Hi all,
It's my first time posting in the Juniper community; I hope I chose the correct words to describe my issue. I work for an enterprise ISP. Recently we installed a Juniper ACX2200 router and we have the following issues:
Firewall filters can't be applied on a loopback interface as in older versions of JUNOS. We have to apply the filters to the L3 interfaces we want to protect.
https://supportportal.juniper.net/s/article/ACX-Firewall-filter-applying-to-loopback-interface-not-supported-on-ACX?language=en_US
We used those filters on the loopback interface to protect remote access to the router and other protocols such as BGP or VRRP, for example. Here is an example of the filters we applied in older versions:
lo0 {
    unit 0 {
        family inet {
            filter {
                input protect-RE;
            }
            address 127.0.0.1/32;
        }
    }
}
-> firewall filter protect-RE:
term accept_telnet {
    from {
        source-address {
            X.X.X.X/32;
        }
        protocol tcp;
        destination-port telnet;
    }
    then accept;
}
... more filters
term discard-rest {
    then {
        log;
        syslog;
        discard;
    }
}
Now if I apply the filter above on my router's client L3 interface, everything going through the router will be rejected. So I worked around it this way:
family inet {
    filter protect-RE {
        term accept-telnet {
            from {
                source-address {
                    myNetworkIp/32;
                }
                destination-address {
                    myInterfacesIp/32;
                }
                protocol tcp;
                destination-port telnet;
            }
            then accept;
        }
        term deny-telnet {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    myInterfacesIp/32;
                }
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term accept-ssh {
            from {
                source-address {
                    myNetworkIp/32;
                }
                destination-address {
                    myInterfacesIp/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny-ssh {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    myInterfacesIp/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                reject;
            }
        }
        term accept-rest {
            then {
                log;
                syslog;
                accept;
            }
        }
    }
}
The problem is that I still have people trying to log in on the router:
Aug 31 05:10:36.778 2023 W.11.15065.26-primary login: Login attempt for user root from host 223.8.200.190
Aug 31 05:10:37.215 2023 W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
Aug 31 05:10:37.222 2023 W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:37.735 2023 W.11.15065.26-primary login[14666]: Login attempt for user root from host 223.8.200.190
Aug 31 05:10:38.275 2023 W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
Aug 31 05:10:38.282 2023 W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:43.526 2023 W.11.15065.26-primary login[14666]: Login attempt for user root from host 223.8.200.190
Aug 31 05:10:44.068 2023 W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
Aug 31 05:10:44.075 2023 W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:44.077 2023 W.11.15065.26-primary login[14666]: LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
Aug 31 05:10:44.078 2023 W.11.15065.26-primary login[14666]: 3 LOGIN FAILURES FROM 223.8.200.190
Aug 31 05:10:44.080 2023 W.11.15065.26-primary login[14666]: 3 LOGIN FAILURES FROM 223.8.200.190, root
Aug 31 05:10:57.581 2023 W.11.15065.26-primary login: Login attempt for user admin from host 223.8.200.190
Aug 31 05:10:58.017 2023 W.11.15065.26-primary login[14668]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user admin
Aug 31 05:10:58.025 2023 W.11.15065.26-primary login[14668]: LOGIN_FAILED: Login failed for user admin from host 223.8.200.190
If I try to access the router via telnet or ssh, I can't; it is protected, and I don't see any log of my attempt. Can someone tell me which other protocol these guys can be using to try to log in on the router?
Hope you understand my issue.
Best Regards,
Diogo Figueiredo
------------------------------
DIOGO BALTAZAR
------------------------------
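As an added example (not part of the original post or of Junos itself), a small Python script that parses the Junos `login` syslog format quoted in the post, counts `LOGIN_FAILED` events per source host and user, and lists the hosts that fall outside a management prefix. The log lines, hostname, PIDs, addresses and the management prefix `10.20.0.0/16` are all constructed for the example; any host reported by it reached the RE's login service, so it shows which sources the interface filter did not cover.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Junos "login" syslog format shown in the post;
# hostname, PIDs and addresses are illustrative, not real observations.
SAMPLE_LOG = """\
Aug 31 05:10:36.778 2023 rtr-primary login: Login attempt for user root from host 192.0.2.10
Aug 31 05:10:37.222 2023 rtr-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 192.0.2.10
Aug 31 05:10:38.282 2023 rtr-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 192.0.2.10
Aug 31 05:10:44.075 2023 rtr-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 192.0.2.10
Aug 31 05:10:44.077 2023 rtr-primary login[14666]: LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
Aug 31 05:10:58.025 2023 rtr-primary login[14668]: LOGIN_FAILED: Login failed for user admin from host 192.0.2.10
Aug 31 05:12:01.004 2023 rtr-primary login[14670]: LOGIN_FAILED: Login failed for user noc from host 10.20.0.5
"""

# Matches the LOGIN_FAILED event and captures the user name and source host.
LOGIN_FAILED_RE = re.compile(
    r"LOGIN_FAILED: Login failed for user (?P<user>\S+) from host (?P<host>\S+)"
)


def parse_login_failures(log_text):
    """Return {host: Counter({user: failures})} built from LOGIN_FAILED lines."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m:
            failures[m["host"]][m["user"]] += 1
    return failures


def unexpected_sources(failures, allowed_prefixes):
    """Hosts with failed logins that are outside the management prefixes.

    Returns a sorted list of (host, total_failures, sorted user names)."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    out = []
    for host, per_user in failures.items():
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allowed):
            out.append((host, sum(per_user.values()), sorted(per_user)))
    return sorted(out)


if __name__ == "__main__":
    stats = parse_login_failures(SAMPLE_LOG)
    for host, total, users in unexpected_sources(stats, ["10.20.0.0/16"]):
        print(f"{host}: {total} failed logins, users {users}")
```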