Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  SSH Dictionary Attack on MX240 - how is it occurring when we have a protect RE filter?

    Posted 09-20-2010 06:17

    Hi all,

     

    We have several MX240s with JUNOS 9.3R2.8. One MX has been reporting the following:

     

    Sep 20 11:53:54  MX240-02 sshd[84403]: Failed password for tony from 202.99.82.69 port 53343 ssh2

    Sep 20 11:53:55  MX240-02 inetd[4805]: /usr/sbin/sshd[84403]: exited, status 255

    Sep 20 11:53:58  MX240-02 sshd: unrecognized attribute in Access-Reject: 18

    Sep 20 11:53:58  MX240-02 sshd[84405]: Failed password for walter from 202.99.82.69 port 25750 ssh2

    Sep 20 11:53:58  MX240-02 inetd[4805]: /usr/sbin/sshd[84405]: exited, status 255

    Sep 20 11:54:01  MX240-02 sshd: unrecognized attribute in Access-Reject: 18

    Sep 20 11:54:01  MX240-02 sshd[84407]: Failed password for walter from 202.99.82.69 port 36031 ssh2

    Sep 20 11:54:02  MX240-02 inetd[4805]: /usr/sbin/sshd[84407]: exited, status 255

     

    It appears that someone is performing an SSH dictionary attack on the MX.

     

    The MX is configured with routing-instances/VRFs and a logical-system. The router and the logical-system both have protect-RE firewall filters (which don't permit 202.99.82.69), so we are confused as to how a dictionary attack can be performed, or even how the attacker can get a login prompt.

     

    Is there any debugging which can be enabled to identify which interface and/or router/vrf/logical-system the SSH attack is coming in on?

     

    Also, are there any known security holes in JUNOS SSH which would allow an attacker to bypass the protect-RE?

     

    Thanks in advance,

    Chris



  • 2.  RE: SSH Dictionary Attack on MX240 - how is it occurring when we have a protect RE filter?
    Best Answer

    Posted 09-20-2010 07:56

    Hello there,

    I think this might be the case:

     

     

    If you configure Filter A on the default loopback interface but do not configure a filter on the VRF loopback interface, the VRF routing instance does not use a filter.

     

     

    http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html

     

    So the lo0.0 filter and the LR lo0.X filter won't protect the RE if the SSH attack comes from inside a VRF.

     

    HTH

    Regards

    Alex
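
An added example, not part of the original thread or Juniper's own tooling: a small audit script for the gap described in the answer above. It reads configuration in `show configuration | display set` form and lists routing instances whose loopback unit has no inet input filter. The sample configuration, instance names and addresses are constructed; the script assumes no `deactivate` statements and that group inheritance has already been expanded.

```python
import re

# Constructed sample in "display set" form (not taken from the thread).
SAMPLE_CONFIG = """\
set interfaces lo0 unit 0 family inet filter input protect-RE
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 1 family inet address 192.0.2.11/32
set interfaces lo0 unit 2 family inet filter input protect-RE
set interfaces lo0 unit 2 family inet address 192.0.2.12/32
set routing-instances CUST-A instance-type vrf
set routing-instances CUST-A interface ge-1/0/0.100
set routing-instances CUST-A interface lo0.1
set routing-instances CUST-B instance-type vrf
set routing-instances CUST-B interface lo0.2
set logical-systems LS1 interfaces lo0 unit 5 family inet address 192.0.2.15/32
set logical-systems LS1 routing-instances CUST-C instance-type vrf
set logical-systems LS1 routing-instances CUST-C interface lo0.5
"""

# Statements may be scoped to a logical system; ls is None for the main router.
SCOPE = r"set (?:logical-systems (?P<ls>\S+) )?"
FILTER_RE = re.compile(
    SCOPE + r"interfaces lo0 unit (?P<unit>\d+) family inet filter input(?:-list)? \S+")
MEMBER_RE = re.compile(
    SCOPE + r"routing-instances (?P<ri>\S+) interface lo0\.(?P<unit>\d+)$")

def unfiltered_instance_loopbacks(config_text):
    """Return sorted (logical_system, routing_instance, 'lo0.N') tuples for
    instance loopback units that carry no inet input filter."""
    filtered = set()   # (ls, unit) pairs with an input filter applied
    members = []       # (ls, instance, unit) loopback memberships
    for line in config_text.splitlines():
        line = line.strip()
        m = FILTER_RE.match(line)
        if m:
            filtered.add((m["ls"], m["unit"]))
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append((m["ls"], m["ri"], m["unit"]))
    gaps = [(ls, ri, f"lo0.{unit}") for ls, ri, unit in members
            if (ls, unit) not in filtered]
    return sorted(gaps, key=lambda t: (t[0] or "", t[1]))

if __name__ == "__main__":
    for ls, ri, unit in unfiltered_instance_loopbacks(SAMPLE_CONFIG):
        print(f"{ls or 'main'}: routing-instance {ri} uses {unit} with no input filter")
```

Only `family inet` is checked, matching the IPv4 SSH attempts in the logs; routing instances that have no loopback unit of their own are not reported.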



  • 3.  RE: SSH Dictionary Attack on MX240 - how is it occurring when we have a protect RE filter?

    Posted 09-20-2010 09:09

    Alex,

     

    I think you have "hit the nail on the head".

     

    I've checked from inside of one of the VRFs and I can SSH to our MX. So I suspect that's where my issue is coming from.

     

    Thank you.

     

    Chris