Junos OS

  • 1.  Firewall filter placement

    Posted 08-13-2015 14:53

    Hello,

    We have a Juniper EX3300 setup (Virtual Chassis-2) as our edge router before the firewall.  Right now it is getting pounded with SSH login attempts.  I was hoping to block the SSH traffic and possibly disable the root account.  Any help would be appreciated with my questions.

    What I have so far:

    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
    set firewall family inet filter ALLOWED-SSH term SSH from port ssh
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept

    set policy-options prefix-list ALLOWED-HOSTS 10.0.0.0/8 "local IPs"
    set policy-options prefix-list ALLOWED-HOSTS 12.34.56.78/32 "The firewall outside IP"

    Switch config:

    set interfaces lo0 unit 0 family inet address 127.0.0.1/32
    set interfaces vlan unit 60 family inet address 12.34.56.79/30 "What I use for SSH management"

    My first question is where does the filter go in this setup?

    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    -or-

    set interfaces vlan unit 60 family inet filter input ALLOWED-SSH

    Any advice on the root account question?  Good idea or can it backfire badly?

    Thanks for any help,

    Todd



  • 2.  RE: Firewall filter placement

    Posted 08-13-2015 15:25

    Hi,

    Considering it is the edge before the firewall you might consider applying an inbound firewall filter on the edge interface as well as securing the control plane. Apply your filter on the loopback interface; you might also consider locking it down further for better protection, but make sure you permit all protocols required for your network 🙂

    If you can, always make the last term an accept with log and gradually add new terms above permitting the "good" traffic, and eventually change the last term to deny when you are satisfied.

    Personally I never permit root login via ssh/telnet on a production device.

    One note with securing the control plane: if another loopback unit is created on the device without the firewall filter then the device is not totally secure. You can use apply-groups to avoid this occurring:

    groups {
        protect-re {
            interfaces {
                lo0 {
                    unit 0 {
                        family inet {
                            filter {
                                input ALLOWED-SSH;
                            }
                        }
                    }
                }
            }
        }
    }
    apply-groups protect-re;

    Tim



  • 3.  RE: Firewall filter placement

    Posted 08-13-2015 23:42

    Hi Tim,

    To achieve the goal you have described, the protect-re firewall filter must be modified to "unit <*>" instead of "unit 0".

    Cheers,

    Carsten



  • 4.  RE: Firewall filter placement

    Posted 08-14-2015 15:09

    Sorry yes, my typo. 🙂



  • 5.  RE: Firewall filter placement

    Posted 08-21-2015 13:59

    OK, here is an odd impact.  I put the following commands into a router in our wide area network.

    set system services ssh root-login deny
    set system services ssh protocol-version v2

    set policy-options prefix-list ALLOWED-HOSTS 10.0.0.0/8
    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
    set firewall family inet filter ALLOWED-SSH term SSH from port ssh
    set firewall family inet filter ALLOWED-SSH term SSH then accept
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept

    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    The idea was to prevent Guest network access from 192 address systems connecting to ssh.  There are no routes, but just in case it sounded like a good idea.  The strange thing is that BOOTP relay stopped working for the voice network.  See some of my config options below.

    set interfaces lo0 unit 0 family inet address 127.0.0.1/32
    set interfaces vlan unit 7 family inet address 10.7.20.1/24
    set interfaces vlan unit 8 family inet address 192.168.10.1/24
    set interfaces vlan unit 20 family inet address 10.20.0.1/16

    set forwarding-options helpers bootp server 10.10.10.1
    set forwarding-options helpers bootp interface vlan.10
    set forwarding-options helpers bootp interface vlan.7

    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SITE1-LAN
    set ethernet-switching-options voip interface ge-0/0/0.0 vlan VoIP
    set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class expedited-forwarding

    set vlans SITE1-LAN vlan-id 20
    set vlans SITE1-LAN l3-interface vlan.20
    set vlans VoIP vlan-id 7
    set vlans VoIP l3-interface vlan.7
    set vlans GUEST-LAN vlan-id 8
    set vlans GUEST-LAN l3-interface vlan.8

    If we static map an IP phone it can't even ping the 10.10.10.1 DHCP server.  Oddly it can ping the remote switch where that DHCP server is attached.  The solution to getting DHCP for the phones to work was to run the following:

    delete interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    The phones came right up after that.

    Any ideas,

    Todd



  • 6.  RE: Firewall filter placement

    Posted 08-21-2015 14:08

    Hi,

    I do not see an issue with the config, however it is best to be as specific as possible with the filters. At the moment you are matching anything port 22... udp and tcp, src or dst.

    So we know that it is tcp and dst port 22, so I would adjust the terms to be more specific and also log any of the terms with discard so you can confirm what is being dropped. As the device is performing the bootp function it is likely the traffic was dropped by the RE.

    I recently hit a bug with a filter not being specific enough and it actually dropped other traffic.

    Tim



  • 7.  RE: Firewall filter placement

    Posted 08-21-2015 14:26

    OK, so replace:

    set firewall family inet filter ALLOWED-SSH term SSH from port ssh

    with:

    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh protocol tcp

    I will try and report back next week.  Don't think I should try this right before I leave.

    Thanks,

    Todd

     



  • 8.  RE: Firewall filter placement
    Best Answer

    Posted 08-21-2015 14:36

    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then log

    Yes, good idea not to make changes right before you leave 😉

    Tim



  • 9.  RE: Firewall filter placement

    Posted 09-01-2015 13:33

    Thanks Tim,

    That solved the problem.

    On a side note, the log option does not work on either the EX4200, EX3200, or EX2200 I tested on.  Otherwise, the config works great.

    Thanks again,

    Todd



  • 10.  RE: Firewall filter placement

    Posted 09-01-2015 13:36

    Forgot to post my finished code, in case someone else needs it.

    set policy-options prefix-list ALLOWED-HOSTS 10.0.0.0/8

    set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
    set firewall family inet filter ALLOWED-SSH term SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term SSH then accept

    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from destination-port ssh
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from protocol tcp
    set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard

    set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept

    set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH

    -Todd
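To make the difference between the original filter (post 1, "from port ssh") and the Best Answer / finished version (posts 8 and 10, "from destination-port ssh" plus "from protocol tcp") concrete, here is a small Python model of Junos first-match term evaluation. It is an added example, not code from this thread or from Juniper, and it only models the match logic: a Junos `port` condition matches either the source or the destination port in any protocol, while `destination-port` with `protocol tcp` matches only TCP traffic to that port. The packets, the `Packet`/`Term` classes and the `run` helper are constructed for the example; the addresses are the thread's own or RFC 5737 documentation ranges.

```python
"""Toy model of Junos stateless firewall filter term matching.

Added example, not code from the forum thread or from Juniper. It models
first-match evaluation of the thread's ALLOWED-SSH filter to show what the
original loose match ("from port ssh": source OR destination port 22 in
any protocol) catches compared with the Best Answer version
("from destination-port ssh" plus "from protocol tcp").
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Term:
    name: str
    action: str  # "accept" or "discard"
    source_prefixes: List[str] = field(default_factory=list)  # source-prefix-list
    protocol: Optional[str] = None          # from protocol tcp
    port: Optional[int] = None              # from port N: matches src OR dst port
    destination_port: Optional[int] = None  # from destination-port N

    def matches(self, pkt: Packet) -> bool:
        # All configured conditions of different types must hold (AND).
        if self.source_prefixes:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(p) for p in self.source_prefixes):
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        if self.destination_port is not None and pkt.dport != self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term.

    A Junos filter ends with an implicit discard if no term matches.
    """
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", "discard"


ALLOWED_HOSTS = ["10.0.0.0/8"]
SSH = 22

# Original post: "from port ssh" with no protocol qualifier.
LOOSE_FILTER = [
    Term("SSH", "accept", source_prefixes=ALLOWED_HOSTS, port=SSH),
    Term("BLOCK-SSH", "discard", port=SSH),
    Term("ACCEPT-ALL", "accept"),
]

# Best Answer / finished config: TCP to destination port 22 only.
STRICT_FILTER = [
    Term("SSH", "accept", source_prefixes=ALLOWED_HOSTS, protocol="tcp", destination_port=SSH),
    Term("BLOCK-SSH", "discard", protocol="tcp", destination_port=SSH),
    Term("ACCEPT-ALL", "accept"),
]

# Constructed sample packets arriving at the RE (lo0 input filter).
SAMPLE_PACKETS = {
    # management SSH from the trusted 10/8 range
    "ssh-from-lan": Packet("10.7.20.5", "10.7.20.1", "tcp", 51000, SSH),
    # SSH attempt from the guest VLAN (192.168.10.0/24)
    "ssh-from-guest": Packet("192.168.10.9", "192.168.10.1", "tcp", 51001, SSH),
    # DHCP discover reaching the relay: UDP 68 -> 67, port 22 not involved
    "dhcp-discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    # reply to an SSH session the switch itself opened: source port 22
    "ssh-reply-to-switch": Packet("203.0.113.5", "12.34.56.79", "tcp", SSH, 40000),
    # unrelated UDP datagram that merely has source port 22
    "udp-sport-22": Packet("198.51.100.7", "12.34.56.79", "udp", SSH, 5000),
}


def run(terms: List[Term]) -> dict:
    """Evaluate every sample packet against one filter."""
    return {name: evaluate(terms, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, terms in (("loose", LOOSE_FILTER), ("strict", STRICT_FILTER)):
        print(label)
        for name, (term, action) in run(terms).items():
            print(f"  {name:22s} -> {term:10s} {action}")
```

Running it shows the loose filter discarding any packet that carries port 22 on either side, including the reply half of an SSH session opened from the switch itself and an unrelated UDP datagram with source port 22, while the strict filter only ever matches TCP destined to port 22. As modelled, neither version touches the DHCP relay exchange on UDP 67/68, which agrees with Tim's remark that the configuration itself looked fine; the model cannot reproduce the platform-specific behaviour he attributes to a bug, which is exactly why he recommends logging the discard term and confirming on the device what is actually being dropped.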



  • 11.  RE: Firewall filter placement

    Posted 08-14-2015 03:20

    You can disable root for ssh and this would be a good idea in your situation.

    http://www.juniper.net/documentation/en_US/junos12.2/topics/task/configuration/ssh-services-configuring.html

    By default, users are allowed to log in to the router or switch as root through SSH. To control user access through SSH, include the root-login statement at the [edit system services ssh] hierarchy level:

    [edit system services ssh]
    root-login (allow | deny | deny-password);

    allow—Allows users to log in to the router or switch as root through SSH. The default is allow.

    deny—Disables users from logging in to the router or switch as root through SSH.

    deny-password—Allows users to log in to the router or switch as root through SSH when the authentication method (for example, RSA) does not require a password.