Junos OS

  • 1.  SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

    Posted 05-05-2022 05:38
    We have a couple of SRX345s as Internet routers that are being bombed with SSH login attempts. We have root-deny configured, and the old login attempt retry-options commands, but the hits keep on coming and fill the logs. I've tried this filter, but it doesn't seem to work. What am I missing:

    set policy-options prefix-list ALLOWED-HOSTS 1.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 2.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 3.2.3.100/32
    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS except
    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept
    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    Thanks


  • 2.  RE: SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

     
    Posted 05-05-2022 09:57
    You're negating the allowed hosts list with the except keyword and letting the opposite through. You want 'set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS'


  • 3.  RE: SRX 345 Firewall Filter to Stop Brute Force SSH Abuse

    Posted 05-06-2022 08:24
    Hi,

    Try this config

    set policy-options prefix-list ALLOWED-HOSTS 1.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 2.2.3.1/32
    set policy-options prefix-list ALLOWED-HOSTS 3.2.3.100/32

    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term SSH then policer RE-HIGH-POLICER
    set firewall family inet filter ALLOWED-SSH term SSH then count ssh-traffic
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept

    set firewall policer RE-HIGH-POLICER if-exceeding bandwidth-limit 20m
    set firewall policer RE-HIGH-POLICER if-exceeding burst-size-limit 256k
    set firewall policer RE-HIGH-POLICER then discard

    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    ------------------------------
    DEMNA IMAD
    ------------------------------
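To see why the first post's filter inverts the intent and why a lo0 filter needs a final accept term, here is a small Python model of Junos firewall-filter evaluation (an added example, not code from the thread or from Juniper): terms are tried in order, the first match decides, `except` negates a prefix-list match, and an unmatched packet hits the filter's implicit discard. The addresses and packets are constructed, and the policer is not modelled.

```python
import ipaddress

# Constructed data: the prefix list mirrors the placeholders in the thread,
# 198.51.100.7 stands in for a brute-force source. The policer is not modelled.
ALLOWED_HOSTS = [ipaddress.ip_network(p)
                 for p in ("1.2.3.1/32", "2.2.3.1/32", "3.2.3.100/32")]

def pkt(src, proto="tcp", dport=22):
    return {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport}

def term_matches(term, p):
    """All 'from' conditions must hold; 'except' inverts the prefix-list match."""
    frm = term.get("from", {})
    if "proto" in frm and p["proto"] != frm["proto"]:
        return False
    if "dport" in frm and p["dport"] != frm["dport"]:
        return False
    if "src_list" in frm:
        hit = any(p["src"] in net for net in frm["src_list"])
        if frm.get("except"):
            hit = not hit
        if not hit:
            return False
    return True

def evaluate(terms, p):
    """Terms are tried in order; first match wins; unmatched traffic is discarded."""
    for term in terms:
        if term_matches(term, p):
            return term["then"]
    return "discard (implicit)"

SSH = {"proto": "tcp", "dport": 22}
# Post 1: 'except' makes the SSH term match everyone except the allowed hosts.
BROKEN = [{"from": {**SSH, "src_list": ALLOWED_HOSTS, "except": True}, "then": "accept"},
          {"from": SSH, "then": "discard"},
          {"then": "accept"}]
# Post 2's fix: the same terms without 'except'.
FIXED = [{"from": {**SSH, "src_list": ALLOWED_HOSTS}, "then": "accept"},
         {"from": SSH, "then": "discard"},
         {"then": "accept"}]
# A filter with only the SSH accept term: everything else hits the implicit discard.
SSH_ONLY = FIXED[:1]

if __name__ == "__main__":
    for name, f in (("broken", BROKEN), ("fixed", FIXED), ("ssh-only", SSH_ONLY)):
        print(name, "allowed ssh:", evaluate(f, pkt("1.2.3.1")),
              "| attacker ssh:", evaluate(f, pkt("198.51.100.7")),
              "| bgp:", evaluate(f, pkt("198.51.100.9", dport=179)))
```

Running it shows the broken filter locking out the allowed hosts while accepting the brute-force source, and the single-term filter silently dropping the BGP session along with everything else bound for the RE.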