Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  unauthorized SNMP community

    Posted 09-24-2020 02:35

    Hi guys,

     

    I have a short question.

    Can I block an unauthorized SNMP community like this:

     

    SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.54.10.250 to 255.255.255.255 (public)

     

    This entry is always in my log, so I must scroll to see the important entries.

     

    THX



  • 2.  RE: unauthorized SNMP community

    Posted 09-24-2020 02:37

    Hi,

     

    Do you want to filter that log, or do you want to do a firewall filter against attempts to your device?

     

     

    Thanks



  • 3.  RE: unauthorized SNMP community

    Posted 09-24-2020 02:39

    You can write match rules to prevent certain logs like this from writing to file or sending to syslog. This KB outlines the process.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

     



  • 4.  RE: unauthorized SNMP community

    Posted 09-24-2020 03:47

    Hi,

    I do not really know what the better way is for me.

    I think it is better to make a FW filter to block this unauthorized community, what do you think about it?

    When I make a filter, then my log is clean for the important messages.



  • 5.  RE: unauthorized SNMP community
    Best Answer

     
    Posted 09-24-2020 04:02

    Hi Thomas,

     

    I'd suggest you create a firewall filter and bind it to the lo0 interface. This is also called a control plane protection filter. You can find some help inside this Juniper Day One book:

     

    https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

     

    The whole book is important, but if you just want to protect the Routing Engine, then you can start directly at page 111.

    However, I'd really suggest you read the whole book and make appropriate changes.



  • 6.  RE: unauthorized SNMP community

    Posted 09-24-2020 04:29

    Hi,

     

    Thanks for the book, I will read it.

    Can you make me an example for my IP address so I can better understand what the book means...



  • 7.  RE: unauthorized SNMP community

     
    Posted 09-24-2020 04:38

    This example is just for securing SNMP. Please note that this single filter is not enough, as it would discard ALL other traffic (SSH, RADIUS, routing protocols, ...) and make your device dead, so you need to adapt your RE protection with the help of the mentioned book.

     

    set snmp community "<your SNMP community>" authorization read-only

    set snmp community "<your SNMP community>" clients <the IP address which is allowed to query your Router>

     

    set policy-options prefix-list snmp-servers apply-path "snmp community <*> clients <*>"

     

    set firewall family inet filter protect-re term allow-snmp from source-prefix-list snmp-servers

    set firewall family inet filter protect-re term allow-snmp from protocol udp

    set firewall family inet filter protect-re term allow-snmp from destination-port snmp

    set firewall family inet filter protect-re term allow-snmp then accept

     

    set firewall family inet filter protect-re term default-deny then discard
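
Before choosing between suppressing the log entry and filtering the traffic, it helps to see which sources produce the SNMPD_AUTH_FAILURE entries and whether they are on the SNMP client list. The Python sketch below is an added example, not part of any post in this thread and not Juniper code; the syslog prefix (timestamp, host name, PID), the extra log lines, the allowed-client value and the function names are assumptions, and only the message text comes from the first post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the message text of the first two lines is the one quoted
# in the thread; timestamps, host name, PIDs and the other lines are made up.
SAMPLE_LOG = """\
Sep 24 02:31:10 mx960 snmpd[1842]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.54.10.250 to 255.255.255.255 (public)
Sep 24 02:31:40 mx960 snmpd[1842]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.54.10.250 to 255.255.255.255 (public)
Sep 24 02:32:05 mx960 snmpd[1842]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 192.0.2.17 to 192.0.2.1 (private)
Sep 24 02:32:09 mx960 sshd[2210]: Accepted publickey for admin from 192.0.2.50 port 51514 ssh2
"""

AUTH_FAILURE = re.compile(
    r"SNMPD_AUTH_FAILURE: \S+ unauthorized SNMP community "
    r"from (?P<src>[0-9A-Fa-f:.]+) to (?P<dst>[0-9A-Fa-f:.]+) \((?P<community>.*)\)\s*$"
)

def parse_failures(text):
    """Return (source, destination, community) for each auth-failure line."""
    hits = []
    for line in text.splitlines():
        m = AUTH_FAILURE.search(line)
        if m:
            hits.append((m["src"], m["dst"], m["community"]))
    return hits

def summarize(text, allowed_clients=()):
    """Count failures per (source, community), most frequent first."""
    allowed = [ipaddress.ip_network(n) for n in allowed_clients]
    counts, broadcast = Counter(), set()
    for src, dst, community in parse_failures(text):
        counts[(src, community)] += 1
        if dst == "255.255.255.255":      # request was sent to the broadcast address
            broadcast.add(src)
    rows = []
    for (src, community), n in counts.most_common():
        addr = ipaddress.ip_address(src)
        rows.append({
            "source": src, "community": community, "count": n,
            "broadcast": src in broadcast,
            # True: source is on the SNMP client list but uses a wrong community
            "allowed_client": any(addr in net for net in allowed),
        })
    return rows

if __name__ == "__main__":
    # Hypothetical client list; on the router this is the "clients" statement.
    for row in summarize(SAMPLE_LOG, allowed_clients=["192.0.2.17/32"]):
        print(row)
```

A source reported with `allowed_client` false is one that a filter like the one in post 7 drops before snmpd sees it; a source with `allowed_client` true keeps logging failures until its community string is corrected.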



  • 8.  RE: unauthorized SNMP community

    Posted 09-30-2020 01:08

    Good morning guys,

     

    I have read the book and it is very good for my company.

    In chapter 2 I want to set my system port console log-out-on-disconnect.

     

    On my MX960 I can do it.

    On my other MX80 and MX104 I can only disable the ports and not by disconnect, why?

    The version is 17.R4

     

     



  • 9.  RE: unauthorized SNMP community

     
    Posted 09-30-2020 14:18

    Hello Thomas,

     

    Some platforms do not support this "log-out-on-disconnect" command, as the internal chip which handles this behavior is on some platforms too old or not designed for this.

    At least for MX80 this is true:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/console-edit-system-ports.html

     

    "The log-out-on-disconnect option is not operational on MX80 routers. On MX80 routers you must manually log out from the console with the request system logout u0 command."