Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EX4200 security problem. How to protect particular interface?

    Posted 11-30-2010 01:53

    Hi everyone!

    There is a EX4200 switch with interface ge-0/0/1.0 configured as 1.1.1.146/30. This interface is connected to the Internet.

    user1@EX4200# show interfaces ge-0/0/1.0  
    family inet {
        filter {
            input DENY_EXT;
        }
        address 1.1.1.146/30;
    }

    If I issue a command "show log messages", I can see attempts to login over SSH, like this one:

    user1@EX4200> show log messages 
    Nov 30 10:37:15  EX4200 sshd[18479]: Failed password for root from 212.156.122.94 port 45928 ssh2
    Nov 30 10:37:15  EX4200 inetd[703]: /usr/sbin/sshd[18479]: exited, status 255

    To prevent these login attempts I've applied the filter.

    As I do not need to ssh from the Internet, I've closed all TCP/UDP ports for incoming connections:

    user1@EX4200# show firewall 
    family inet {
        filter DENY_EXT {
            term DENY_EXTERNAL {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        1.1.1.146/32;
                    }
                }
                then {
                    discard;
                }
            }
            term DEFAULT {
                then accept;
            }
        }
    }

    So, this filter should discard the traffic sourced from any host and destined to itself, and pass other traffic.

    But the problem is that I still can see those login attempts!!


    Question 1: How could it be possible when ALL ports are closed by the filter?

    Question 2: Is it possible to turn off services like SSH on the particular interface (in my case ge-0/0/1.0)?


    Maybe there is another way to solve this problem - I would appreciate any advice!

    Thank you!



  • 2.  RE: EX4200 security problem. How to protect particular interface?

    Posted 11-30-2010 06:42

    Hello Totem, if you are looking to secure management access to the switch, you should create a filter, allowing some access of course so you can manage the box, and apply it to the loopback interface.  When you apply a filter to the loopback, this protects the routing engine, which basically means all traffic that is destined for the switch itself.  I can provide an example if you like.



  • 3.  RE: EX4200 security problem. How to protect particular interface?

    Posted 11-30-2010 22:25

    B2, thank you for the answer!

    Yes, I would like to see an example!

    Regarding the Question 1 - any ideas?



  • 4.  RE: EX4200 security problem. How to protect particular interface?

    Posted 12-02-2010 21:41

    I would see if your firewall filter is getting hits on the term you are using.  You can check this by doing a "show firewall". 

    Here is an example that may work for you.  Don't specifically add the 0.0.0.0/0 for the source.  It's implied if you don't specify a source. And add the protocol and port of what you are trying to block. 

    set firewall filter deny-ext term deny-external from destination-address 1.1.1.146/32
    set firewall filter deny-ext term deny-external from protocol tcp
    set firewall filter deny-ext term deny-external from destination-port ssh
    set firewall filter deny-ext term deny-external then discard
    set firewall filter deny-ext term default then accept

    Screenie has an excellent example on how to restrict certain management ports and not to block production transit traffic. 

    http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-permited-IP-on-SRX/td-p/58392



  • 5.  RE: EX4200 security problem. How to protect particular interface?

    Posted 12-03-2010 01:32

    Shadow, thank you for the answer!

    The example filter you've provided was the first I've tried...

    It only discards packets with the destination port ssh (TCP 22). But in the "show log messages" output we can see not only port 22, but random ports!

    Here is the example:

    Nov  30 05:32:21  EX4200 sshd[19614]: Failed password for root from 78.129.227.211 port 35617 ssh2
    Nov  30 05:32:21  EX4200 inetd[703]: /usr/sbin/sshd[19614]: exited, status 255 

    That's why I've closed all ports - both TCP and UDP!

    As far as I understand, the term...

    set firewall filter deny-ext term deny-external from destination-address 1.1.1.146/32
    set firewall filter deny-ext term deny-external then discard


    ...blocks all traffic destined to 1.1.1.146/32 no matter what destination port or protocol is!

    Is it right?

    In the Screenie's example I can see the filter is applied to the loopback interface lo0...

    Maybe I should apply my filter to lo0 instead of ge-0/0/1.0?



  • 6.  RE: EX4200 security problem. How to protect particular interface?
    Best Answer

    Posted 12-03-2010 05:46

    Totem, the log message you showed with port 35617, that's the source port of the connection, so it is ephemeral, the target port will be 22.  If you want to protect management access to your box, you definitely should use the loopback interface, but DO NOT use a firewall filter that blocks all UDP and TCP traffic or you won't be able to manage your device remotely.  Here is an example of only allowing SSH access to your device (it doesn't matter what local IP on your device you connect to, it will protect all of them) from one specific network:

        filter REMOTE {
            term ACCEPT_REMOTE {
                from {
                    source-address {
                        10.0.0.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term DENY_REMOTE {
                from {
                    destination-port ssh;
                }
                then {
                    discard;
                }
            }
        }
    }

    then apply it to the loopback:

    set interfaces lo0 unit 0 family inet filter input REMOTE


    Then only ssh connections from the 10.0.0.0/24 network will be accepted.  I'm not sure why the filter you are using now isn't seeming to block anything, I'll take a closer look at it.
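As an added illustration (not part of the thread and not Juniper's code): a small Python model of how a Junos firewall filter evaluates its terms, first matching term wins and an unmatched packet hits the implicit discard at the end of every filter, together with a parser for the "Failed password" lines quoted above. Running it shows two things the posts discuss: the port in the sshd message is the client's ephemeral source port, so a filter matching on destination port 22 still covers those attempts; and REMOTE, as written with no final accept term, also discards anything to the routing engine that is not SSH (NTP, DNS, routing protocols), which is worth checking before applying it to lo0. The `Term` structure, the function names and the sample packets are assumptions of this example; the addresses and the log line come from the thread.

```python
"""Model of Junos filter evaluation (first match wins, implicit discard) and a
parser for the sshd 'Failed password' lines quoted in the thread. Matching is
simplified to address, protocol and destination-port; this is illustrative
code for the thread, not Junos itself."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

# sshd line as it appears in 'show log messages' on the EX4200 in the thread
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+) "
    r"port (?P<sport>\d+) ssh2"
)

SWITCH_IP = "1.1.1.146"   # address of ge-0/0/1.0 from the thread


def parse_failed_login(line: str) -> Optional[dict]:
    """Return the fields of a 'Failed password' line, or None for other lines.
    The port in the message is the client's source port; sshd listens on
    TCP/22, which is the destination port a filter term has to match."""
    m = SSHD_FAILED.search(line)
    if not m:
        return None
    return {"user": m["user"], "src": m["src"], "src_port": int(m["sport"]),
            "protocol": "tcp", "dst_port": 22}


@dataclass
class Term:
    """One 'term' of a filter; empty match fields mean 'match anything'."""
    name: str
    action: str                                   # "accept" or "discard"
    source_address: Sequence[str] = ()
    destination_address: Sequence[str] = ()
    protocol: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.source_address and not any(
                ip_address(pkt["src"]) in ip_network(n) for n in self.source_address):
            return False
        if self.destination_address and not any(
                ip_address(pkt["dst"]) in ip_network(n) for n in self.destination_address):
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.destination_port is not None and pkt.get("dst_port") != self.destination_port:
            return False
        return True


def evaluate(terms: Sequence[Term], pkt: dict) -> Tuple[str, str]:
    """First matching term decides; no match means the implicit final discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", "discard"


# The REMOTE filter from the thread, as an ordered list of terms.
REMOTE = [
    Term("ACCEPT_REMOTE", "accept", source_address=["10.0.0.0/24"],
         protocol="tcp", destination_port=22),
    Term("DENY_REMOTE", "discard", destination_port=22),
]

# The original DENY_EXT filter: everything to the switch's own address is discarded.
DENY_EXT = [
    Term("DENY_EXTERNAL", "discard", source_address=["0.0.0.0/0"],
         destination_address=[SWITCH_IP + "/32"]),
    Term("DEFAULT", "accept"),
]


def packet_from_log(line: str) -> Optional[dict]:
    """Rebuild the packet a filter would have seen for a logged login attempt."""
    fields = parse_failed_login(line)
    if fields is None:
        return None
    return {"src": fields["src"], "dst": SWITCH_IP,
            "protocol": "tcp", "dst_port": fields["dst_port"]}


if __name__ == "__main__":
    # constructed sample: the log line quoted in the first post of the thread
    line = ("Nov 30 10:37:15  EX4200 sshd[18479]: Failed password for root "
            "from 212.156.122.94 port 45928 ssh2")
    attempt = packet_from_log(line)
    print("parsed  :", parse_failed_login(line))          # src_port 45928, dst_port 22
    print("REMOTE  :", evaluate(REMOTE, attempt))         # DENY_REMOTE / discard
    print("DENY_EXT:", evaluate(DENY_EXT, attempt))       # DENY_EXTERNAL / discard
    # management SSH from the permitted network
    print(evaluate(REMOTE, {"src": "10.0.0.5", "dst": SWITCH_IP,
                            "protocol": "tcp", "dst_port": 22}))   # ACCEPT_REMOTE
    # NTP to the switch: no term in REMOTE matches, so the implicit discard applies
    print(evaluate(REMOTE, {"src": "10.0.0.5", "dst": SWITCH_IP,
                            "protocol": "udp", "dst_port": 123}))  # implicit / discard
```

The last call is the check worth making before committing: if the loopback filter has no final `then accept` term, every other protocol the routing engine needs is dropped along with the unwanted SSH.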


  • 7.  RE: EX4200 security problem. How to protect particular interface?

    Posted 12-05-2010 22:41

    B2, thank you for the example!

    I'll try to apply it and watch if it works.

    There is one more question - is it possible to turn off the desired service(s) on the particular interface?

    I mean - not just applying the filter, but administratively turn off the desired service(s)!

    For example - I want the SSH service to run only on the vme.0 interface. Is it possible?

    It would be nice to see the corresponding configuration examples! 



  • 8.  RE: EX4200 security problem. How to protect particular interface?

    Posted 12-07-2010 10:50

    Technical question aside, it's generally considered best practice to use a security device when connecting to the outside - as these devices have more options and flexibility in dealing with these sorts of problems.  I think an SRX would be a great fit here.