2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many customers' firewalls have been hacked, especially NetScreen devices, whose factory default login is netscreen/netscreen.
The default login user on SRX is root, and many people constantly probe SSH on these devices. If syslog is configured, messages like the ones below
are easy to see in the CLI with show log messages. Now let's introduce several basic protections for SSH:
1. Restrict normal SSH logins
2. Permit or deny SSH from specific source and destination addresses with a filter on the loopback interface
3. Change the default SSH port.
Nov 11 23:05:01 TB-RD-FW-P newsyslog [44691]: logfile turned over due to size > 100K
Nov 11 23:05:06 TB-RD-FW-P sshd [44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd [44693]: Failed password for root from 61.143.139.10 port 35569 ssh3
Nov 11 23:05:12 TB-RD-FW-P sshd [44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd [44696]: Failed password for root from 61.143.139.10 port 39821 ssh3
Nov 11 23:05:19 TB-RD-FW-P sshd [44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd [44698]: Failed password for root from 61.143.139.10 port 44476 ssh3
Let's talk about the first one, which is simple and effective. The basic configuration is as follows:
set system services ssh root-login deny > deny SSH login as the root user
set system services ssh connection-limit 3 > at most 3 SSH sessions logged in simultaneously
set system services ssh rate-limit 3 > at most 3 connection attempts per minute
set system login retry-options minimum-time 30 > minimum wait after a failed login before the next attempt (seconds)
set system login retry-options maximum-time 100 > maximum time the connection stays open for login attempts (seconds)
set system login retry-options lockout-period 30 > lockout duration after repeated failed logins (minutes)
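As an added example (not from the original post), here is the detection logic a defender would run over the syslog lines shown above: it parses Junos SSHD_LOGIN_FAILED messages and flags any source that exceeds the same threshold the rate-limit 3 setting enforces, more than 3 attempts within one minute. The log lines inside the block are constructed in the page's format, including its odd quote spacing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Junos syslog format shown above (one non-matching line included).
SAMPLE_LOG = """\
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:12 TB-RD-FW-P sshd [44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host' 61.143.139.10'
Nov 11 23:05:41 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '61.143.139.10'
Nov 11 23:06:00 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '10.101.5.108'
Nov 11 23:07:30 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '10.101.5.108'
Nov 11 23:09:00 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '10.101.5.108'
Nov 11 23:09:02 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '172.16.255.7'
"""

# \s*'\s* tolerates the "host' 1.2.3.4'" spacing seen in the captured log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd: SSHD_LOGIN_FAILED: "
    r"Login failed for user '(?P<user>[^']*)' from host\s*'\s*(?P<host>[^']+)'"
)

def parse_failures(text):
    """Return [(timestamp, user, host)] for every SSHD_LOGIN_FAILED line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog carries no year; strptime defaults to 1900, fine for relative windows
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["host"]))
    return events

def brute_force_sources(text, max_attempts=3, window_seconds=60):
    """Hosts with more than max_attempts failures inside any window_seconds span.
    Defaults mirror the page's 'ssh rate-limit 3' (attempts per minute).
    Returns {host: (total_failures, sorted user names tried)}."""
    by_host = defaultdict(list)
    for ts, user, host in parse_failures(text):
        by_host[host].append((ts, user))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        times = [t for t, _ in evs]
        for i, start in enumerate(times):  # sliding window anchored at each failure
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if in_window > max_attempts:
                flagged[host] = (len(evs), sorted({u for _, u in evs}))
                break
    return flagged

if __name__ == "__main__":
    for host, (n, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{host}: {n} failures, users tried {users}")
```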
The loopback interface in Junos has several functions. On Cisco it is generally used as the router-id for dynamic routing; on Juniper it can also act as the interface between the forwarding plane and the control plane.
When we apply a protection filter to the loopback interface, we can effectively defend control-plane services such as NTP and SSH.
The basic configuration is as follows:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol udp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol udp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept
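To show how the RE-protection filter above is evaluated, here is an added Python model (not Junos code and not from the original post) that applies the terms top-down with first-match semantics and Junos's rule that a `port` condition matches either the source or the destination port. The flows are constructed; the first one reproduces the discards logged on ge-0/0/0.0 below.

```python
from ipaddress import ip_address, ip_network

# Model of the page's RE-protection filter: (term name, match conditions, action), in order.
# Junos semantics modelled: terms are tried top-down and the first match wins; multiple
# source-address entries are ORed; different condition types are ANDed; 'port' matches
# the source OR the destination port (NTP replies sourced from port 123 rely on this).
RE_PROTECTION = [
    ("alw-ssh",  {"src": ["172.16.255.0/24", "10.200.255.0/24"], "proto": "tcp", "port": 22}, "accept"),
    ("deny-ssh", {"proto": "tcp", "port": 22}, "discard"),
    ("alw-ntp",  {"src": ["10.200.254.0/24"], "proto": "udp", "port": 123}, "accept"),
    ("deny-ntp", {"proto": "udp", "port": 123}, "discard"),
    ("else-all", {}, "accept"),
]

def flow(src, dst, proto, sport, dport):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def term_matches(cond, f):
    """Every configured condition must hold; an empty condition set matches everything."""
    if "src" in cond and not any(ip_address(f["src"]) in ip_network(n) for n in cond["src"]):
        return False
    if "proto" in cond and f["proto"] != cond["proto"]:
        return False
    if "port" in cond and cond["port"] not in (f["sport"], f["dport"]):
        return False
    return True

def evaluate(f, terms=RE_PROTECTION):
    """Return (term, action) of the first matching term; a filter with no match discards."""
    for name, cond, action in terms:
        if term_matches(cond, f):
            return name, action
    return None, "discard"

# Constructed flows toward the SRX address 10.101.5.100 used on the page.
CASES = {
    "scanner_ssh":   flow("10.101.5.108", "10.101.5.100", "tcp", 51234, 22),  # the logged 'D' entries
    "mgmt_ssh":      flow("172.16.255.10", "10.101.5.100", "tcp", 51235, 22),
    "ntp_reply":     flow("10.200.254.5", "10.101.5.100", "udp", 123, 123),
    "rogue_ntp":     flow("198.51.100.9", "10.101.5.100", "udp", 123, 123),
    "sport22_other": flow("203.0.113.9", "10.101.5.100", "tcp", 22, 8080),    # 'port' also matches sport
    "https":         flow("10.101.5.108", "10.101.5.100", "tcp", 51236, 443),
}

def run_cases(cases=CASES):
    return {name: evaluate(f) for name, f in cases.items()}

if __name__ == "__main__":
    for name, (term, action) in run_cases().items():
        print(f"{name:14} -> {term:8} {action}")
```

Because `port` matches either end, a TCP packet that merely has source port 22 is also discarded by deny-ssh; using `destination-port ssh` in the SSH terms avoids that, while the NTP terms still need `port ntp` (or `source-port ntp`) so server replies are accepted.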
The effect is as follows:
root# run show firewall log
Log:
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
The third way is to redirect the SSH port, as mentioned in the earlier NAT tips.
From this part of the configuration we can see that lo0.0 permits SSH as host-inbound-traffic, while ge-0/0/0.0 rejects it by default.
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
Now for the basic NAT configuration:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust
Another way is to use dynamic * * to log in through IPSec.