Screen OS

 View Only
last person joined: one year ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Using address Groups in Policy to deny unwanted traffic

    Posted 10-08-2015 09:11

    As I peruse through logs in my webservers/ftp/and other public facing boxes, I see constant attempted logins (don't we all).   About once a month, I have taken those handful of those addresses and add them to a group I called Intrusion Protection and Intrusion Protection 2.  I maxed out the first with 32 addresses so I moved on to another group.

    My problem is for some reason it doesn't like the groups and allows the traffic anyway.   Usually, I am not able to catch someone in the process of hacking, so I assumed it was working.

    Here is my (partial)config for the rule and groups.  Can anyone see why it wouldn't work?  If I add the single address as a rule, (even though it's a /24) it denies, but not in the group.  I've check to see if the rule was shadowed, but it is at the top.  Also, usually in the GUI under policy elements you would see "in use" if the element is in a rule and applied.  I don't see that.  Hopefully it's something dumb I'm missing.  thanks in advance.

     

    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"

    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"

    set interface ethernet0/0 ip 206.181.xxx.123/xx
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.1.2.1/24
    set interface ethernet0/1 nat

     

    set address "Untrust" "107.191.99.231/32" 107.191.99.231 255.255.255.255 "Hack"
    set address "Untrust" "109.64.143.74/32" 109.64.143.74 255.255.255.255
    set address "Untrust" "117.131.214.53/32" 117.131.214.53 255.255.255.255 "hack"
    set address "Untrust" "121.40.167.158/32" 121.40.167.158 255.255.255.255 "Hack"
    set address "Untrust" "122.225.243.194/32" 122.225.243.194 255.255.255.255 "hack"
    set address "Untrust" "125.65.165.215/32" 125.65.165.21 255.255.255.255 "Hack"
    set address "Untrust" "142.11.250.149/32" 142.11.250.149 255.255.255.255
    set address "Untrust" "144.0.0.35/24" 144.0.0.35 255.255.255.0 "Hack"
    set address "Untrust" "172.245.109.242/32" 172.245.109.242 255.255.255.255 "Hack"
    set address "Untrust" "173.13.31.229/32" 173.13.31.229 255.255.255.255 "Hack"
    set address "Untrust" "180.179.207.134" 180.179.207.134 255.255.255.255 "spam"
    set address "Untrust" "182.171.246.59/32" 182.171.246.59 255.255.255.255 "hack"
    set address "Untrust" "183.147.206.234/32" 183.147.206.234 255.255.255.255
    set address "Untrust" "184.105.247.251/32" 184.105.247.251 255.255.255.255 "Hack"
    set address "Untrust" "184.107.57.200/32" 184.107.57.200 255.255.255.255
    set address "Untrust" "188.40.84.70/32" 188.40.84.70 255.255.255.255
    set address "Untrust" "192.114.71.13" 192.114.71.13 255.255.255.255 "Hack"
    set address "Untrust" "192.246.130.102/32" 192.246.130.102 255.255.255.255
    set address "Untrust" "192.246.132.102/32" 192.246.132.102 255.255.255.255
    set address "Untrust" "194.250.92.54/24" 194.250.92.54 255.255.255.0 "spam"
    set address "Untrust" "199.103.62.185/32" 199.103.62.185 255.255.255.255 "hack"
    set address "Untrust" "199.204.243.108/32" 199.204.243.108 255.255.255.255 "Hack"
    set address "Untrust" "200.112.157.60/32" 200.112.157.60 255.255.255.255 "Hack"
    set address "Untrust" "200.123.47.98/32" 200.123.47.98 255.255.255.255
    set address "Untrust" "200.76.60.143/32" 200.76.60.143 255.255.255.255 "hack"
    set address "Untrust" "203.157.232.3/32" 203.157.232.3 255.255.255.255 "Hack"
    set address "Untrust" "206.169.168.178/32" 206.169.168.178 255.255.255.255
    set address "Untrust" "207.226.141.42" 207.226.141.42 255.255.255.255 "Scan"
    set address "Untrust" "207.226.141.42/32" 207.226.141.42 255.255.255.255 "hack"
    set address "Untrust" "208.71.174.46/32" 208.71.174.46 255.255.255.255 "spam"
    set address "Untrust" "209.12.107.2/32" 209.12.107.2 255.255.255.255
    set address "Untrust" "210.77.64.228/32" 210.77.64.228 255.255.255.255 "Hack"
    set address "Untrust" "216.218.206.67/32" 216.218.206.67 255.255.255.255 "Hack"
    set address "Untrust" "217.37.170.113" 217.37.170.113 255.255.255.255 "spam"
    set address "Untrust" "219.151.12.3/32" 219.151.12.3 255.255.255.255 "hack"
    set address "Untrust" "24.217.91.115/32" 24.217.91.115 255.255.255.255 "Hack"
    set address "Untrust" "27.38.41.129/32" 27.38.41.129 255.255.255.255 "spam"
    set address "Untrust" "27.38.41.92" 27.38.41.92 255.255.255.255 "Spam"
    set address "Untrust" "42.62.18.223/32" 42.62.18.223 255.255.255.255 "scan"
    set address "Untrust" "43.229.52.0/24" 43.229.52.0 255.255.255.0 "Hack"
    set address "Untrust" "43.229.52.135/32" 43.229.52.135 255.255.255.255 "Hack"
    set address "Untrust" "43.229.53.1/24" 43.229.53.1 255.255.255.0 "hack"
    set address "Untrust" "43.255.190.172/29" 43.255.190.172 255.255.255.248 "Hack"
    set address "Untrust" "46.234.125.75/32" 46.234.125.75 255.255.255.255 "hack"
    set address "Untrust" "54.148.154.28/32" 54.148.154.28 255.255.255.255 "Hack"
    set address "Untrust" "54.218.213.208/32" 54.218.213.208 255.255.255.255 "hack"
    set address "Untrust" "54.232.229.64/32" 54.232.229.64 255.255.255.255 "hack"
    set address "Untrust" "54.69.48.5/32" 54.69.48.5 255.255.255.255 "Hack"
    set address "Untrust" "58.218.213.208/32" 58.218.213.208 255.255.255.255 "hack"
    set address "Untrust" "60.173.10.67/32" 60.173.10.67 255.255.255.255 "Hack/Asia"
    set address "Untrust" "61.158.163.126/32" 61.158.163.126 255.255.255.255 "email"
    set address "Untrust" "61.19.247.226/24" 61.19.247.226 255.255.255.0 "spam"
    set address "Untrust" "66.203.50.180/32" 66.203.50.180 255.255.255.255 "Hack"
    set address "Untrust" "69.175.26.234/32" 69.175.26.234 255.255.255.255
    set address "Untrust" "69.28.82.191/32" 69.28.82.191 255.255.255.255 "Hack"
    set address "Untrust" "71.164.218.63/32" 71.164.218.63 255.255.255.255 "Hack"
    set address "Untrust" "71.63.64.8" 71.63.64.8 255.255.255.255 "Hack"
    set address "Untrust" "80.14.52.162/32" 80.14.52.162 255.255.255.255
    set address "Untrust" "80.82.78.2/32" 80.82.78.2 255.255.255.255 "Hack"
    set address "Untrust" "82.80.234.142" 82.80.234.142 255.255.255.255 "Hack"
    set address "Untrust" "82.80.244.57" 82.80.244.57 255.255.255.255 "Hack"
    set address "Untrust" "82.80.249.164" 82.80.249.164 255.255.255.255 "Hack"
    set address "Untrust" "85.195.109.195/32" 85.195.109.195 255.255.255.255 "spam"
    set address "Untrust" "90.85.99.58/32" 90.85.99.58 255.255.255.255 "Hack"
    set address "Untrust" "91.189.77.202/32" 91.189.77.202 255.255.255.255 "hack"
    set address "Untrust" "92.234.29.229/32" 92.234.29.229 255.255.255.255
    set address "Untrust" "93.174.93.119/32" 93.174.93.119 255.255.255.255 "Hack"
    set address "Untrust" "93.174.93.20/32" 93.174.93.20 255.255.255.255 "Hack"
    set address "Untrust" "94.102.50.56/32" 94.102.50.56 255.255.255.255 "hack"
    set address "Untrust" "95.61.182.248/32" 95.61.182.248 255.255.255.255
    set address "Untrust" "97.65.39.27/32" 97.65.39.27 255.255.255.255

     

    set group address "Untrust" "Intrusion Protection" comment "Hack"
    set group address "Untrust" "Intrusion Protection" add "107.191.99.231/32"
    set group address "Untrust" "Intrusion Protection" add "125.65.165.215/32"
    set group address "Untrust" "Intrusion Protection" add "144.0.0.35/24"
    set group address "Untrust" "Intrusion Protection" add "172.245.109.242/32"
    set group address "Untrust" "Intrusion Protection" add "173.13.31.229/32"
    set group address "Untrust" "Intrusion Protection" add "180.179.207.134"
    set group address "Untrust" "Intrusion Protection" add "184.105.247.251/32"
    set group address "Untrust" "Intrusion Protection" add "192.114.71.13"
    set group address "Untrust" "Intrusion Protection" add "194.250.92.54/24"
    set group address "Untrust" "Intrusion Protection" add "199.204.243.108/32"
    set group address "Untrust" "Intrusion Protection" add "200.112.157.60/32"
    set group address "Untrust" "Intrusion Protection" add "208.71.174.46/32"
    set group address "Untrust" "Intrusion Protection" add "210.77.64.228/32"
    set group address "Untrust" "Intrusion Protection" add "217.37.170.113"
    set group address "Untrust" "Intrusion Protection" add "24.217.91.115/32"
    set group address "Untrust" "Intrusion Protection" add "27.38.41.92"
    set group address "Untrust" "Intrusion Protection" add "54.148.154.28/32"
    set group address "Untrust" "Intrusion Protection" add "54.69.48.5/32"
    set group address "Untrust" "Intrusion Protection" add "60.173.10.67/32"
    set group address "Untrust" "Intrusion Protection" add "66.203.50.180/32"
    set group address "Untrust" "Intrusion Protection" add "69.28.82.191/32"
    set group address "Untrust" "Intrusion Protection" add "71.164.218.63/32"
    set group address "Untrust" "Intrusion Protection" add "71.63.64.8"
    set group address "Untrust" "Intrusion Protection" add "82.80.234.142"
    set group address "Untrust" "Intrusion Protection" add "82.80.244.57"
    set group address "Untrust" "Intrusion Protection" add "82.80.249.164"
    set group address "Untrust" "Intrusion Protection" add "85.195.109.195/32"
    set group address "Untrust" "Intrusion Protection" add "90.85.99.58/32"
    set group address "Untrust" "Intrusion Protection" add "93.174.93.119/32"
    set group address "Untrust" "Intrusion Protection" add "93.174.93.20/32"
    set group address "Untrust" "Intrusion Protection" add "95.61.182.248/32"
    set group address "Untrust" "Intrusion Protection 2" comment "2nd list of 32"
    set group address "Untrust" "Intrusion Protection 2" add "117.131.214.53/32"
    set group address "Untrust" "Intrusion Protection 2" add "121.40.167.158/32"
    set group address "Untrust" "Intrusion Protection 2" add "122.225.243.194/32"
    set group address "Untrust" "Intrusion Protection 2" add "182.171.246.59/32"
    set group address "Untrust" "Intrusion Protection 2" add "199.103.62.185/32"
    set group address "Untrust" "Intrusion Protection 2" add "200.76.60.143/32"
    set group address "Untrust" "Intrusion Protection 2" add "203.157.232.3/32"
    set group address "Untrust" "Intrusion Protection 2" add "207.226.141.42"
    set group address "Untrust" "Intrusion Protection 2" add "216.218.206.67/32"
    set group address "Untrust" "Intrusion Protection 2" add "27.38.41.129/32"
    set group address "Untrust" "Intrusion Protection 2" add "42.62.18.223/32"
    set group address "Untrust" "Intrusion Protection 2" add "43.229.52.0/24"
    set group address "Untrust" "Intrusion Protection 2" add "43.229.52.135/32"
    set group address "Untrust" "Intrusion Protection 2" add "43.229.53.1/24"
    set group address "Untrust" "Intrusion Protection 2" add "43.255.190.172/29"
    set group address "Untrust" "Intrusion Protection 2" add "46.234.125.75/32"
    set group address "Untrust" "Intrusion Protection 2" add "54.232.229.64/32"
    set group address "Untrust" "Intrusion Protection 2" add "58.218.213.208/32"
    set group address "Untrust" "Intrusion Protection 2" add "61.158.163.126/32"
    set group address "Untrust" "Intrusion Protection 2" add "80.82.78.2/32"
    set group address "Untrust" "Intrusion Protection 2" add "91.189.77.202/32"
    set group address "Untrust" "Intrusion Protection 2" add "94.102.50.56/32"

     

    set policy id 111 name "Hack-Block" from "Untrust" to "DMZ"  "Intrusion Protection" "Any" "ANY" deny log
    set policy id 111
    set src-address "Intrusion Protection 2"
    set log session-init


    #SSG20
    #AddressGroups


  • 2.  RE: Using address Groups in Policy to deny unwanted traffic

    Posted 10-08-2015 09:29

    Do you happen to have any kind of inbound NAT (MIP/VIP) you are using?  If so, you would need to configure the policy from those groups to the MIP address.



  • 3.  RE: Using address Groups in Policy to deny unwanted traffic

    Posted 10-08-2015 11:11

    The public facing devices are MIPs.  But wouldn't the "any" cover those?  or do I have to create a "group" with the MIPs and reference them that way?



  • 4.  RE: Using address Groups in Policy to deny unwanted traffic
    Best Answer

    Posted 10-08-2015 13:00

    You would need to specify the MIP address in a policy.  MIP policies are global policies, which is why the traffic is failing to use the zone to zone policy.



  • 5.  RE: Using address Groups in Policy to deny unwanted traffic

    Posted 10-08-2015 13:04

    I was concentrating on why the source addresses wouldn't take.  I just read about what you said.   Although I can't get the MIPs in a group, I have the "suspect" ips group. 

    Just a thought though ....Is there an easier way to go about what I am doing?



  • 6.  RE: Using address Groups in Policy to deny unwanted traffic

    Posted 10-08-2015 13:08

    You could create a negate MIP policy.  It would pretty much state "any except these."



  • 7.  RE: Using address Groups in Policy to deny unwanted traffic

    Posted 10-09-2015 14:50

     thanks for the help.