Junos OS




  • 1.  SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

    Posted 05-05-2022 05:38
    We have a couple of SRX345's as Internet routers, that are being bombed with SSH login attempts.  We have root-deny configured, and the old login attempt retry-options commands, but the hits keep on coming and fill the logs.  I've tried this filter, but it doesn't seem to work.  What am I missing:

    set policy-options prefix-list ALLOWED-HOSTS 1.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 2.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 3.2.3.100/32
    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS except
    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept
    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    Thanks


  • 2.  RE: SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

     
    Posted 05-05-2022 09:57
    You're negating the allowed hosts list with the except keyword and letting the opposite through. You want 'set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS'


  • 3.  RE: SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

    Posted 05-06-2022 08:24
    Hi,

    Try this config

    set policy-options prefix-list ALLOWED-HOSTS 1.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 2.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 3.2.3.100/32

    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term SSH then policer RE-HIGH-POLICER
    set firewall family inet filter ALLOWED-SSH term SSH then count ssh-traffic
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept

    set firewall policer RE-HIGH-POLICER if-exceeding bandwidth-limit 20m
    set firewall policer RE-HIGH-POLICER if-exceeding burst-size-limit 256k
    set firewall policer RE-HIGH-POLICER then discard


    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    ------------------------------
    DEMNA IMAD
    ------------------------------
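As an added illustration (not from this thread or from Juniper), a small Python model of how Junos evaluates a stateless firewall filter: terms in order, first match wins, implicit discard at the end. It shows why the `except` keyword in the original filter admits unknown sources while blocking the listed hosts, and why a loopback filter needs a final accept term so other control-plane traffic such as BGP is not dropped. The packets are constructed; the prefix list is the one from the thread.

```python
# Added example (not from the thread or from Juniper): a minimal model of
# Junos stateless firewall-filter evaluation. Terms are checked in order, the
# first matching term's action wins, and an unmatched packet is discarded.
import ipaddress

# Prefix list from the original post.
ALLOWED_HOSTS = [ipaddress.ip_network(p) for p in
                 ("1.2.3.1/32", "2.2.3.1/32", "3.2.3.100/32")]


def term(name, action, src_list=None, src_except=False, dport=None, proto=None):
    """One filter term; 'from' conditions are ANDed, src_except models 'except'."""
    def matches(pkt):
        if src_list is not None:
            hit = any(ipaddress.ip_address(pkt["src"]) in p for p in src_list)
            if hit == src_except:      # plain list needs a hit; 'except' needs a miss
                return False
        if dport is not None and pkt["dport"] != dport:
            return False
        if proto is not None and pkt["proto"] != proto:
            return False
        return True
    return (name, matches, action)


def evaluate(terms, pkt):
    """Return (term_name, action) of the first matching term, else implicit discard."""
    for name, matches, action in terms:
        if matches(pkt):
            return name, action
    return "implicit", "discard"


# Original post: the 'except' keyword inverts the prefix-list match.
BROKEN = [term("SSH", "accept", ALLOWED_HOSTS, src_except=True, dport=22, proto="tcp"),
          term("BLOCK-SSH", "discard", dport=22, proto="tcp"),
          term("ACCEPT-ALL", "accept")]
# Reply 2: the same filter without 'except'.
FIXED = [term("SSH", "accept", ALLOWED_HOSTS, dport=22, proto="tcp"),
         term("BLOCK-SSH", "discard", dport=22, proto="tcp"),
         term("ACCEPT-ALL", "accept")]
# A lo0 filter with no final accept term: everything else to the RE is dropped.
NO_FINAL_ACCEPT = FIXED[:2]

if __name__ == "__main__":
    admin = {"src": "1.2.3.1", "dport": 22, "proto": "tcp"}          # constructed
    stranger = {"src": "203.0.113.9", "dport": 22, "proto": "tcp"}   # constructed
    bgp_peer = {"src": "203.0.113.9", "dport": 179, "proto": "tcp"}  # constructed
    for label, f in (("broken", BROKEN), ("fixed", FIXED), ("no-final", NO_FINAL_ACCEPT)):
        for who, pkt in (("admin", admin), ("stranger", stranger), ("bgp", bgp_peer)):
            print(label, who, evaluate(f, pkt))
```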