SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  sshd : SSHD_LOGIN_FAILED

    Posted 08-19-2015 13:46

    SRX-240, I was looking at the var/log/messages.

    This goes on for many tries, seems like Hong Kong is very busy trying to access our box.

     

    The 

     


    Aug 19 16:39:31 CORPVPN01 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
    Aug 19 16:39:31 CORPVPN01 sshd[2713]: Disconnecting: Too many password failures for root [preauth]
    Aug 19 16:39:31 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '43.229.53.79'
    Aug 19 16:39:31 CORPVPN01 sshd[2721]: Failed password for root from 43.229.53.79 port 35649 ssh2
    Aug 19 16:39:32 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '218.65.30.61'
    Aug 19 16:39:32 CORPVPN01 sshd[2719]: Failed password for root from 218.65.30.61 port 42938 ssh2



  • 2.  RE: sshd : SSHD_LOGIN_FAILED

    Posted 08-20-2015 05:27

    Hi, starlog

    I see this often; you can turn off root login for SSH and use only user logins.



  • 3.  RE: sshd : SSHD_LOGIN_FAILED

    Posted 08-20-2015 05:33

    Hello,

    The below should discourage all but the most determined brute-forcers:

     

    system {
        services {
            ssh {
                root-login deny;
                rate-limit 2;
            }
        }
        login {
            retry-options {
                tries-before-disconnect 2;
                backoff-threshold 3;
                backoff-factor 5;
                maximum-time 20;
            }
        }
    }
    

    If tweaking the above, make sure you don't accidentally lock yourself out for too long, i.e. don't raise "maximum-time" too high.

    HTH

    Thanks

    Alex



  • 4.  RE: sshd : SSHD_LOGIN_FAILED
    Best Answer

    Posted 08-20-2015 06:25

    The usual brute force password...

     

    I'm waiting for them to crack a password of 30 characters.

     

    show log messages.0.gz | match SSHD_LOGIN_FAILED | count
    Count: 2762 lines

     

    Use a simple filter:

     

    set firewall family inet filter local_acl term terminal_access from address 192.168.1.0/24
    set firewall family inet filter local_acl term terminal_access from protocol tcp
    set firewall family inet filter local_acl term terminal_access from port ssh
    set firewall family inet filter local_acl term terminal_access from port telnet
    set firewall family inet filter local_acl term terminal_access then accept
    set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
    set firewall family inet filter local_acl term terminal_access_denied from port ssh
    set firewall family inet filter local_acl term terminal_access_denied from port telnet
    set firewall family inet filter local_acl term terminal_access_denied then log
    set firewall family inet filter local_acl term terminal_access_denied then reject
    set firewall family inet filter local_acl term default-term then accept
    set interfaces lo0 unit 0 family inet filter input local_acl
    set interfaces lo0 unit 0 family inet address 127.0.0.1/32

    Or http://kb.juniper.net/InfoCenter/index?page=content&id=KB21265&actp=RSS&smlogin=true

    It is the best way!
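
Going one step past the `match SSHD_LOGIN_FAILED | count` total in the thread, this added example (not code from any poster or from Juniper) breaks the failures down per source host from a copy of the messages log. The function names, the threshold default and the sample lines are assumptions made for illustration; the sample uses documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# One SSHD_LOGIN_FAILED event is logged per failed attempt. The companion
# "sshd[pid]: Failed password ..." line describes the same attempt, so it is
# deliberately not matched (counting both would double every total).
# The user name is attacker-supplied, so it is matched greedily and the
# pattern is anchored on the trailing "from host '<addr>'".
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<dev>\S+)\ssshd(?:\[\d+\])?:\s"
    r"SSHD_LOGIN_FAILED: Login failed for user '(?P<user>.*)' "
    r"from host '(?P<host>[^']+)'\s*$"
)

def failed_logins(lines):
    """Yield (timestamp, user, host) for each SSHD_LOGIN_FAILED line."""
    for line in lines:
        m = EVENT.match(line)
        if m:
            yield m["ts"], m["user"], m["host"]

def top_sources(lines, threshold=3):
    """Return [(host, count, users, first_ts, last_ts)] for hosts with at
    least `threshold` failures, busiest first."""
    counts, users, seen = Counter(), defaultdict(set), {}
    for ts, user, host in failed_logins(lines):
        counts[host] += 1
        users[host].add(user)
        first, _ = seen.get(host, (ts, ts))
        seen[host] = (first, ts)
    return [(h, n, sorted(users[h]), *seen[h])
            for h, n in counts.most_common() if n >= threshold]

# Constructed sample in the format of the excerpt in post 1.
SAMPLE = """\
Aug 19 16:39:31 CORPVPN01 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'
Aug 19 16:39:31 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '203.0.113.10'
Aug 19 16:39:31 CORPVPN01 sshd[2721]: Failed password for root from 203.0.113.10 port 35649 ssh2
Aug 19 16:39:32 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '198.51.100.7'
Aug 19 16:39:33 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '203.0.113.10'
Aug 19 16:39:35 CORPVPN01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '203.0.113.10'
"""

if __name__ == "__main__":
    for host, n, names, first, last in top_sources(SAMPLE.splitlines()):
        print(f"{host:15} {n:4} failures  users={names}  {first} .. {last}")
```

The per-host list shows which sources account for the bulk of the failures, which helps when checking that an address range allowed by a lo0 filter is not itself among them.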