SRX Services Gateway

Juniper ports scan

02-20-2020 02:47 AM

We have a number of SRX routers that flagged up issues when a port scan was done via nmap. A number of TCP and UDP ports were showing as open, so I would like to know which ports come open out of the box on these SRXs. Is there any command to check which ports are open (not which services are using ports) out of the box when these SRXs are initially configured, rather than using `show system connections | no-more`, which lists the services opening ports?

Secondly, we tried the template below to lock them down; however, ports like ntp and snmp are still showing as allowed. I know we only allowed ssh for specific IPs, but what would be the best approach to lock these units down to a specific ssh port only? Also, we use BGP on these units too, so will TCP 179 need unblocking as well?

set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22

set interfaces lo0 unit 0 family inet filter input local_inbound

set policy-options prefix-list admin_ssh_clients out office IP/32
set policy-options prefix-list admin_ssh_clients CPE WAN IP range /31

set firewall family inet filter local_inbound term block_other_telnet from protocol tcp
set firewall family inet filter local_inbound term block_other_telnet from destination-port 23
set firewall family inet filter local_inbound term block_other_telnet then discard
set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
set firewall family inet filter local_inbound term block_other_ssh from protocol tcp
set firewall family inet filter local_inbound term block_other_ssh from destination-port 22
set firewall family inet filter local_inbound term block_other_ssh then discard
set firewall family inet filter local_inbound term accept then accept

The nmap port scan flagged up the following with a TCP scan, but we know a number of UDP ports are also OPEN.

Not shown: 64737 filtered ports, 794 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:

179/tcp open bgp (connection rejected)
2000/tcp open cisco-sccp?
5060/tcp open tcpwrapped

5 REPLIES

Re: Juniper ports scan

02-20-2020 03:07 AM

Check out the free Juniper book Hardening Junos Devices.

https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

This walks through how to set up the restrictions you are looking for.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Juniper ports scan

02-20-2020 03:26 AM

Thanks for your reply.

Are you saying we will have to individually close these ports by writing a number of commands for each service? Will this not be a lengthy and time-consuming process?


Re: Juniper ports scan

02-20-2020 06:33 AM

Simon,

I don't think there is a command for confirming the open ports, but you have already performed this with the port scan test anyway.

Note that firewall filters have an implicit deny action at the end of the term chain, so you only need to specify the ports and the addresses you want to allow; the rest will be blocked by default:

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-evaluatio...

Hope this helps you.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
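Worked example, added here and not taken from the reply, the Hardening Junos Devices book or the original poster: a loopback filter in the shape this reply describes, with only explicit accept terms followed by a final log-and-discard term standing in for the implicit deny. The original template's closing `term accept then accept` matches everything the earlier terms did not, which is why ntp and snmp still answered; this version has no such term and also covers the BGP (TCP 179) question. All addresses (192.0.2.10/32, 198.51.100.0/31, 203.0.113.1/32, 203.0.113.5/32), the prefix-list names bgp_peers and ntp_servers, and the counter and policer names are placeholders I chose; lines starting with `#` are explanatory and not part of the configuration.

```junos
# Prefix lists: replace the placeholder addresses with the real ones.
set policy-options prefix-list admin_ssh_clients 192.0.2.10/32
set policy-options prefix-list admin_ssh_clients 198.51.100.0/31
set policy-options prefix-list bgp_peers 203.0.113.1/32
set policy-options prefix-list ntp_servers 203.0.113.5/32

# SSH only from the admin prefix list; counted so a rescan can be checked.
set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
set firewall family inet filter local_inbound term allow_admin_ssh then count admin_ssh_ok
set firewall family inet filter local_inbound term allow_admin_ssh then accept

# BGP: "port" (not "destination-port") so a session the SRX itself opens,
# whose replies carry source-port 179, is covered as well as inbound opens.
set firewall family inet filter local_inbound term allow_bgp from source-prefix-list bgp_peers
set firewall family inet filter local_inbound term allow_bgp from protocol tcp
set firewall family inet filter local_inbound term allow_bgp from port 179
set firewall family inet filter local_inbound term allow_bgp then accept

# Replies to TCP sessions the router originated (e.g. RADIUS, syslog over TCP).
set firewall family inet filter local_inbound term allow_established from protocol tcp
set firewall family inet filter local_inbound term allow_established from tcp-established
set firewall family inet filter local_inbound term allow_established then accept

# NTP replies only from the configured servers; no inbound NTP service is exposed.
set firewall family inet filter local_inbound term allow_ntp_reply from source-prefix-list ntp_servers
set firewall family inet filter local_inbound term allow_ntp_reply from protocol udp
set firewall family inet filter local_inbound term allow_ntp_reply from source-port 123
set firewall family inet filter local_inbound term allow_ntp_reply then accept

# ICMP for reachability checks, rate-limited by a policer.
set firewall policer icmp_limit if-exceeding bandwidth-limit 1m
set firewall policer icmp_limit if-exceeding burst-size-limit 15k
set firewall policer icmp_limit then discard
set firewall family inet filter local_inbound term allow_icmp from protocol icmp
set firewall family inet filter local_inbound term allow_icmp then policer icmp_limit
set firewall family inet filter local_inbound term allow_icmp then accept

# Final term: everything else is counted, logged and discarded. Junos would
# discard it anyway (implicit deny); the explicit term gives a counter and a log.
set firewall family inet filter local_inbound term deny_rest then count denied_inbound
set firewall family inet filter local_inbound term deny_rest then log
set firewall family inet filter local_inbound term deny_rest then discard

set interfaces lo0 unit 0 family inet filter input local_inbound
```

Apply it with `commit confirmed` from a session that matches admin_ssh_clients, so a mistake in the prefix list rolls back rather than locking you out. `show firewall filter local_inbound` then shows the per-term counters: a rescan that still reports a port open can be compared against denied_inbound. On an SRX in flow mode the zone's host-inbound-traffic settings are evaluated too, so a service must be permitted both there and in this filter to reach the routing engine.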

Re: Juniper ports scan

02-21-2020 02:02 AM

Hello

The box has no port listening by default if you do not activate the feature (ssh, https, BGP, ospf...) and flag it on the zone or interface.

Examples:

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services snmp-trap

If you scan devices behind the firewall, then this is the normal behavior with the TCP SYN flood screen protection feature activated.

The port is NOT really opened. The traffic does not cross the firewall.

If too many TCP SYNs are received on the SRX for the same destination, the SRX begins to act as a proxy by answering with a SYN-ACK.

See figure: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-network-dos-attack.html#...

Then it waits to receive the final ACK from the source. If it is not received, then it might be a SYN flood attack.

Please verify your settings: show security screen ids-option <screen-name>

You can also see if a match occurred: show security screen statistics zone <zone>

Regards
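Added example (mine, not the reply author's configuration) putting this reply's two points together: per-interface host-inbound-traffic that exposes only the services actually needed, and a SYN-flood screen with explicit thresholds so the proxy behaviour the scan is seeing is a known, verifiable setting. The zone name untrust and interface ae1.1 follow the reply's examples; the screen name untrust-screen and every threshold value are illustrative placeholders, not recommendations for any particular link. Lines starting with `#` are explanatory and not part of the configuration.

```junos
# Zone level: ping on the whole zone, management and BGP only on ae1.1.
# Anything not listed here is not delivered to the routing engine at all.
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ae1.1 host-inbound-traffic protocols bgp

# SYN-flood screen.
#   attack-threshold: SYNs per second to one destination address and port above
#                     which the SRX starts proxying the handshake (answers SYN-ACK
#                     itself and only creates the session after the client's ACK).
#   alarm-threshold:  proxied half-open attempts per second that raise an alarm.
#   source/destination-threshold: per-source / per-destination SYN rate limits.
#   timeout: seconds a half-open proxied attempt is kept before it is dropped.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 512
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20

# Port-scan detection: threshold is the interval in microseconds between probes
# to different ports from one source below which the source is flagged.
set security screen ids-option untrust-screen tcp port-scan threshold 5000

# Bind the screen to the zone the scan arrived on.
set security zones security-zone untrust screen untrust-screen
```

`show security screen ids-option untrust-screen` confirms the values that are active, and `show security screen statistics zone untrust` shows whether the syn-flood or port-scan counters moved while the scan ran. A scanner that sends a SYN and never completes the handshake receives the proxied SYN-ACK and reports the port open even where nothing listens behind the SRX; `show security flow session destination-port 22` lists the sessions that were actually established and from which sources, which is the evidence that matters.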


Re: Juniper ports scan

03-31-2020 01:44 PM

Hi Simon

Were you able to resolve the situation?

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!