX/MX/EX PPC based Series platforms, the commit error might occur and the firewall filters might not be applied to the interfaces when the firewall policer action is set with "forwarding-class".

     

    This issue might be seen if the following conditions are met:
    * On ACX/MX/EX PPC based Series platforms
    * Configuring firewall policer action with "forwarding-class"

     

    The issue is Resolved-In
    junos:17.3R3-S7 junos:17.4R3 junos:18.1R3-S8 junos:18.2R3-S2 junos:18.3R3 junos:18.4R2-S2 junos:18.4R3 junos:19.1R2 junos:19.2R2 junos:19.3R1 junos:19.3R2 junos:19.4R1 junos:20.1R1

     

    Please let me know if you have other concerns

     

    Please mark "Accepted Solution" if this helps you solve your query. Kudos are always appreciated.

     

    Thanks

    Suraj



  • 5.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

    Posted 11-17-2020 03:14
    Edited by wqmeng 11-17-2020 03:14
    Hello CuddlyVampire

    Do you resolve this matter?  I also can not totally block the SSH login attempt in my route.  Which each the CPU much.

    I running  Junos: 17.4R3.16

    > show system processes extensive | match ssh | count
    Count: 151 lines

    I have add the filter on the lo0 interface of this route, still not effective.
    I also changed the SSH port to be over 10000,  but NOT work too.

    Thank you.



  • 6.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

    Posted 11-17-2020 03:20
    show system connections - will show you used ports. 
    If netconf enabled in system , it will use port 830 (be default), and also will be displayed as ssh in processes

    ------------------------------
    Anatoliy
    ------------------------------



  • 7.  RE: SSH arriving on ephemeral ports on MX80, above 10000 -- ssh block filters not effective.

    Posted 11-17-2020 09:46
    Edited by wqmeng 11-17-2020 09:47
    Hi akushner

    After I use your command the result to me surprise that there are many many connection to 830 port in this router from outside source and to many gateway IPs of the VLans setting up in this system.

    Then I blocked the 830 port from outside, which immediately reduce the CPU usage to be normal.

    You save my life.

    Thank you so much.