There is no mechanism in JunOS to change the port number of the SSH protocol; hence, in a situation like this, one may receive a large number of brute-force attacks on port 22. Even then, we have mechanisms to stop such attempts, by the methods below.
Create a filter to be applied to the loopback interface to stop SSH logins from the public-facing Internet router. The first thing is to list the trusted IP addresses that will be allowed to access the device, and then create a prefix-list under policy-options.
[edit policy-options]
root@SRX240# edit prefix-list Trusted_IP_Address
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 111.11.1.1/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 22.2.2.2/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 33.3.3.3/32
Next is to create a firewall filter. We will create a firewall filter named sshFilter. The first term name will be Trusted_SSH_Login, which will hold the trusted IP addresses.
[edit firewall family inet filter sshFilter]
root@SRX240# edit term Trusted_SSH_Login
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from source-prefix-list Trusted_IP_Address except
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from protocol tcp
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from destination-port ssh
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set then discard
Now, don't forget to add one last term to allow everything else, unless you want to lock yourself out.
[edit firewall family inet filter sshFilter term Allow_Everything_Else]
root@SRX240# set then accept
You can view the firewall filter by typing the "show" command under the [edit firewall family inet filter sshFilter] hierarchy:
[edit firewall family inet filter sshFilter]
root@SRX210# show
term Trusted_SSH_Login {
    from {
        source-prefix-list {
            Trusted_IP_Address except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then discard;
}
term Allow_Everything_Else {
    then accept;
}
Now apply the firewall filter to the loopback (lo0) interface in the inbound direction.
[edit]
root@SRX210# set interfaces lo0 unit 0 family inet filter input sshFilter
Firewall filters will block the attack at the very edge. In JunOS the packet is first analyzed by filters and then sent to the other paths in the packet-flow process.
---------------------------------------------------------------------------------------------------------------------------------
There is another way to control login attempts on Juniper devices, which is by limiting the number of failed attempts and some threshold parameters. This configuration is applied to all users attempting to log in. The configuration is done in the [edit system login retry-options] hierarchy.
[edit system login retry-options]
user@host# set tries-before-disconnect 10 {This is the no. of times that a user is allowed to try the password}
user@host# set backoff-threshold 2 {This is the no. of password failures before the delay is in effect}
user@host# set backoff-factor 5 {After backoff-threshold is in effect, the user is blocked for 5 seconds}
user@host# set minimum-time 20 {As the user gets the prompt to enter user/pass, he/she has 20 seconds to enter it}
--------------------------------------------------------------------------------------------------------------------------------
Accept as Solution = cool ! (Will help other community members with similar queries to be redirected here)
Accept as Solution+Kudo = You are a Star !
--------------------------------------------------------------------------------------------------------------------------------
//Nex
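Added example (written for this page; it is not Junos code and not part of the post above): a small Python model of how the sshFilter terms from the post are evaluated against packets arriving on lo0. It reproduces the semantics the post relies on: terms are tried in order, the `except` keyword inverts a prefix-list match, the first matching term's action wins, and a packet that matches no term falls into the implicit discard at the end of every Junos filter. The `has_final_accept` check is an assumed helper, not a Junos feature, and the sample packets (including the 198.51.100.0/24 and 203.0.113.0/24 sources) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Trusted management hosts from the post's prefix-list Trusted_IP_Address.
TRUSTED_IP_ADDRESS = ["111.11.1.1/32", "22.2.2.2/32", "33.3.3.3/32"]


@dataclass
class Term:
    """One term of a Junos 'family inet' firewall filter (simplified model)."""
    name: str
    then: str                                   # "accept" or "discard"
    source_prefix_list: Optional[List[str]] = None
    prefix_except: bool = False                 # the 'except' keyword
    protocol: Optional[str] = None              # e.g. "tcp"
    destination_port: Optional[int] = None      # 22 stands for 'ssh'

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if self.source_prefix_list is not None:
            in_list = any(ip_address(src) in ip_network(p)
                          for p in self.source_prefix_list)
            # Without 'except' the term matches listed sources; with
            # 'except' it matches every source that is NOT listed.
            if in_list == self.prefix_except:
                return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.destination_port is not None and dport != self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], src: str, proto: str, dport: int) -> str:
    """Action for one packet: first matching term wins; a packet that matches
    no term hits the implicit discard at the end of the filter."""
    for term in terms:
        if term.matches(src, proto, dport):
            return term.then
    return "discard"


def has_final_accept(terms: List[Term]) -> bool:
    """Lockout check (assumed helper): the last term must accept with no match
    conditions, otherwise every other flow to the routing engine (BGP, OSPF,
    NTP, SNMP, and even trusted SSH) is silently dropped."""
    if not terms:
        return False
    last = terms[-1]
    unconditional = (last.source_prefix_list is None and last.protocol is None
                     and last.destination_port is None)
    return unconditional and last.then == "accept"


# The filter exactly as built in the post: drop SSH from anyone not trusted,
# then accept everything else.
SSH_FILTER = [
    Term("Trusted_SSH_Login", "discard", TRUSTED_IP_ADDRESS, True, "tcp", 22),
    Term("Allow_Everything_Else", "accept"),
]

# Constructed sample packets: (source, protocol, destination port, note).
SAMPLE_PACKETS = [
    ("111.11.1.1", "tcp", 22, "trusted admin host, SSH"),
    ("198.51.100.7", "tcp", 22, "unknown Internet host, SSH (brute force)"),
    ("198.51.100.7", "tcp", 179, "unknown host, BGP session"),
    ("203.0.113.9", "udp", 22, "unknown host, UDP/22 (not SSH)"),
]

if __name__ == "__main__":
    print("final unconditional accept present:", has_final_accept(SSH_FILTER))
    for src, proto, dport, note in SAMPLE_PACKETS:
        action = evaluate(SSH_FILTER, src, proto, dport)
        print(f"{src:>14} {proto}/{dport:<4} -> {action:8} ({note})")
    # Same filter with Allow_Everything_Else forgotten: even the trusted
    # admin's SSH session falls through to the implicit discard.
    broken = SSH_FILTER[:1]
    print("without the final accept, trusted SSH ->",
          evaluate(broken, "111.11.1.1", "tcp", 22))
```

Running the module prints the verdict for each sample packet; the last line shows why the post insists on the Allow_Everything_Else term: without it the filter on lo0 does not just block attackers, it drops the trusted administrator's own SSH session and every routing-protocol packet as well.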