Screen OS

  • 1.  SSG5: Unauthorized login attempts

    Posted 12-02-2012 16:52

    Hi,

     

    I'm seeing some unauthorized login attempts into my SSG5, as per below. Any way to block them?

     

    Do I need to use a policy from Untrust to Trust and block the IPs? But they're not even accessing my Trust zone, thus I'm a bit confused here. Or should I create an Untrust to Untrust policy, if there's such a thing. 😞

     

    Thank you.

     

    2012-11-30 19:42:45 crit Admin root has been re-enabled by NetScreen system after being locked due to excessive failed login attempts
    2012-11-30 11:44:33 crit Admin root has been re-enabled by NetScreen system after being locked due to excessive failed login attempts
    2012-11-30 11:43:44 alert Login attempt by admin root from 61.92.98.218 is refused as this account is locked


  • 2.  RE: SSG5: Unauthorized login attempts

    Posted 12-02-2012 21:27

    Hi,

     

    You have two ways to solve this:

     

    a) Completely make the untrust interface unmanageable:

    unset interface ethX/X manageable
    unset interface ethX/X manage ssh
    unset interface ethX/X manage telnet
    unset interface ethX/X manage web
    unset interface ethX/X manage ssl
    unset interface ethX/X manage snmp

     

    b) restrict access to the wanted IPs only:

    set admin manager-ip ip.ip.ip.ip mask.mask.mask.mask

    If you go with option b, remember to add the LAN IPs as well!



  • 3.  RE: SSG5: Unauthorized login attempts

    Posted 12-02-2012 22:19

    Hi Tero,

     

    I need to have remote access to the SSG5 via the Untrust interface, but I won't be able to confirm a WAN IP list. Is it possible to only block access, instead of adding a permit for the wanted IPs?

     

     

    Regards,

    Danny



  • 4.  RE: SSG5: Unauthorized login attempts

    Posted 12-03-2012 20:16

    Apart from that, I'm seeing some VPN error message as per below too. Possible to block the IP from establishing a connection with my SSG5?

     

    2012-12-04 12:13:44 info Rejected an IKE packet on ethernet3 from 116.197.180.20:22053 to 192.168.100.1:500 with cookies 736188e0c3f7ec2a and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
    2012-12-04 12:13:44 info Rejected an IKE packet on ethernet3 from 116.197.180.20:31759 to 192.168.100.1:500 with cookies 523c118fc7c5f523 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
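The log lines quoted in posts 1 and 4 are the raw material for any blocking decision, so here is an added example (not from the original thread and not Juniper code) that parses those three ScreenOS message types with regular expressions and summarises refused admin logins, lockout resets and rejected IKE initiators per source address. The sample lines are constructed from the messages quoted above plus one filler line; the pattern names and the summary layout are the example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ScreenOS log lines quoted in posts 1 and 4.
# The last two lines are made up: one more refused login and one filler line
# that matches none of the patterns, so the summary has something to count.
SAMPLE_LOG = """\
2012-11-30 11:43:44 alert Login attempt by admin root from 61.92.98.218 is refused as this account is locked
2012-11-30 11:44:33 crit Admin root has been re-enabled by NetScreen system after being locked due to excessive failed login attempts
2012-11-30 19:42:45 crit Admin root has been re-enabled by NetScreen system after being locked due to excessive failed login attempts
2012-12-04 12:13:44 info Rejected an IKE packet on ethernet3 from 116.197.180.20:22053 to 192.168.100.1:500 with cookies 736188e0c3f7ec2a and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
2012-12-04 12:13:44 info Rejected an IKE packet on ethernet3 from 116.197.180.20:31759 to 192.168.100.1:500 with cookies 523c118fc7c5f523 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
2012-12-04 12:20:01 alert Login attempt by admin root from 61.92.98.218 is refused as this account is locked
2012-12-04 12:21:00 info (constructed filler line that matches none of the patterns)
"""

# Common prefix: "YYYY-MM-DD HH:MM:SS <severity> "
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern per message type seen in the thread; anything else stays unparsed.
PATTERNS = {
    "login_refused": re.compile(
        TS + r"Login attempt by admin (?P<user>\S+) from (?P<src>" + IP + r") "
        r"is refused as this account is locked$"),
    "account_reenabled": re.compile(
        TS + r"Admin (?P<user>\S+) has been re-enabled by NetScreen system "
        r"after being locked due to excessive failed login attempts$"),
    "ike_rejected": re.compile(
        TS + r"Rejected an IKE packet on (?P<ifname>\S+) from (?P<src>" + IP + r"):(?P<sport>\d+) "
        r"to (?P<dst>" + IP + r"):(?P<dport>\d+) with cookies (?P<icookie>[0-9a-f]+) "
        r"and (?P<rcookie>[0-9a-f]+) because (?P<reason>.+?)\.?$"),
}


def parse_line(line):
    """Classify one log line; returns a dict with a 'kind' key, or None if unknown."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def summarize(log_text):
    """Aggregate the events an admin would act on when deciding what to block."""
    summary = {
        "login_refused_by_src": Counter(),   # who is hammering the admin login
        "lockout_resets": 0,                 # how often the lock expired and reopened the door
        "ike_rejected_by_src": Counter(),    # unknown IKE initiators (noise, but worth a count)
        "unparsed": 0,                       # lines none of the patterns recognise
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
        elif ev["kind"] == "login_refused":
            summary["login_refused_by_src"][ev["src"]] += 1
        elif ev["kind"] == "account_reenabled":
            summary["lockout_resets"] += 1
        else:
            summary["ike_rejected_by_src"][ev["src"]] += 1
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n in s["login_refused_by_src"].most_common():
        print(f"admin login refused {n}x from {src}")
    print(f"account lock reset {s['lockout_resets']}x (each reset lets the attacker retry)")
    for src, n in s["ike_rejected_by_src"].most_common():
        print(f"IKE Phase 1 rejected {n}x from unknown peer {src}")
    print(f"{s['unparsed']} line(s) not recognised")
```

The per-source counters are what you would feed into a manager-ip decision or into an upstream block; the lockout-reset count is worth watching separately, because every "re-enabled" message means the lock expired and the same source can start guessing again.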


  • 5.  RE: SSG5: Unauthorized login attempts
    Best Answer

     
    Posted 12-03-2012 21:28

    For management purposes you can change the default ports for telnet/ssh.

    That way only you would know on which port the firewall will respond to management:

    set admin telnet port <port num>
    set admin ssh port <port>
    set ssl port <port>        (https access)
    set admin port <port>      (http access)

     

    And for the VPN messages we can't do much; however, there's nothing to worry about, as the firewall will drop the unwanted VPN requests.

     

    Regards

    Sarab


     

     



  • 6.  RE: SSG5: Unauthorized login attempts

    Posted 12-03-2012 23:22

    Hi Sarab,

     

    I guess there's no other choice than setting the access ports. As for the VPN, glad to get confirmation on that. The only thing is I'll be annoyed by the logs. 🙂

     

    Thanks for sharing.



  • 7.  RE: SSG5: Unauthorized login attempts

    Posted 12-03-2012 21:42

    As for your first question, I don't think that's possible. I would use manager-ip with a wide enough netmask. For example, allow your ISP's whole network so it doesn't matter if you have a dynamic IP, or always use some termination point to connect to your device if possible. There are always options like changing the username or the port where SSH listens, or even null-routing IPs, but those are kind of hacks instead of fixing the problem, if you ask me.

     

    As for the VPN, let's start with the question: is that a legit VPN peer? Should it be able to establish an IPsec tunnel with your device? If so, can you share your configuration with us?
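Posts 2 and 7 recommend a manager-ip allow-list wide enough to cover a dynamic WAN address, with the warning that the LAN addresses must be included too. The following is an added example (not from the thread and not Juniper's) that dry-runs a proposed set of `set admin manager-ip <ip> <mask>` lines with Python's ipaddress module, reporting which of the addresses you manage from would be locked out and which of the attacking addresses would still get in. The networks and hosts in it are constructed; treating an empty list as a failed check follows post 1, where the firewall with no restriction configured was accepting login attempts from the internet.

```python
import ipaddress

# Constructed allow-list in the command shape quoted in post 2
# ("set admin manager-ip <ip> <mask>"); the addresses are made up. It deliberately
# covers two wide WAN ranges but forgets the LAN, the mistake post 2 warns about.
PROPOSED_CONFIG = """\
set admin manager-ip 203.0.113.0 255.255.255.0
set admin manager-ip 198.51.100.0 255.255.254.0
"""


def parse_manager_ips(config_text):
    """Collect 'set admin manager-ip <ip> <mask>' lines into IPv4 networks."""
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:3] == ["set", "admin", "manager-ip"]:
            # ScreenOS takes a dotted netmask; ipaddress accepts (address, mask) tuples.
            nets.append(ipaddress.IPv4Network((parts[3], parts[4]), strict=False))
    return nets


def is_allowed(nets, src):
    """True if src falls inside any manager-ip entry."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in nets)


def check_allow_list(config_text, must_allow, must_block):
    """Dry-run the allow-list before committing it.

    must_allow: addresses the admin will manage from (WAN and LAN); any not
                covered would be locked out once the list takes effect.
    must_block: addresses from the refused-login log that must not be covered.
    """
    nets = parse_manager_ips(config_text)
    locked_out = [a for a in must_allow if not is_allowed(nets, a)]
    still_allowed = [a for a in must_block if is_allowed(nets, a)]
    return {
        "networks": [str(n) for n in nets],
        "locked_out": locked_out,
        "still_allowed": still_allowed,
        # An empty list is not "safe": with no entries the firewall in post 1
        # answered to anyone, so it counts as a failed check too.
        "ok": bool(nets) and not locked_out and not still_allowed,
    }


if __name__ == "__main__":
    admin_hosts = ["203.0.113.45", "192.168.100.10"]   # constructed WAN and LAN hosts
    attackers = ["61.92.98.218"]                        # from the refused-login log
    print(check_allow_list(PROPOSED_CONFIG, admin_hosts, attackers))
    # Add the forgotten LAN range and re-check.
    fixed = PROPOSED_CONFIG + "set admin manager-ip 192.168.100.0 255.255.255.0\n"
    print(check_allow_list(fixed, admin_hosts, attackers))
```

Run it before pasting the commands into the SSG: the first result shows the LAN host locked out, the second, with the LAN range added, passes. The same check is the place to notice that a netmask wide enough to admit an ISP's whole range may also admit an attacker sitting in that range, which is the trade-off post 7 describes.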



  • 8.  RE: SSG5: Unauthorized login attempts

    Posted 12-03-2012 23:24

    Hi Tero,

     

    Thanks for your suggestion. As for the VPN, it's definitely not a legit VPN peer. As Sarab confirmed, there's no way to block them, but it should be no issue as the traffic will be dropped. The only problem is the logs will be full of those errors.

     

     



  • 9.  RE: SSG5: Unauthorized login attempts

     
    Posted 12-04-2012 00:15

    Hi,

     

    For the logs, you can refer to the following KB to exclude them from appearing:

     

    http://kb.juniper.net/KB25914



  • 10.  RE: SSG5: Unauthorized login attempts

    Posted 12-04-2012 01:04

    Hi Sarab,

     

    Thanks for the recommendations.