Hi all,
We have several MX240s with JUNOS 9.3R2.8. One MX has been reporting the following:
Sep 20 11:53:54 MX240-02 sshd[84403]: Failed password for tony from 202.99.82.69 port 53343 ssh2
Sep 20 11:53:55 MX240-02 inetd[4805]: /usr/sbin/sshd[84403]: exited, status 255
Sep 20 11:53:58 MX240-02 sshd: unrecognized attribute in Access-Reject: 18
Sep 20 11:53:58 MX240-02 sshd[84405]: Failed password for walter from 202.99.82.69 port 25750 ssh2
Sep 20 11:53:58 MX240-02 inetd[4805]: /usr/sbin/sshd[84405]: exited, status 255
Sep 20 11:54:01 MX240-02 sshd: unrecognized attribute in Access-Reject: 18
Sep 20 11:54:01 MX240-02 sshd[84407]: Failed password for walter from 202.99.82.69 port 36031 ssh2
Sep 20 11:54:02 MX240-02 inetd[4805]: /usr/sbin/sshd[84407]: exited, status 255
It appears that someone is performing an SSH dictionary attack on the MX.
The MX is configured with routing-instances/VRFs and a logical-system. The router and the logical-system both have protect-RE firewall filters (which don't permit 202.99.82.69), so we are confused as to how a dictionary attack can be performed, or even how the attacker can get a login prompt.
Is there any debugging which can be enabled to identify which interface and/or router/VRF/logical-system the SSH attack is coming in on?
Also, are there any known security holes in JUNOS SSH which would allow an attacker to bypass the protect-RE?
Thanks in advance,
Chris
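
Added example, not part of the original post: a small Python triage script that groups the failed sshd logins quoted above by source address and correlates each sshd PID with its inetd exit line. The function name, the placeholder year and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The syslog lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
Sep 20 11:53:54 MX240-02 sshd[84403]: Failed password for tony from 202.99.82.69 port 53343 ssh2
Sep 20 11:53:55 MX240-02 inetd[4805]: /usr/sbin/sshd[84403]: exited, status 255
Sep 20 11:53:58 MX240-02 sshd: unrecognized attribute in Access-Reject: 18
Sep 20 11:53:58 MX240-02 sshd[84405]: Failed password for walter from 202.99.82.69 port 25750 ssh2
Sep 20 11:53:58 MX240-02 inetd[4805]: /usr/sbin/sshd[84405]: exited, status 255
Sep 20 11:54:01 MX240-02 sshd: unrecognized attribute in Access-Reject: 18
Sep 20 11:54:01 MX240-02 sshd[84407]: Failed password for walter from 202.99.82.69 port 36031 ssh2
Sep 20 11:54:02 MX240-02 inetd[4805]: /usr/sbin/sshd[84407]: exited, status 255
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
EXITED = re.compile(r"inetd\[\d+\]: /usr/sbin/sshd\[(?P<pid>\d+)\]: exited")

def summarize(log_text, year=2000, min_attempts=3, min_users=2):
    """Group failed sshd logins by source address and flag likely guessing runs."""
    # year: syslog timestamps carry no year, so a placeholder is passed in.
    # min_attempts / min_users: assumed thresholds, not values from the post.
    lines = log_text.splitlines()
    exited = {m["pid"] for m in map(EXITED.search, lines) if m}
    by_src = defaultdict(lambda: {"n": 0, "users": set(), "times": [], "one_shot": 0})
    for m in filter(None, map(FAILED.match, lines)):
        rec = by_src[m["src"]]
        rec["n"] += 1
        rec["users"].add(m["user"])
        rec["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        # inetd starts one sshd per connection, so a PID that logs a failure and
        # then exits shows the client reconnecting for each guess.
        rec["one_shot"] += m["pid"] in exited
    return {
        src: {
            "attempts": r["n"],
            "users": sorted(r["users"]),
            "span_seconds": int((max(r["times"]) - min(r["times"])).total_seconds()),
            "one_shot_sessions": r["one_shot"],
            "suspected_guessing": r["n"] >= min_attempts and len(r["users"]) >= min_users,
        }
        for src, r in by_src.items()
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```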