SRX

 View Only
last person joined: 19 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Tried applying policy for blocking specific IPs, but so far no success

    Posted 09-27-2022 12:58
    I tried applying policy for blocking specific IPs, but so far no success.

    Under security policies:

    from-zone Untrust to-zone ArtDept policy blockIP match source-address badIP1
    from-zone Untrust to-zone ArtDept policy blockIP match source-address badIP2
    from-zone Untrust to-zone ArtDept policy blockIP match destination-address any
    from-zone Untrust to-zone ArtDept policy blockIP match application any
    from-zone Untrust to-zone ArtDept policy blockIP then reject

    I populated global address book with the two IPs in focus, but when I checked my logs again, I see the same entries repeated:

    SSHD_LOGIN_FAILED: Login failed for user 'bob' from host 'X.X.X.1'
    SSHD_LOGIN_FAILED: Login failed for user 'pi' from host 'X.X.X.2'

    What am I missing?


  • 2.  RE: Tried applying policy for blocking specific IPs, but so far no success

    Posted 09-27-2022 13:01
    Hi,

    security policy is for transit interface not for srx itself. To limit certain ip that can ssh to srx u need firewall filter.


    Thanks


  • 3.  RE: Tried applying policy for blocking specific IPs, but so far no success

    Posted 09-27-2022 13:49
    Hi kronicklez,

    Thank you for your reply!

    I already have ssh filter in place, ssh connection limit, backoff threshold, retry options backoff/lockout and tries before disconnect as well.
    However, I still see this in my logs:

    SSHD_LOGIN_FAILED: Login failed for user 'bob' from host 'X.X.X.1'
    SSHD_LOGIN_FAILED: Login failed for user 'pi' from host 'X.X.X.2'

    Looks like a brute-force attack.
    I guess it's expected?



  • 4.  RE: Tried applying policy for blocking specific IPs, but so far no success

    Posted 09-28-2022 01:56
    Hello,

    you can create firewall filters to allow only requeried traffic to mgmt
    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-trusted-source-block-telnet-and-ssh-access.html

    or you can use junos-host policies to limit traffic
    https://supportportal.juniper.net/s/article/SRX-Configuration-Example-How-to-limit-self-traffic-using-Security-Policies?language=en_US

    Balázs

    ------------------------------
    Balázs Bajmóczi
    ------------------------------