The post Block SSH Login Attack in Juniper SRX appeared first on MustBeGeek.
In Junos, the default port for the SSH protocol is 22. As of this writing, the Juniper-recommended Junos OS version is 11.4R5.5 for the SRX100 to SRX240 and SRX650 models. Junos currently has no option to change the default SSH port. Since port 22 is the only option for SSH login, an SRX device is hit by a large number of brute-force attacks on port 22. Even though we can't change the default SSH port, we can still secure the device and block SSH login attacks on Juniper SRX devices. The attack constantly tries random usernames and passwords, which creates unnecessary processing load and increases the log file size. Today I will show you how to secure your SRX box from SSH brute-force attacks.
Block SSH Login Attack in Juniper SRX
We will create a filter and apply it to the loopback interface. This filter will block brute-force attacks on the SSH port.
First, list the trusted IP addresses that will be allowed to access the device, then create a prefix-list for them under policy-options.
[edit policy-options]
root@SRX240# edit prefix-list Trusted_IP_Address
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 111.11.1.1/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 22.2.2.2/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 33.3.3.3/32
Now create the firewall filter. We will create a filter named sshFilter. The first term, named Trusted_SSH_Login, references the trusted IP addresses: it matches SSH traffic from every source except those addresses and discards it.
[edit firewall family inet filter sshFilter]
root@SRX240# edit term Trusted_SSH_Login
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from source-prefix-list Trusted_IP_Address except
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from protocol tcp
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from destination-port ssh
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set then discard
Now don't forget the final term that accepts everything else. If you omit this term, the implicit discard at the end of every Junos filter drops all other traffic to the device and you will find yourself locked out.
[edit firewall family inet filter sshFilter term Allow_Everything_Else]
root@SRX240# set then accept
You can view the firewall filter by typing show under the [edit firewall family inet filter sshFilter] hierarchy:
[edit firewall family inet filter sshFilter]
root@SRX210# show
term Trusted_SSH_Login {
    from {
        source-prefix-list {
            Trusted_IP_Address except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then discard;
}
term Allow_Everything_Else {
    then accept;
}
Now apply the firewall filter to the loopback (lo0) interface in the input (inbound) direction.
[edit]
root@SRX210# set interfaces lo0 unit 0 family inet filter input sshFilter
Firewall filters block the attack at the very edge. In Junos, a packet is first evaluated by the filters before it is handed to the rest of the packet-flow process.
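To see why term order and the except keyword matter, here is a small Python model of how the stateless filter above is evaluated. It is an added illustration for this post, not Junos code and not something from the original article: terms are checked top to bottom, the first match decides, and a packet that matches no term falls into the implicit discard at the end of every Junos filter. The trusted addresses are the post's own prefix-list entries; 198.51.100.7 is a constructed untrusted source; the SSH_FILTER_NO_FINAL_TERM list reproduces the lockout the post warns about.

```python
import ipaddress

# Trusted prefixes from the post's prefix-list Trusted_IP_Address.
TRUSTED_IP_ADDRESS = [ipaddress.ip_network(p) for p in
                      ("111.11.1.1/32", "22.2.2.2/32", "33.3.3.3/32")]

SSH_PORT = 22  # Junos resolves the keyword "ssh" to TCP port 22


def term_trusted_ssh_login(pkt):
    """Model of term Trusted_SSH_Login: match TCP/22 from any source
    *except* the trusted prefixes, and discard it."""
    src = ipaddress.ip_address(pkt["src"])
    from_trusted = any(src in net for net in TRUSTED_IP_ADDRESS)
    if (not from_trusted) and pkt["proto"] == "tcp" and pkt["dport"] == SSH_PORT:
        return "discard"
    return None  # no match: fall through to the next term


def term_allow_everything_else(pkt):
    """Model of term Allow_Everything_Else: unconditional accept."""
    return "accept"


def evaluate(pkt, terms):
    """Evaluate terms in order; the first match wins. A packet that matches
    no term hits the implicit discard at the end of every Junos filter."""
    for term in terms:
        action = term(pkt)
        if action is not None:
            return action
    return "discard"  # implicit discard


SSH_FILTER = [term_trusted_ssh_login, term_allow_everything_else]
# The same filter with the final term forgotten: the lockout scenario.
SSH_FILTER_NO_FINAL_TERM = [term_trusted_ssh_login]


def check(src, proto="tcp", dport=SSH_PORT, terms=SSH_FILTER):
    """Return the filter action for a single packet addressed to the device."""
    return evaluate({"src": src, "proto": proto, "dport": dport}, terms)


if __name__ == "__main__":
    # 198.51.100.7 is a constructed, untrusted source address (TEST-NET-2).
    print("trusted SSH               :", check("22.2.2.2"))
    print("untrusted SSH             :", check("198.51.100.7"))
    print("untrusted HTTPS           :", check("198.51.100.7", dport=443))
    print("no final term, trusted SSH:", check("22.2.2.2", terms=SSH_FILTER_NO_FINAL_TERM))
```

The last line of the usage shows the lockout: without Allow_Everything_Else, even SSH from a trusted address matches no term and is discarded, and so is every other protocol the device needs.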
There is another way to control login attempts on Juniper devices: limiting the number of failed attempts and setting some threshold parameters. This configuration applies to all users logging in to the device and is done under the [edit system login retry-options] hierarchy.
[edit system login retry-options]
user@host# set tries-before-disconnect 10    {number of times a user is allowed to try the password}
user@host# set backoff-threshold 2           {number of password failures before the delay takes effect}
user@host# set backoff-factor 5              {once the backoff-threshold is reached, the user is delayed for 5 seconds}
user@host# set minimum-time 20               {once the user gets the login prompt, he/she has 20 seconds to enter the user/pass}
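The following Python model, added here and not part of the original post or of Junos itself, works through how the retry-options knobs above interact over one login session. The delay schedule is an assumption about the behaviour described (no delay below backoff-threshold, backoff-factor seconds once the threshold is reached, growing by backoff-factor on each further failure); the counts and seconds are the post's own values, and minimum-time is recorded but not simulated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    """The [edit system login retry-options] values from the post."""
    tries_before_disconnect: int = 10
    backoff_threshold: int = 2
    backoff_factor: int = 5
    minimum_time: int = 20  # how long the prompt stays open; not modelled below


def delay_after_failure(n, opts):
    """Seconds a user waits after the n-th consecutive password failure.
    Assumed model: no delay below backoff-threshold; at the threshold the
    delay is backoff-factor seconds and grows by backoff-factor per failure."""
    if n < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (n - opts.backoff_threshold + 1)


def session(opts, attempts):
    """Simulate one login session from a list of attempt results
    (True = correct password). Returns (outcome, guesses_used, seconds_delayed)."""
    delayed = 0
    failures = 0
    for ok in attempts:
        if ok:
            return "logged-in", failures + 1, delayed
        failures += 1
        if failures >= opts.tries_before_disconnect:
            return "disconnected", failures, delayed
        delayed += delay_after_failure(failures, opts)
    return "open", failures, delayed


def wrong_password_cost(opts):
    """Guesses one connection yields, and the delay it accumulates, when every
    password is wrong: the figure to look at when choosing backoff values."""
    _outcome, guesses, delayed = session(opts, [False] * opts.tries_before_disconnect)
    return guesses, delayed


if __name__ == "__main__":
    opts = RetryOptions()
    print("delay schedule:", [delay_after_failure(n, opts) for n in range(1, 10)])
    print("all-wrong session:", wrong_password_cost(opts))
    print("third try correct:", session(opts, [False, False, True]))
```

With the post's values a connection is cut after the tenth failure and, under the assumed schedule, has spent 180 seconds in enforced delays by then, while a legitimate user who mistypes twice waits only 5 seconds before the correct password is accepted.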