Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Login attempts on ACX2200 with JUNOS 21.2R3.8

    Posted 09-01-2023 09:07

    Hi all,

    It's my first time posting in the Juniper community; I hope I chose the correct words to describe my issue. I work for an enterprise ISP. Recently we installed a Juniper ACX2200 router and we have the following issues:

    Firewall filters can't be applied on a loopback interface as in older versions of JUNOS. We have to apply the filters to the L3 interfaces we want to protect.

    https://supportportal.juniper.net/s/article/ACX-Firewall-filter-applying-to-loopback-interface-not-supported-on-ACX?language=en_US

    We used those filters on the loopback interface to protect remote access to the router and other protocols such as BGP or VRRP. Here is an example of the filters we applied in older versions:

    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
                address 127.0.0.1/32;
            }
        }
    }

    -> firewall filter protect-RE:

    term accept_telnet {
        from {
            source-address {
                X.X.X.X/32;
            }
            protocol tcp;
            destination-port telnet;
        }
        then accept;
    }

    ... more filters

    term discard-rest {
        then {
            log;
            syslog;
            discard;
        }
    }

    Now, if I apply the filter above on my router's client-facing L3 interface, everything going through the router will be rejected. So I worked around it this way:

    family inet {
        filter protect-RE {
            term accept-telnet {
                from {
                    source-address {
                        myNetworkIp/32;
                    }
                    destination-address {
                        myInterfacesIp/32;
                    }
                    protocol tcp;
                    destination-port telnet;
                }
                then accept;
            }
            term deny-telnet {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        myInterfacesIp/32;
                    }
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    reject;
                }
            }
            term accept-ssh {
                from {
                    source-address {
                        myNetworkIp/32;
                    }
                    destination-address {
                        myInterfacesIp/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-ssh {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        myInterfacesIp/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    reject;
                }
            }

            term accept-rest {
                then {
                    log;
                    syslog;
                    accept;
                }
            }
        }
    }

    Problem is I still have people trying to login on the router:

    Aug 31 05:10:36.778 2023  W.11.15065.26-primary login: Login attempt for user root from host 223.8.200.190
    Aug 31 05:10:37.215 2023  W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
    Aug 31 05:10:37.222 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
    Aug 31 05:10:37.735 2023  W.11.15065.26-primary login[14666]: Login attempt for user root from host 223.8.200.190
    Aug 31 05:10:38.275 2023  W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
    Aug 31 05:10:38.282 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
    Aug 31 05:10:43.526 2023  W.11.15065.26-primary login[14666]: Login attempt for user root from host 223.8.200.190
    Aug 31 05:10:44.068 2023  W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
    Aug 31 05:10:44.075 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
    Aug 31 05:10:44.077 2023  W.11.15065.26-primary login[14666]: LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
    Aug 31 05:10:44.078 2023  W.11.15065.26-primary login[14666]: 3 LOGIN FAILURES FROM 223.8.200.190
    Aug 31 05:10:44.080 2023  W.11.15065.26-primary login[14666]: 3 LOGIN FAILURES FROM 223.8.200.190, root
    Aug 31 05:10:57.581 2023  W.11.15065.26-primary login: Login attempt for user admin from host 223.8.200.190
    Aug 31 05:10:58.017 2023  W.11.15065.26-primary login[14668]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user admin
    Aug 31 05:10:58.025 2023  W.11.15065.26-primary login[14668]: LOGIN_FAILED: Login failed for user admin from host 223.8.200.190

    If I try to access the router via telnet or ssh I can't; it is protected, and I don't see any log of my attempt. Can someone tell me which other protocol these guys could be using to try to log in to the router?

    Hope you understand my issue.

    Best Regards,

    Diogo Figueiredo



    ------------------------------
    DIOGO BALTAZAR
    ------------------------------
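The log excerpt in the post already carries everything needed to quantify the attempts: LOGIN_FAILED lines name the source host and username, and LOGIN_ATTEMPTS_THRESHOLD lines record when the retry limit was hit. The script below is an added example for this thread, not Juniper code and not anything the poster ran; it parses a subset of the lines quoted above (copied verbatim) and produces per-source failure counts, the burst duration per source, and the threshold events, which is the summary a practitioner would want before deciding which address needs to be covered by a filter.

```python
"""Summarise failed logins from Junos `login` syslog messages.

Added example for this thread; not Juniper code and not the poster's tooling.
SAMPLE_LOG is a subset of the lines quoted in the post above, unchanged.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Aug 31 05:10:36.778 2023  W.11.15065.26-primary login: Login attempt for user root from host 223.8.200.190
Aug 31 05:10:37.215 2023  W.11.15065.26-primary login[14666]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root
Aug 31 05:10:37.222 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:38.282 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:44.075 2023  W.11.15065.26-primary login[14666]: LOGIN_FAILED: Login failed for user root from host 223.8.200.190
Aug 31 05:10:44.077 2023  W.11.15065.26-primary login[14666]: LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
Aug 31 05:10:58.025 2023  W.11.15065.26-primary login[14668]: LOGIN_FAILED: Login failed for user admin from host 223.8.200.190
"""

# timestamp, router hostname, process (with optional PID), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+ \d{4})\s+"
    r"(?P<host>\S+) (?P<proc>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^LOGIN_FAILED: Login failed for user (?P<user>\S+) from host (?P<src>\S+)$"
)
THRESHOLD_RE = re.compile(
    r"^LOGIN_ATTEMPTS_THRESHOLD: .*\((?P<n>\d+)\) reached by user '(?P<user>[^']+)'$"
)


def parse(line):
    """Return (timestamp, message) for a Junos login line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f %Y"), m["msg"]


def failed_logins(lines):
    """Count LOGIN_FAILED events per (source host, username)."""
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        m = FAILED_RE.match(parsed[1])
        if m:
            counts[(m["src"], m["user"])] += 1
    return counts


def burst_seconds(lines):
    """Seconds between the first and last LOGIN_FAILED event, per source host."""
    first, last = {}, {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = FAILED_RE.match(msg)
        if not m:
            continue
        first.setdefault(m["src"], ts)
        last[m["src"]] = ts
    return {src: (last[src] - first[src]).total_seconds() for src in first}


def threshold_hits(lines):
    """(username, limit) for every LOGIN_ATTEMPTS_THRESHOLD message."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        m = THRESHOLD_RE.match(parsed[1])
        if m:
            hits.append((m["user"], int(m["n"])))
    return hits


def noisy_sources(lines, threshold=3):
    """Source hosts whose failures across all usernames reach `threshold`."""
    per_src = Counter()
    for (src, _user), n in failed_logins(lines).items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, user), n in sorted(failed_logins(lines).items()):
        print(f"{src:16} {user:8} failures={n}")
    print("burst seconds per source:", burst_seconds(lines))
    print("threshold events:", threshold_hits(lines))
    print("sources at/over threshold:", noisy_sources(lines))
```

The parser keys on the message text rather than on field positions, so the lines with and without a `[pid]` suffix are handled the same way; feeding it a full `show log messages` export is a matter of replacing SAMPLE_LOG with the file contents.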


  • 2.  RE: Login attempts on ACX2200 with JUNOS 21.2R3.8

    This message was posted by a user wishing to remain anonymous
    Posted 09-01-2023 09:17

    Hi,

    Try to add a term that discards the following destination ports and protocols:

    If some of them are needed, add an accept before it.


    protocol [ udp tcp ];

    destination-port [ 7804 22 123 53 21 80 443 830 ];



  • 3.  RE: Login attempts on ACX2200 with JUNOS 21.2R3.8

    Posted 09-05-2023 08:51

    Hi all,

    I found my issue; my rules are working effectively. In this particular setup VRRP is being used: on the primary router the VIP address is active, and I forgot to add this address to my filter list. I added that and there is no more access from the exterior. Everything was easier when we could assign the filter list to the loopback interface.

    Thanks again,

    Best Regards

    Diogo



    ------------------------------
    DIOGO BALTAZAR
    ------------------------------
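The resolution above is a general class of mistake when a filter moves from lo0 to L3 interfaces: every deny term now needs an explicit destination-address, so any locally owned address that is not listed (here the VRRP VIP) falls through to the accept-rest term. The script below is an added example for this thread, not Juniper code and not the poster's configuration. It models the poster's filter structure under the Junos semantics the thread relies on (terms evaluated top to bottom, first match wins, an absent match condition means "any", implicit discard at the end) and reports which local addresses an outside source can still reach on a given port; all addresses and prefixes are constructed documentation-range values.

```python
"""Audit a Junos-style interface filter for local addresses no deny term covers.

Added example for this thread; not Juniper code and not the poster's filter.
Term evaluation follows Junos semantics (top to bottom, first match decides,
a missing match condition matches anything, implicit discard at the end).
All addresses below are constructed from the documentation ranges.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Term:
    name: str
    action: str                                        # accept | reject | discard
    protocol: set[str] = field(default_factory=set)
    destination_port: set[str] = field(default_factory=set)
    source_address: set[str] = field(default_factory=set)
    destination_address: set[str] = field(default_factory=set)


def _in_prefixes(prefixes, addr):
    """Empty prefix set means the term did not constrain that field (matches any)."""
    return not prefixes or any(addr in ipaddress.ip_network(p) for p in prefixes)


def first_action(terms, src, dst, proto, port):
    """Action of the first term matching a packet; 'discard' if none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in terms:
        if t.protocol and proto not in t.protocol:
            continue
        if t.destination_port and port not in t.destination_port:
            continue
        if not _in_prefixes(t.source_address, s):
            continue
        if not _in_prefixes(t.destination_address, d):
            continue
        return t.action
    return "discard"  # implicit discard at the end of a Junos filter


def unprotected(local_addrs, terms, proto, port, outside="198.51.100.7"):
    """Local addresses an arbitrary outside source (constructed) is accepted to."""
    return {a for a in local_addrs if first_action(terms, outside, a, proto, port) == "accept"}


# Constructed addresses: a physical interface IP, the VRRP VIP it may hold,
# and the management network that should keep access.
INTERFACE_IP = "192.0.2.1"
VRRP_VIP = "192.0.2.254"
MGMT_NET = "203.0.113.0/24"
LOCAL_ADDRS = [INTERFACE_IP, VRRP_VIP]


def build_filter(protected_dests):
    """Same shape as the poster's filter: accept from mgmt, deny from anywhere,
    then accept-rest so transit traffic still flows."""
    dests = set(protected_dests)
    return [
        Term("accept-telnet", "accept", {"tcp"}, {"telnet"}, {MGMT_NET}, dests),
        Term("deny-telnet", "reject", {"tcp"}, {"telnet"}, {"0.0.0.0/0"}, dests),
        Term("accept-ssh", "accept", {"tcp"}, {"ssh"}, {MGMT_NET}, dests),
        Term("deny-ssh", "reject", {"tcp"}, {"ssh"}, {"0.0.0.0/0"}, dests),
        Term("accept-rest", "accept"),
    ]


def audit_without_vip(port="ssh"):
    """The poster's original situation: only the interface IP is listed."""
    return unprotected(LOCAL_ADDRS, build_filter([f"{INTERFACE_IP}/32"]), "tcp", port)


def audit_with_vip(port="ssh"):
    """After the fix: the VIP is added to every deny term's destination-address."""
    terms = build_filter([f"{INTERFACE_IP}/32", f"{VRRP_VIP}/32"])
    return unprotected(LOCAL_ADDRS, terms, "tcp", port)


if __name__ == "__main__":
    for port in ("ssh", "telnet"):
        print(f"{port}: reachable from outside before fix = {audit_without_vip(port)}")
        print(f"{port}: reachable from outside after fix  = {audit_with_vip(port)}")
    mgmt = first_action(build_filter([f"{VRRP_VIP}/32"]), "203.0.113.10", VRRP_VIP, "tcp", "ssh")
    print("management host to VIP over ssh:", mgmt)
```

Running it on a real box means replacing LOCAL_ADDRS with every address the routing engine answers on (interface addresses plus VRRP virtual addresses on that interface) and transcribing the deny terms; any address left in the "before" set is one the accept-rest term hands to the routing engine.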