SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper ports scan

    Posted 02-20-2020 02:48

    We have a number of SRX routers that have flagged up issues with a port scan that was done via nmap. A number of TCP and UDP ports were showing as open, so I would like to know which ports come open out of the box on these SRXs. Is there any command to check which ports are open (not which services are using the ports) out of the box when these SRXs are initially configured, rather than using: show system connections | no-more, which lists the services opening ports?

     

    Secondly, we tried the template below to lock them down; however, ports like ntp and snmp are still showing as allowed. I know we only allowed ssh for specific IPs, but what would be the best approach to lock these units down to a specific ssh port only? Also, we use BGP on these units too, so will TCP 179 need unblocking as well?

    set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
    set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
    set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22

     

    set interfaces lo0 unit 0 family inet filter input local_inbound

     

    set policy-options prefix-list admin_ssh_clients out office IP/32
    set policy-options prefix-list admin_ssh_clients CPE WAN IP range /31

     

    set firewall family inet filter local_inbound term block_other_telnet from protocol tcp
    set firewall family inet filter local_inbound term block_other_telnet from destination-port 23
    set firewall family inet filter local_inbound term block_other_telnet then discard
    set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
    set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
    set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
    set firewall family inet filter local_inbound term block_other_ssh from protocol tcp
    set firewall family inet filter local_inbound term block_other_ssh from destination-port 22
    set firewall family inet filter local_inbound term block_other_ssh then discard
    set firewall family inet filter local_inbound term accept then accept

     

    The nmap port scan has flagged up the following with a TCP scan, but we know a number of UDP ports are also OPEN.

     

    Not shown: 64737 filtered ports, 794 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
    | ssh-hostkey:

    179/tcp open bgp (connection rejected)
    2000/tcp open cisco-sccp?
    5060/tcp open tcpwrapped


  • 2.  RE: Juniper ports scan

    Posted 02-20-2020 03:07

    Check out the free Juniper book Hardening Junos Devices.

     

    https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

     

    This walks through how to set up the restrictions you are looking for.

     



  • 3.  RE: Juniper ports scan

    Posted 02-20-2020 03:27

    Thanks for your reply.

     

    Are you saying we will have to individually close these ports by writing a number of commands for each service? Will this not be a lengthy and time-consuming process?



  • 4.  RE: Juniper ports scan

    Posted 02-20-2020 06:34

    Simon,

     

    I don't think there is a command for confirming the open ports, but you have already done this with the port scan test anyway.

    Note that the firewall filters have an implicit deny action at the end of the term chain, so you only need to specify the ports and the addresses you want to allow; the rest will be blocked by default:

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

     

    Hope this helps you.
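    A worked illustration of the implicit-deny point above, added here and not part of the thread: a minimal model of Junos top-to-bottom term evaluation, run over the lo0 filter Simon posted and over a hardened variant without the trailing catch-all term. The prefix-list addresses, the BGP peer address and the sample packets are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Prefix list "admin_ssh_clients" from the post; the addresses are constructed
# placeholders standing in for "out office IP/32" and the CPE WAN /31.
ADMIN_SSH_CLIENTS = [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/31")]
BGP_PEERS = [ip_network("192.0.2.1/32")]  # constructed BGP neighbour address

# Terms in configured order as (name, match, action). Junos evaluates terms
# top to bottom and stops at the first match; a term with no "then" accepts.
POSTED_FILTER = [
    ("block_other_telnet", {"proto": "tcp", "dport": 23}, "discard"),
    ("allow_admin_ssh", {"proto": "tcp", "dport": 22, "src": ADMIN_SSH_CLIENTS}, "accept"),
    ("block_other_ssh", {"proto": "tcp", "dport": 22}, "discard"),
    ("accept", {}, "accept"),  # catch-all: this is why ntp/snmp still got through
]

# Hardened variant: no catch-all, so the implicit discard at the end of the
# chain applies; BGP is allowed explicitly in both directions from the peer
# (replies to sessions the SRX itself initiates carry source port 179).
HARDENED_FILTER = [
    ("allow_admin_ssh", {"proto": "tcp", "dport": 22, "src": ADMIN_SSH_CLIENTS}, "accept"),
    ("allow_bgp", {"proto": "tcp", "dport": 179, "src": BGP_PEERS}, "accept"),
    ("allow_bgp_reply", {"proto": "tcp", "sport": 179, "src": BGP_PEERS}, "accept"),
]

def term_matches(match, pkt):
    """True when every configured 'from' condition of the term matches pkt."""
    for key in ("proto", "dport", "sport"):
        if key in match and pkt.get(key) != match[key]:
            return False
    if "src" in match and not any(ip_address(pkt["src"]) in n for n in match["src"]):
        return False
    return True

def evaluate(terms, pkt):
    """Return (term_name, action); unmatched traffic hits the implicit discard."""
    for name, match, action in terms:
        if term_matches(match, pkt):
            return name, action
    return "implicit", "discard"

SAMPLE_PACKETS = {  # constructed packets: protocol, destination port, source
    "ssh_from_admin": {"proto": "tcp", "dport": 22, "src": "203.0.113.10"},
    "ssh_from_scanner": {"proto": "tcp", "dport": 22, "src": "192.0.2.99"},
    "snmp_from_scanner": {"proto": "udp", "dport": 161, "src": "192.0.2.99"},
    "bgp_from_peer": {"proto": "tcp", "dport": 179, "src": "192.0.2.1"},
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(label, evaluate(POSTED_FILTER, pkt), evaluate(HARDENED_FILTER, pkt))
```

    A real lo0 filter also needs terms for the SRX's own client traffic and its replies (DNS, NTP, ICMP and so on), which the Hardening Junos Devices book linked above walks through.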

     



  • 5.  RE: Juniper ports scan

    Posted 02-21-2020 02:02

    Hello

     

    The box has no ports listening by default if you do not activate the feature (ssh, https, BGP, ospf...) and flag it on the zone or interface.

    Examples:

    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services snmp-trap

     

    If you scan devices behind the firewall, then this is the normal behavior with the TCP SYN flood screening protection feature activated.

    The port is NOT really open. The traffic does not cross the firewall.

     

    If too many TCP SYNs are received on the SRX for the same destination, the SRX begins to act as a proxy by answering with SYN-ACK.

    See figure: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-network-dos-attack.html#id-90993

    Then it waits to receive the final ACK from the source. If it is not received, then it might be a SYN flood attack.

     

    Please verify your settings: show security screen ids-option <screen-name>

    You can also see if a match occurred: show security screen statistics zone <zone>

     

    Regards
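    A toy model of the SYN-proxy behaviour described in this reply, added as an illustration and not part of the thread or of Junos itself: once SYNs to one destination exceed a threshold, the firewall answers SYN-ACK on the host's behalf and waits for the client's final ACK, so a SYN-only probe reports "open" on ports nothing is serving. The threshold, addresses and port list are constructed and do not reflect any SRX default.

```python
class SynProxyScreen:
    """Toy SYN-flood screen: forwards SYNs until a per-destination rate is
    exceeded, then answers SYN-ACK itself and waits for the client's ACK."""

    def __init__(self, attack_threshold, listening_ports=()):
        self.attack_threshold = attack_threshold      # SYNs per interval to one destination IP (constructed)
        self.listening_ports = set(listening_ports)   # ports a host behind the SRX really serves
        self.syn_count = {}   # destination IP -> SYNs seen in the current interval
        self.half_open = {}   # (src, (dst_ip, port)) -> True while awaiting the final ACK

    def on_syn(self, src, dst):
        """Return what the probing client sees in reply to a SYN to dst=(ip, port)."""
        dst_ip, port = dst
        self.syn_count[dst_ip] = self.syn_count.get(dst_ip, 0) + 1
        if self.syn_count[dst_ip] > self.attack_threshold:
            # Proxy mode: the SRX replies on behalf of the host, so the probe
            # sees SYN-ACK whether or not anything is listening on that port.
            self.half_open[(src, dst)] = True
            return "SYN-ACK (proxied by SRX)"
        # Below the threshold the SYN is forwarded and the real host answers.
        return "SYN-ACK (from host)" if port in self.listening_ports else "RST"

    def on_ack(self, src, dst):
        """Final ACK from the client completes a proxied handshake."""
        if self.half_open.pop((src, dst), False):
            return "handshake to host" if dst[1] in self.listening_ports else "host refuses, session dropped"
        return "no proxied session"

    def pending(self):
        """Proxied handshakes still waiting for an ACK: the flood indicator."""
        return len(self.half_open)

def half_open_scan(screen, src, dst_ip, ports):
    """Model a SYN-only probe: one SYN per port, the final ACK is never sent."""
    return {port: screen.on_syn(src, (dst_ip, port)) for port in ports}

if __name__ == "__main__":
    # Constructed scenario: only 22/tcp is really served; threshold is 3 SYNs.
    screen = SynProxyScreen(attack_threshold=3, listening_ports={22})
    results = half_open_scan(screen, "192.0.2.99", "203.0.113.5", [21, 22, 23, 179, 2000, 5060])
    for port, reply in results.items():
        print(f"{port:5}/tcp -> {reply}")
    print("half-open proxied sessions:", screen.pending())
```

    The count returned by pending() is the kind of figure the show security screen statistics command quoted above reports as SYN-flood matches.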



  • 6.  RE: Juniper ports scan

    Posted 03-31-2020 13:45

    Hi Simon

     

    Were you able to resolve the situation?