Junos OS


Filter SSH access in interfaces and BGP neighbors

  • 1.  Filter SSH access in interfaces and BGP neighbors

    Posted 02-10-2015 23:51

    Hi, I would like to do 2 filters in my Juniper M10i.

     

    1) Permit SSH only from two ranges: I have several interfaces in this FW with public and private addressing. I would like to restrict SSH access to 1 public range and 1 private range. Is there any way to create a "general" filter in order to permit only these 2 ranges without applying it on the interfaces? Or should I apply this filter on all my interfaces?

     

    set firewall family inet filter local_acl term terminal_access from address 192.168.1.0/24
    set firewall family inet filter local_acl term terminal_access from address 13.16.2.0/24
    set firewall family inet filter local_acl term terminal_access from protocol tcp
    set firewall family inet filter local_acl term terminal_access from port ssh
    set firewall family inet filter local_acl term terminal_access then accept
    set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
    set firewall family inet filter local_acl term terminal_access_denied from port ssh
    set firewall family inet filter local_acl term terminal_access_denied from port telnet
    set firewall family inet filter local_acl term terminal_access_denied then log
    set firewall family inet filter local_acl term terminal_access_denied then reject
    set firewall family inet filter local_acl term default-term then accept


    set interfaces ALL THE INTERFACES (ONE BY ONE) unit 0 family inet filter input local_acl

     

     

     

    2) BGP only from my known neighbours: I want to receive BGP from my neighbours.

     

     

    set firewall filter bgp-filter term regla_bgp1 from 4x.1x.1x2.7 
    set firewall filter bgp-filter term regla_bgp2 from 4x.1x.1x2.7
    set firewall filter bgp-filter term regla_bgp3 from 4x.1x.1x2.6
    set firewall filter bgp-filter term regla_bgp4 from protocol tcp
    set firewall filter bgp-filter term regla_bgp5 from port bgp
    set firewall filter bgp-filter term default then accept

     

     

    [edit interfaces ge-0/0/3.0 unit 0 family inet]    (interface to BGP)
    filter {
        input bgp-filter;
    }

     

    ------------------------------------

     

    Please let me know if this filter would work for what I want, and if there is another, easier way to do it?



  • 2.  RE: Filter SSH access in interfaces and BGP neighbors

     
    Posted 02-11-2015 00:00

    For 1, you need to apply the filter on loopback interface. In this way, it doesn't matter from which interface the traffic is coming because it will be blocked anyway by the filter from the loopback interface.

     

    For 2, the better way is to use apply-path feature to match all your BGP neighbors.

     

    You can find an example here:

     

    http://nextheader.net/2014/11/21/apply-path-and-apply-flags-omit-on-junos/

     

    You should combine these two filters in one single filter with multiple terms and apply it on loopback interface.




    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Filter SSH access in interfaces and BGP neighbors

    Posted 02-11-2015 02:27

    I prefer to configure each filter on each interface. I'm not very comfortable doing terms and filters; it's easier in 2 separate ones.

     

    So would these commands work?

    Should family inet be dropped from the SSH filter?

     

    set firewall ¿family inet? filter local_acl term terminal_access from address 192.168.1.0/24
    set firewall family inet filter local_acl term terminal_access from address 13.16.2.0/24
    set firewall family inet filter local_acl term terminal_access from protocol tcp
    set firewall family inet filter local_acl term terminal_access from port ssh
    set firewall family inet filter local_acl term terminal_access then accept
    set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
    set firewall family inet filter local_acl term terminal_access_denied from port ssh
    set firewall family inet filter local_acl term terminal_access_denied from port telnet
    set firewall family inet filter local_acl term terminal_access_denied then log
    set firewall family inet filter local_acl term terminal_access_denied then reject
    set firewall family inet filter local_acl term default-term then accept   (IS THIS LINE CORRECT????)

     

    set interfaces lo0 unit 0 family inet filter input local_acl

    --------------------------------


    set firewall filter bgp-filter term regla_bgp1 from 4x.1x.1x2.7
    set firewall filter bgp-filter term regla_bgp2 from 4x.1x.1x2.7
    set firewall filter bgp-filter term regla_bgp3 from 4x.1x.1x2.6
    set firewall filter bgp-filter term regla_bgp4 from protocol tcp
    set firewall filter bgp-filter term regla_bgp5 from port bgp
    set firewall filter bgp-filter term default then accept


    [edit interfaces ge-0/0/3.0 unit 0 family inet]
    filter {
        input bgp-filter;
    }

     

     

     

     

     

     

    Thanks a lot.



  • 4.  RE: Filter SSH access in interfaces and BGP neighbors

     
    Posted 02-11-2015 02:53

    I strongly recommend you take parau's (and just about everyone else who worked with Junipers for many years) advice and use the loopback filter only.  There is no need to configure a per-interface filter, it's easier to troubleshoot, and it's more secure.

     

    Your filter example will allow SSH from those subnets, deny SSH from anywhere else, but also allow *any* other traffic to your RE, which is not very secure.  SSH is not the only protocol by which someone can attack your router.  This is why the RE needs a solid firewall filter applied to it:

     

    http://www.juniper.net/as/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/

     

    Your second filter does nothing - it allows BGP from those IP addresses, but also allows everything as the default action.  The apply-path feature is also the easiest method to ensure that only your configured BGP neighbors (or any other type of 'neighbor' or 'adjacency') can communicate with your router's RE. 



  • 5.  RE: Filter SSH access in interfaces and BGP neighbors

    Posted 02-11-2015 04:00

    I saw this web page: http://www.dummies.com/how-to/content/how-to-protect-the-junos-routing-engine.html

    I only want to filter SSH access to administer the FW on all its interfaces by source IPs, and BGP neighbors.

     

    I put my config together following the manuals. I don't understand the last sentence (then) at all. Please check if these commands would be OK. I'm a bit scared of losing connectivity to the device while doing it remotely. Thanks.

     

     

    [edit firewall-filter protect-routing-engine]
    set term ssh-filter from 192.168.1.0/24
    set term ssh-filter from 13.16.2.0/24
    set term ssh-filter from protocol tcp
    set term ssh-filter from destination-port ssh
    set term ssh-filter then accept
    set term discard-the-rest then reject

     

    --------------------

     

    CLI FOR BGP FILTER

     

    set policy-options prefix-list aa apply-path "protocols bgp group <*> neighbor <*>"

     

    [edit firewall-filter protect-routing-engine]

    set term bgp-filter from prefix-list bgp-peers

    set term bgp-filter1 then accept 

    set term bgp-filter2 then OTHER then reject

     

    -------------

    APPLY BOTH FILTERS

     

    set lo0 unit 0 family inet filter input protect-routing-engine

     



  • 6.  RE: Filter SSH access in interfaces and BGP neighbors

     
    Posted 02-11-2015 06:00

    First off, you don't have to be afraid to commit any configuration if you use "commit confirmed <time>".  That command will allow you to put a number of minutes in before the commit is rolled back to the previous configuration if the config is not committed again within that time period (https://www.juniper.net/techpubs/en_US/junos10.3/topics/task/configuration/junos-cli-configuration-activating-after-confirming.html). 

     

    Second, if you are concerned about traffic rates and DoS/DDoS traffic hitting your routing engine, I would not use the 'reject' action - reject will send an ICMP 'port unreachable' back to the source IP which adds to the load and overall problem.  I always use 'discard', which silently drops the packet.

     

    Third, remember that this filter is applied to the loopback, which means it handles ALL traffic to the RE.  SSH is not the only traffic you want to see hit your loopback.  For instance, this is a sample of what I might allow on my routers in the loopback filter:

     

    tcp-established traffic

    SNMP

    NTP

    DNS

    BGP

    traceroute ports

    LDP

    RSVP

    VRRP

    ICMP echo-request/echo-response

     

    Then we would 'discard' and log all other traffic.

     

    If, in fact, all you wanted was to allow BGP and SSH, this is how you could construct your filter:

     

    set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>"

    [edit firewall family inet filter protect-routing-engine]
    set term ssh-filter from source-address 192.168.1.0/24
    set term ssh-filter from source-address 13.16.2.0/24
    set term ssh-filter from protocol tcp
    set term ssh-filter from destination-port ssh
    set term ssh-filter then accept
    set term bgp-filter from prefix-list bgp-peers
    set term bgp-filter from protocol tcp
    set term bgp-filter from port bgp
    set term bgp-filter then accept
    set term discard-the-rest then discard

    Again, this is a rule that ONLY allows the above traffic and nothing else.  You need to make sure that you don't have other protocols or services running on your router.  One way you can check and see what is currently running is to look at the system connections (in operational mode, not config mode):

     

    show system connections

    Doing so will help you understand what else is currently running on the router and build a good RE protection filter from that information.

     

    And, as I said, don't forget to use the 'commit confirmed 2' command, which will roll back the configuration automatically if the config is not committed again within 2 minutes.  You can set the '2' to any time period you like, such as '5' minutes or '1' minute.  Just remember to commit the configuration before the timer runs out if you are satisfied your changes are working.
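    The pieces this reply describes (apply-path prefix-list, per-service terms, a silent discard at the end, the filter on lo0, and commit confirmed) assembled into one complete loopback filter for the scenario in this thread. This is an added example, not configuration from the thread or from Juniper; the filter, prefix-list and counter names (protect-re, mgmt-hosts, bgp-peers, discard-re) are assumed, the two management ranges are the ones the poster gave above, and the lines starting with # are explanation rather than CLI input.

```junos
# Added example: complete RE-protection filter. Names are assumed, not from the thread.

# Management sources allowed to SSH to the router (the two ranges from the question)
set policy-options prefix-list mgmt-hosts 192.168.1.0/24
set policy-options prefix-list mgmt-hosts 13.16.2.0/24

# Every configured BGP neighbor, kept in sync automatically via apply-path
set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>"

# Return traffic for TCP sessions the router itself opened (outbound BGP, SCP, etc.)
set firewall family inet filter protect-re term tcp-established from protocol tcp
set firewall family inet filter protect-re term tcp-established from tcp-established
set firewall family inet filter protect-re term tcp-established then accept

# SSH only from the two management ranges
set firewall family inet filter protect-re term ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term ssh from protocol tcp
set firewall family inet filter protect-re term ssh from destination-port ssh
set firewall family inet filter protect-re term ssh then accept

# BGP only from configured neighbors; "port" matches source or destination 179,
# so it covers sessions opened from either side
set firewall family inet filter protect-re term bgp from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp from port bgp
set firewall family inet filter protect-re term bgp then accept

# Keep ping and traceroute working in both directions
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp from icmp-type [ echo-request echo-reply time-exceeded unreachable ]
set firewall family inet filter protect-re term icmp then accept

# Everything else: count, log, and silently discard (no ICMP reply, as advised above)
set firewall family inet filter protect-re term discard-the-rest then count discard-re
set firewall family inet filter protect-re term discard-the-rest then log
set firewall family inet filter protect-re term discard-the-rest then discard

# Apply once, on the loopback, so it covers RE-bound traffic arriving on any interface
set interfaces lo0 unit 0 family inet filter input protect-re

# Commit with an automatic rollback, confirm only once a fresh SSH login still works
commit confirmed 2
commit
```

    Because the filter sits on lo0 it only sees traffic addressed to the routing engine; transit traffic through the router is not touched. After the commit, `show firewall filter protect-re` shows the discard-re counter and `show firewall log` shows what hit the last term, which is the quickest way to spot a service you forgot to allow before the two-minute timer runs out. The filter is family inet only; if the router also has IPv6 peers or management, a separate family inet6 filter on lo0 is needed.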

     



  • 7.  RE: Filter SSH access in interfaces and BGP neighbors

    Posted 02-11-2015 22:37

    evt, thank you so much for your response. I thought to do "request system reboot at time (in minutes)" around the commit. I didn't know about this "commit confirmed". Thanks.

     

    A question: if I use the filter only permitting SSH and BGP, and there is a connection from untrust to inside my network to a Windows server using the RDP protocol, would this connection be allowed, or would the filter only permit SSH and BGP connections on all my interfaces? I'm not sure if this only applies to the RE or to all connections.

     

    So I only want to permit SSH from several IPs and BGP from neighbours; isn't there any easier way? I think you mean that I should create a very long filter with all the protocols allowed. But in reality I only want to permit SSH to access the router (NO FTP, NO TELNET) and BGP only from configured neighbors.

     

    I attached the system connections. I want to permit all the other ports (except FTP and telnet to access the router; the other ports have to be open).

     

    Proto Recv-Q Send-Q Local Address Foreign Addre ss (state)
    tcp4 0 0 4x.x5.1xx.xx.22 1xxxx.1xxx .57307 ESTABLISHED
    tcp4 0 0 4x.xx.1xx.x.22 1x.x.xxxx6 .45254 ESTABLISHED
    tcp4 0 0 4x.x5.1xx.1.22 xxxxxxx .45682 ESTABLISHED
    tcp4 0 52 xxxx 22 xxxx 427 ESTABLISHED
    tcp4 0 0 x 23 xxxxxxx 1.49324 ESTABLISHED
    tcp4 0 0 *.22 *.* LISTEN
    tcp4 0 0 4xx.xx.1xx.1.179 xx.x.xx                9385 ESTABLISHED
    tcp4 0 0 x.xx.1xx.1.179 xx.xx.112.3.6        0476 ESTABLISHED
    tcp4 0 0 xxxx.1xx.1.56457 4xxx.2.1             79 ESTABLISHED
    tcp46 0 0 *.179 *.* LISTEN
    tcp4 0 0 *.179 *.* LISTEN
    tcp4 0 0 xxx.0.0.1.6985 xxx.0.1.17.26626 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6234 xxx.0.1.17.26625 ESTABLISHED
    tcp4 0 0 xxxx.0.0.1.7000 xxx.0.1.17.26624 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6985 xxx.0.1.16.7170 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6234 xx.0.1.16.7169 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.7000 xx.0.1.16.7168 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6021 xxx.0.0.2.53249 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6234 xxx.0.0.2.53250 ESTABLISHED
    tcp4 0 0 xxx.0.0.1.6011 xxx.0.0.2.53252 ESTABLISHED
    tcp4 0 0 xxx.0.0.4.9000 xxx.0.0.4.49356 ESTABLISHED
    tcp4 0 0 xxx.0.0.4.49356 1xx.0.0.4.9000 ESTABLISHED
    tcp4 0 0 xxx.0.0.4.9000 xxx.0.0.4.63421 ESTABLISHED
    tcp4 0 0xxx.0.0.4.63421 xx.0.0.4.9000 ESTABLISHED
    tcp4 0 0 xxx.0.0.4.9000 1xxx.0.0.4.61844 ESTABLISHED
    tcp4 0 0 xxx.0.0.4.61844 1xx.0.0.4.9000 ESTABLISHED
    tcp4 0 0 *.6985 *.* LISTEN
    tcp4 0 0 *.6988 *.* LISTEN
    tcp4 0 0 *.9000 *.* LISTEN
    tcp4 0 0 *.6161 *.* LISTEN
    tcp4 0 0 *.6171 *.* LISTEN
    tcp4 0 0 *.6156 *.* LISTEN
    tcp4 0 0 *.51627 *.* LISTEN
    tcp4 0 0 *.6151 *.* LISTEN
    tcp4 0 0 *.32003 *.* LISTEN
    tcp4 0 0 *.31343 *.* LISTEN
    tcp4 0 0 *.31341 *.* LISTEN
    tcp4 0 0 *.6152 *.* LISTEN
    tcp4 0 0 *.666 *.* LISTEN
    tcp4 0 0 *.7000 *.* LISTEN
    tcp4 0 0 *.6021 *.* LISTEN
    tcp4 0 0 *.38 *.* LISTEN
    tcp4 0 0 *.10798 *.* LISTEN
    tcp4 0 0 *.6011 *.* LISTEN
    tcp4 0 0 *.23 *.* LISTEN
    tcp4 0 0 *.21 *.* LISTEN
    tcp4 0 0 *.514 *.* LISTEN
    tcp4 0 0 *.513 *.* LISTEN
    tcp4 0 0 *.6234 *.* LISTEN
    udp46 0 0 *.514 *.*
    udp4 0 0 *.514 *.*
    udp46 0 0 *.63015 *.*
    udp4 0 0 *.58700 *.*
    udp4 0 0 *.31342 *.*
    udp46 0 0 *.161 *.*
    udp4 0 0 *.161 *.*
    udp4 0 0 *.6123 *.*
    udp4 0 0 *.6123 *.*
    udp4 0 0 *.49153 *.*
    udp4 0 0 *.3503 *.*
    udp4 0 0 *.31340 *.*
    udp4 0 0 *.31340 *.*
    udp46 0 0 *.49152 *.*
    udp46 0 0 *.4784 *.*
    udp46 0 0 *.3784 *.*
    udp4 0 0 *.49152 *.*
    udp4 0 0 *.4784 *.*
    udp4 0 0 *.3784 *.*
    udp4 0 0 *.6333 *.*
    ip4 0 0 *.* *.*
    ip4 0 0 *.* *.*
    ip4 0 0 *.* *.*
    ip4 0 0 *.* *.*
    ip4 0 0 *.* *.*
    ip4 0 0 *.* *.*



  • 8.  RE: Filter SSH access in interfaces and BGP neighbors
    Best Answer

     
    Posted 02-12-2015 02:27

    The loopback filter is used to only protect the router's routing engine. It does nothing for transit traffic to devices behind or in front of your router. As such, it only makes sense to allow those ports and services that are currently running on your router. The filter example I gave you earlier should give you a good start. Just add terms to allow other services if you need them. You can combine multiple services into a single term if they have the same protocol (TCP or UDP). It looks like all you might want to add are telnet, ftp, and snmp. 

     

    The Day One book I linked should explain all of this.
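    The Best Answer's advice to add terms for the remaining services, grouping those that share a protocol into a single term, as an added example that is not from the thread or from Juniper. It assumes a loopback filter named protect-re whose last term is discard-the-rest, an existing prefix-list mgmt-hosts holding the management ranges, and a constructed poller address 192.168.1.10/32; all of these names and values are assumptions. Lines starting with # are explanation, not CLI input.

```junos
# Added example: extending an existing RE filter (assumed name protect-re) with the
# services the Best Answer names. Names and the poller address are assumed.

# telnet and ftp are both TCP, so one term covers them; restricting them to the
# management ranges keeps the cleartext protocols off the public-facing sources
set firewall family inet filter protect-re term mgmt-tcp from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term mgmt-tcp from protocol tcp
set firewall family inet filter protect-re term mgmt-tcp from destination-port [ telnet ftp ]
set firewall family inet filter protect-re term mgmt-tcp then accept

# SNMP is UDP, so it needs its own term; limit it to the poller(s)
set policy-options prefix-list snmp-pollers 192.168.1.10/32
set firewall family inet filter protect-re term snmp from source-prefix-list snmp-pollers
set firewall family inet filter protect-re term snmp from protocol udp
set firewall family inet filter protect-re term snmp from destination-port snmp
set firewall family inet filter protect-re term snmp then accept

# New terms are appended after the catch-all discard by default, where they would
# never match, so move them in front of it before committing
insert firewall family inet filter protect-re term mgmt-tcp before term discard-the-rest
insert firewall family inet filter protect-re term snmp before term discard-the-rest

commit confirmed 2
commit
```

    After the commit, `show firewall filter protect-re` lists the per-term counters (a still-climbing discard counter means something the router relies on is not yet allowed), `show firewall log` shows the source, protocol and port of each logged discard, and `show system connections` shows which listeners still have no matching term. The listener list in this thread also shows tcp46 sockets, so the same exercise is needed for family inet6 if IPv6 reaches the RE.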