Junos OS

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

    Posted 10-21-2021 12:13
    I'm in the US.  We have a SRX100 in the UK, that is getting beaten up with SSH login attempts.  It's used as a IPSec tunnel back to our DC.  Since these are older and no longer supported, all the while we're trying to get it funded for replacement, I need a method that will deny these attempts from causing performance issues and syslogs from rolling over every hour or two.  I'm relatively new with these, so my initial attempt was using the  set system login retry-options commands.  Lots of lockouts, but the hits keep on coming.

    Talked to someone about firewall filters, but have not written one that is successful as of yet.  Info I've found on the Juniper KB site is written more for still supported devices.

    Anyone have these in place still, and have configured them to ward off the SSH deluge?  Appreciate the help.


  • 2.  RE: SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

     
    Posted 10-21-2021 20:20
    Where are the ssh attempts from and to on the SRX?

    Hopefully you don't need ssh access open to internet facing interfaces.  so the process could be as simple as removing ssh as an allowed option for host inbound traffic on the internet zone.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

    Posted 10-22-2021 14:47
    Since its a small remote office,  the only way we can get to it is with SSH.   Telnet is turned off.  Is there a way to use a customized port number with SSH, so only that could access the interface?


  • 4.  RE: SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

     
    Posted 10-22-2021 16:26
    You mention an ipsec tunnel connecting the SRX to your office.  You could enable ssh on the private interfaces in the internal zones.

    And turn off ssh access to the internet facing zone and interfaces.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

    Posted 10-26-2021 05:40
    Know the KB that shows how to do that correctly ?  Thanks


  • 6.  RE: SRX100 12.1-X46-Dxx Beaten Up by SSH login attempts. How to stop them?

    Posted 10-23-2021 08:55
    I experienced around 2 weeks ago. There was a large spike of annoying attempts from many different IPs from multiple providers. Normally I'd get less than a handful of attempts per hour, but this was different: 20 attempts in quick succession by multiple IPs. Before I would block a subnet but it became too cumbersome. Instead of default allow and deny these subnets, I just default deny and only allow subnets I trust. I've always sent syslog to a remote server.

    I've disabled the logs for deny but kept counter information and am monitoring the OID. Attempts seemed to have tapered off significantly a week ago.

    For trusted SSH subnets the logs are still enabled.


    ------------------------------
    KEN LUI
    ------------------------------