Junos OS

last person joined: 14 hours ago 

Ask questions and share experiences about Junos OS.

  • 1.  Getting failed login attempts from syslog

    Posted 03-16-2017 18:17

    Hello all, 

     

    I am looking for some direction in tracking failed login attempts via syslog.  I am getting some events to my syslog server, but I am looking specifically to be able to audit failed login attempts.  I am using SRX 220 running [12.3X48-D40.5].

     

    Here is my current syslog config:

     

    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        host 192.168.1.2 {
            any any;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file traffic-log {
            any any;
            match RT_FLOW_SESSION;
        }
        file default-log-messages {
            any info;
            match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
            structured-data;
        }
        log-rotate-frequency 15;
    }

     Thank you



  • 2.  RE: Getting failed login attempts from syslog

     
    Posted 03-16-2017 18:53

    set system syslog file login-attempts authorization any  ====> To get all login attempts

     

    Add below match condition to get only failed login attempts.


    set system syslog file login-attempts match "(login_failed  | login_pam_authentication_error | login_pam_error  | login_timed_out  | sshd_login_failed)”

     

     

    Below config to send these logs to syslog server.

     

    set system syslog host x.x.x.x authorization any
    set system syslog host x.x.x.x match "(login_failed  | login_pam_authentication_error | login_pam_error  | login_timed_out  | sshd_login_failed)"

     

     

    ref: https://kb.juniper.net/KB23652  How to generate SNMP traps for login authentication failures



  • 3.  RE: Getting failed login attempts from syslog

     
    Posted 03-16-2017 22:02

    Hi Folks,

    To add to above data; please find these data more usefull with SRX boxes,

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28968

    [SRX] How to block Telnet and SSH Brute Force log-in attacks


    SUMMARY:
    How to prevent log-in (username & password) attacks on an SRX, especially attacks such as Brute Force attacks, which involve systematically checking all possible keys until the correct key is found for accessing the device.

    SYMPTOMS:
    Malicious users sometimes try to log into a secure device by guessing an authorized user's account password. The goal is to protect a device from malicious users by locking out a user account after a number of failed authentication attempts.

    SOLUTION:
    Junos provides multiple options for blocking Telnet and SSH Brute Force log-in attacks on SRX devices.

    Creating a Log-In Attempt Limit

    To help prevent Brute Force attacks, set an attempt limit for users to make a mistake in entering their username or password. If the user exceeds the log-in limit, the system will either lock him out or prevent any future log-in attempts for a set amount of time.

    Set the following options according to your requirements and commit the changes:

    root@SRX# set system login retry-options backoff-threshold ?
    Possible completions:
    <backoff-threshold> Number of password failures before delay is introduced (1..3)
    root@SRX# set backoff-threshold 3

    root@SRX# set system login retry-options backoff-factor ?
    Possible completions:
    <backoff-factor> Delay factor after 'backoff-threshold' password failures
    root@SRX# set backoff-factor 10

    root@SRX# root@SRX# set system login retry-options tries-before-disconnect ?
    Possible completions:
    <tries-before-disconnect> Number of times user is allowed to try password (1..10)
    root@SRX# set tries-before-disconnect 5

    root@SRX# set system login retry-options lockout-period ?
    Possible completions:
    <lockout-period> Amount of time user account is locked after 'tries-before-disconnect' failures
    root@SRX# set system login retry-options lockout-period 4

    backoff-threshold: Sets the threshold for the number of failed log-in attempts on the device before the user experiences a delay when attempting to re-enter a password. When a user incorrectly logs into the device and hits the threshold of failed log-in attempts, the user experiences a delay (set in the backoff-factor statement) before he can attempt to log into the device again. The valid range for this option is 1 to 3 attempts.

    backoff-factor: Sets the length of the delay, in seconds, after each failed log-in attempt. When a user incorrectly logs into the device, the user must wait the configured amount of time before he can attempt to log into the device again. The length of the delay increases by the backoff-factor value for each subsequent log-in attempted after the value specified in the backoff-threshold statement is reached. The valid range for this option is 5 to 10 seconds.

    tries-before-disconnect: Sets the maximum number of times the user is allowed to enter a password in an attempt to log into the device through SSH or Telnet. When the user reaches the maximum number of failed log-in attempts, he is locked out of the device. The user must wait the configured amount of minutes in the lockout-period statement before he can attempt to log back into the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The valid value for this option is 1 to 10 attempts.

    lockout-period: Sets the amount of time, in minutes, that the user must wait before he can attempt to log into the device after being locked out due to the number of failed log-in attempts specified in the tries-before-disconnect statement. The lockout-period must be greater than zero. The valid range for this option range is 1 to 43,200 minutes.


    https://www.juniper.net/techpubs/en_US/junos/topics/example/authentication-login-attempts-ssh-telnet-sessions-limiting.html

    Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions to Prevent Unauthorized Access

    Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options command, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.

    The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet. Set the backoff-threshold to 2, the back-off-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds.

    The additional variables maximum-time and lockout-period are not set in this example.

    [edit]
    system {
    login {
    retry-options {
    backoff-threshold 2;
    backoff-factor 5;
    minimum-time 40;
    tries-before-disconnect 4;
    }
    password {
    }
    }
    }