Ethernet Switching
Contributor
Totem
Posts: 15
Registered: ‎02-09-2010
0
Accepted Solution

EX4200 security problem. How to protect particular interface?


Hi everyone!

There is an EX4200 switch with interface ge-0/0/1.0 configured as 1.1.1.146/30. This interface is connected to the Internet.


user1@EX4200# show interfaces ge-0/0/1.0  
family inet {
    filter {
        input DENY_EXT;
    }
    address 1.1.1.146/30;
}


If I issue a command "show log messages", I can see attempts to login over SSH, like this one:


user1@EX4200> show log messages 
Nov 30 10:37:15  EX4200 sshd[18479]: Failed password for root from 212.156.122.94 port 45928 ssh2
Nov 30 10:37:15  EX4200 inetd[703]: /usr/sbin/sshd[18479]: exited, status 255


To prevent these login attempts I've applied the filter.

As I do not need to ssh from the Internet, I've closed all TCP/UDP ports for incoming connections:

user1@EX4200# show firewall 
family inet {
    filter DENY_EXT {
        term DENY_EXTERNAL {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    1.1.1.146/32;
                }
            }
            then {
                discard;
            }
        }
        term DEFAULT {
            then accept;
        }
    }
}


So, this filter should discard the traffic sourced from any host and destined to itself, and pass other traffic.


But the problem is that I still can see those login attempts!!


Question 1: How could it be possible when ALL ports are closed by the filter?

Question 2: Is it possible to turn off services like SSH on the particular interface (in my case ge-0/0/1.0)?


Maybe there is another way to solve this problem - I would appreciate any advice!

Thank you!


Super Contributor
B2
Posts: 172
Registered: ‎05-06-2010
0

Re: EX4200 security problem. How to protect particular interface?

Hello Totem, if you are looking to secure management access to the switch, you should create a filter, allowing some access of course so you can manage the box, and apply it to the loopback interface.  When you apply a filter to the loopback, this protects the routing engine, which basically means all traffic that is destined for the switch itself.  I can provide an example if you like.

Contributor
Totem
Posts: 15
Registered: ‎02-09-2010
0

Re: EX4200 security problem. How to protect particular interface?


B2, thank you for the answer!

Yes, I would like to see an example!


Regarding the Question 1 - any ideas?

Recognized Expert
traceoptions
Posts: 152
Registered: ‎04-29-2008
0

Re: EX4200 security problem. How to protect particular interface?


I would see if your firewall filter is getting hits on the term you are using.  You can check this by doing a "show firewall". 


Here is an example that may work for you.  Don't specifically add the 0.0.0.0/0 for the source.  It's implied if you don't specify a source.  And add the protocol and port of what you are trying to block.


set firewall filter deny-ext term deny-external from destination-address 1.1.1.146/32
set firewall filter deny-ext term deny-external from protocol tcp
set firewall filter deny-ext term deny-external from destination-port ssh
set firewall filter deny-ext term deny-external then discard
set firewall filter deny-ext term default then accept


Screenie has an excellent example on how to restrict certain management ports and not to block production transit traffic. 


http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-permited-IP-on-SRX/td-p/583...


JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
Contributor
Totem
Posts: 15
Registered: ‎02-09-2010
0

Re: EX4200 security problem. How to protect particular interface?

Shadow, thank you for the answer!

The example filter you've provided was the first I've tried...

It only discards packets with the destination port ssh (TCP 22). But in the "show log messages" output we can see not only port 22, but random ports!


Here is the example:

Nov  30 05:32:21  EX4200 sshd[19614]: Failed password for root from 78.129.227.211 port 35617 ssh2
Nov  30 05:32:21  EX4200 inetd[703]: /usr/sbin/sshd[19614]: exited, status 255 


That's why I've closed all ports - both TCP and UDP!

As far as I understand, the term...


set firewall filter deny-ext term deny-external from destination-address 1.1.1.146/32
set firewall filter deny-ext term deny-external then discard


...blocks all traffic destined to 1.1.1.146/32 no matter what destination port or protocol is!

Is it right?


In the Screenie's example I can see the filter is applied to the loopback interface lo0...

Maybe I should apply my filter to lo0 instead of ge-0/0/1.0?


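As an added illustration (not part of the thread), here is a small Python parser for sshd lines of the kind quoted above, run over constructed sample lines with placeholder addresses. In sshd's "Failed password for X from IP port N" message the port is the remote peer's source port, which is why it differs from one attempt to the next; the listening side is still tcp/22. Grouping the failures by source makes that visible and gives a defender a quick count of who is probing the management plane and whether they fall outside the trusted management prefix (assumed here to be 10.0.0.0/24).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the "show log messages" output in the
# thread; the addresses, ports and pids are made-up placeholders.
SAMPLE_LOG = """\
Nov 30 10:37:15  EX4200 sshd[18479]: Failed password for root from 203.0.113.7 port 45928 ssh2
Nov 30 10:37:15  EX4200 inetd[703]: /usr/sbin/sshd[18479]: exited, status 255
Nov 30 10:37:19  EX4200 sshd[18482]: Failed password for root from 203.0.113.7 port 45931 ssh2
Nov 30 10:37:19  EX4200 inetd[703]: /usr/sbin/sshd[18482]: exited, status 255
Nov 30 10:38:02  EX4200 sshd[18490]: Failed password for admin from 198.51.100.23 port 35617 ssh2
Nov 30 10:38:02  EX4200 inetd[703]: /usr/sbin/sshd[18490]: exited, status 255
Nov 30 10:40:44  EX4200 sshd[18510]: Accepted password for user1 from 10.0.0.5 port 52210 ssh2
"""

# sshd's "Failed password" line: the "from <ip> port <n>" part names the
# peer's address and the peer's *source* port; sshd itself listens on tcp/22.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_failed_logins(text):
    """Return a list of (user, source_ip, source_port) for each failed SSH login."""
    hits = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip"), int(m.group("port"))))
    return hits


def summarize(hits, trusted_nets=("10.0.0.0/24",)):
    """Group failures by source IP and flag sources outside the trusted management prefixes."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    per_src = defaultdict(list)
    for _user, ip, port in hits:
        per_src[ip].append(port)
    report = {}
    for ip, ports in per_src.items():
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "attempts": len(ports),
            "source_ports": sorted(ports),
            # Ports >= 1024 are the client-side ephemeral range: these vary per
            # connection, which is what makes them look "random" in the log.
            "ephemeral": all(p >= 1024 for p in ports),
            "outside_trusted": not any(addr in net for net in trusted),
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_failed_logins(SAMPLE_LOG)).items():
        print(ip, info)
```

Only the failed-login lines are counted; the "exited, status 255" lines from inetd carry no peer information and the successful login from the trusted prefix is left out of the report.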
Super Contributor
B2
Posts: 172
Registered: ‎05-06-2010
0

Re: EX4200 security problem. How to protect particular interface?

Totem, the log message you showed with port 35617, that's the source port of the connection, so it is ephemeral, the target port will be 22.  If you want to protect management access to your box, you definitely should use the loopback interface, but DO NOT use a firewall filter that blocks all UDP and TCP traffic or you won't be able to manage your device remotely.  Here is an example of only allowing SSH access to your device (it doesn't matter what local IP on your device you connect to, it will protect all of them) from one specific network:


    filter REMOTE {
        term ACCEPT_REMOTE {
            from {
                source-address {
                    10.0.0.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term DENY_REMOTE {
            from {
                destination-port ssh;
            }
            then {
                discard;
            }
        }
    }


then apply it to the loopback:


set interfaces lo0 unit 0 family inet filter input REMOTE


Then only ssh connections from the 10.0.0.0/24 network will be accepted.  I'm not sure why the filter you are using now isn't seeming to block anything, I'll take a closer look at it.


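An added example, written for this thread and not Juniper's or any poster's code: a small Python model of how a Junos stateless firewall filter evaluates its terms, in order, first match wins, with the implicit discard that ends every filter. It encodes B2's REMOTE filter and Totem's DENY_EXT filter and runs constructed packets (placeholder addresses, not the thread's) through them. One caveat worth seeing in code: as posted, REMOTE has no final accept term, so applied to lo0 it would also drop every other packet addressed to the routing engine (routing-protocol neighbours, NTP, SNMP, DNS replies); REMOTE_WITH_DEFAULT adds the catch-all accept that keeps such traffic alive. The model also shows that DENY_EXT, as written, does match the brute-forcer's packet, so if the log entries keep appearing, confirming whether the term is actually being hit, as suggested earlier in the thread, is the next thing to check.

```python
import ipaddress

# Minimal model of Junos stateless filter semantics: terms are tried in order,
# the first term whose "from" conditions all match decides the action, and a
# packet matching no term is discarded (implicit discard at the end).
# Illustration only, not Junos code.


def make_term(name, action, source_address=None, destination_address=None,
              protocol=None, destination_port=None):
    """Build a term; an omitted 'from' condition matches anything, as in Junos."""
    return {"name": name, "action": action, "from": {
        "source_address": [ipaddress.ip_network(p) for p in (source_address or [])],
        "destination_address": [ipaddress.ip_network(p) for p in (destination_address or [])],
        "protocol": protocol,
        "destination_port": destination_port,
    }}


def term_matches(term, pkt):
    f = term["from"]
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if f["source_address"] and not any(src in n for n in f["source_address"]):
        return False
    if f["destination_address"] and not any(dst in n for n in f["destination_address"]):
        return False
    if f["protocol"] and pkt["proto"] != f["protocol"]:
        return False
    if f["destination_port"] is not None and pkt.get("dport") != f["destination_port"]:
        return False
    return True


def evaluate(filter_terms, pkt):
    """Return (action, term_name); ('discard', None) is the implicit final discard."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term["action"], term["name"]
    return "discard", None


# B2's REMOTE filter as posted: no final accept term.
REMOTE = [
    make_term("ACCEPT_REMOTE", "accept", source_address=["10.0.0.0/24"],
              protocol="tcp", destination_port=22),
    make_term("DENY_REMOTE", "discard", destination_port=22),
]
# Same filter plus an explicit catch-all accept so other RE traffic survives.
REMOTE_WITH_DEFAULT = REMOTE + [make_term("DEFAULT", "accept")]

# Totem's DENY_EXT filter from the first post.
DENY_EXT = [
    make_term("DENY_EXTERNAL", "discard", source_address=["0.0.0.0/0"],
              destination_address=["1.1.1.146/32"]),
    make_term("DEFAULT", "accept"),
]

# Constructed packets (placeholder addresses): a brute-forcer, a trusted admin,
# an NTP reply to the switch, and transit traffic not addressed to the switch.
ATTACKER_SSH = {"src": "203.0.113.7", "dst": "1.1.1.146", "proto": "tcp", "dport": 22}
ADMIN_SSH = {"src": "10.0.0.5", "dst": "1.1.1.146", "proto": "tcp", "dport": 22}
NTP_REPLY = {"src": "192.0.2.10", "dst": "1.1.1.146", "proto": "udp", "dport": 123}
TRANSIT_HTTP = {"src": "203.0.113.7", "dst": "1.1.1.145", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for name, flt in (("REMOTE", REMOTE), ("REMOTE_WITH_DEFAULT", REMOTE_WITH_DEFAULT),
                      ("DENY_EXT", DENY_EXT)):
        for label, pkt in (("attacker ssh", ATTACKER_SSH), ("admin ssh", ADMIN_SSH),
                           ("ntp reply", NTP_REPLY), ("transit http", TRANSIT_HTTP)):
            print(f"{name:20} {label:13} -> {evaluate(flt, pkt)}")
```

The model deliberately ignores counters, logging actions and the difference between a filter on a physical interface and one on lo0; its point is the ordering and the implicit discard, which are what decide whether an lo0 filter protects the switch or locks the operator out of it.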
Contributor
Totem
Posts: 15
Registered: ‎02-09-2010
0

Re: EX4200 security problem. How to protect particular interface?

B2, thank you for the example!

I'll try to apply it and watch if it works.


There is one more question - is it possible to turn off the desired service(s) on the particular interface?

I mean - not just applying the filter, but administratively turn off the desired service(s)!


For example - I want the SSH service to run only on the vme.0 interface. Is it possible?

It would be nice to see the corresponding configuration examples!

Recognized Expert
JNPRdhanks
Posts: 301
Registered: ‎11-01-2010
0

Re: EX4200 security problem. How to protect particular interface?

Technical question aside, it's generally considered best practice to use a security device when connecting to the outside - as these devices have more options and flexibility in dealing with these sorts of problems.  I think an SRX would be a great fit here.

Doug Hanks
JNCIE-ENT #213, JNCIE-SP #875

Follow me on Twitter @douglashanksjr