SRX

Troubleshooting SRX210h High CPU Usage 100%

  • 1.  Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-05-2015 22:44

    Hello,

     

    I'm hoping I can get some additional assistance troubleshooting this ongoing issue I have been having on our Juniper SRX210h.  I am not a certified technician on these devices by any means, but I can find my way around the web interface and am a network technician.  I do not have physical access to the device. I remote into the datacenter server and access the device via the GUI.

     

    The issue is that the CPU usage hangs at 100%; it appears to be completely random and lasts for various amounts of time. When the CPU hangs at 100%, we have issues remote desktopping to our servers located at the datacenter. There is only 1 site-to-site VPN connection that this Juniper handles and there are at most 5 users on the network at all times. This device should not be maxed out by any means.  A simple reboot of the device temporarily resolves the issue for a random period of time, anywhere from a few hours to a few days.

     

    Please see attachment.

     

    Any ideas on where to determine the root cause of the high CPU usage?

     

    Thank you !

     

    JuniperCPUUsage.jpg



  • 2.  RE: Troubleshooting SRX210h High CPU Usage 100%

     
    Posted 06-05-2015 23:00

    Can you share the outputs of the commands below from the CLI?

     

    root@SRX> show chassis routing-engine

     

    root@SRX> show system processes extensive 

     

    root@SRX> show system storage 



  • 3.  RE: Troubleshooting SRX210h High CPU Usage 100%

     
    Posted 06-05-2015 23:39

    If I remember correctly, version 11.1R1.10 had a bug that caused high CPU when the box was getting a lot of traffic (DDoS) or even normal traffic.



  • 4.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-06-2015 00:37

    Yes, I noticed the firmware was way out of date. I have a scheduled upgrade on that towards the end of the month.  Do you know if a firmware update across that many versions will retain the configuration settings?



  • 5.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-08-2015 17:02

    I have been trying to load the CLI from the web interface without any success.  I do not have console access to the device to perform these commands.  Is there another method I could go about to input these commands so I can relay the results to you?

     

    Thank you!


    @rsuraj wrote:

    Can you share below outputs from CLI.

     

    root@SRX> show chassis routing-engine

     

    root@SRX> show system processes extensive 

     

    root@SRX> show system storage 


     



  • 6.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-08-2015 20:43

    I figured out a way in 🙂, see below...

     

     

    root@srx> show chassis routing-engine
    Routing Engine status:
        Temperature                 54 degrees C / 129 degrees F
        Total memory              1024 MB Max   543 MB used ( 53 percent)
          Control plane memory     560 MB Max   336 MB used ( 60 percent)
          Data plane memory        464 MB Max   204 MB used ( 44 percent)
        CPU utilization:
          User                      20 percent
          Background                 0 percent
          Kernel                    76 percent
          Interrupt                  4 percent
          Idle                       0 percent
        Model                          RE-SRX210H
        Serial ID                      
        Start time                     2015-06-05 21:55:09 CDT
        Uptime                         3 days, 39 minutes, 28 seconds
        Last reboot reason             0x200:chassis control reset
        Load averages:                 1 minute   5 minute  15 minute
                                           2.01       2.02       2.00

    __________________________________________________________________________

     

    root@srx> show system processes extensive
    last pid: 20520;  load averages:  2.33,  2.10,  2.03  up 3+00:41:40    22:36:18
    130 processes: 20 running, 96 sleeping, 3 zombie, 11 waiting

    Mem: 140M Active, 76M Inact, 530M Wired, 138M Cache, 112M Buf, 85M Free
    Swap:

      PID USERNAME    THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
     1100 root          5  76    0   499M 52556K RUN    0  85.2H 95.46% flowd_octeon_hm
     1086 root          1 139    0  3136K  2144K RUN    0  52.5H 75.15% ntpd
       23 root          1 -40 -159     0K    16K WAIT   0 129:50  0.00% swi2: net
       24 root          1 -20 -139     0K    16K RUN    0  74:42  0.00% swi7: clock
       22 root          1 171   52     0K    16K RUN    0  40:33  0.00% idle: cpu0
        5 root          1 -84    0     0K    16K rtfifo 0  20:41  0.00% rtfifo_kern_recv
     1126 root          1  76    0  8636K  3028K select 0  14:59  0.00% license-check
     1091 root          1  76    0 17072K  6660K select 0  13:43  0.00% l2ald
      866 root          1  76    0  7872K  2764K select 0  12:29  0.00% eventd
     1096 root          1  76    0  9476K  4092K select 0   7:36  0.00% ppmd
     1107 root          3  20    0 43500K 12336K sigwai 0   7:00  0.00% authd
     1093 root          2  76    0 21956K  7168K select 0   6:54  0.00% pfed
     1088 root          1  76    0 18860K 11568K select 0   5:48  0.00% snmpd
     1128 root          1   4    0 17932K 10568K kqread 0   5:13  0.00% eswd
     1080 root          1  76    0  3148K  1364K RUN    0   5:07  0.00% bslockd
     1122 root          1  76    0 14492K  6428K select 0   3:54  0.00% utmd
     1084 root          1  76    0  8688K  3212K select 0   3:51  0.00% alarmd
       21 root          1 171   52     0K    16K RUN    1   3:27  0.00% idle: cpu1
       45 root          1 -16    0     0K    16K psleep 0   3:12  0.00% vmkmemdaemon
     1130 nobody        4 109    0 10528K  4684K ucond  0   2:50  0.00% httpd
     1083 root          1  76    0 33280K 13996K select 0   2:34  0.00% chassisd
     1095 root          1  76    0 18304K  7292K select 0   2:16  0.00% kmd
     1121 root          1  76    0 11524K  4572K select 0   2:14  0.00% rtlogd
     1090 root          1   4    0 42760K 19016K kqread 0   2:12  0.00% rpd
     1124 root          3  76    0 12772K  4404K select 0   1:41  0.00% wland
     1098 root          1  76    0  7236K  2668K select 0   1:32  0.00% irsd
        4 root          1  -8    0     0K    16K -      0   1:29  0.00% g_down
       26 root          1 -16    0     0K    16K -      0   1:24  0.00% yarrow
        3 root          1  -8    0     0K    16K -      0   1:19  0.00% g_up
        2 root          1  -8    0     0K    16K -      0   1:17  0.00% g_event
     1082 root          1  76    0 28448K  6708K select 0   1:10  0.00% dcd
     1079 root          1  76    0  2124K   776K select 0   0:42  0.00% watchdog
       41 root          1  20    0     0K    16K syncer 0   0:40  0.00% syncer
       40 root          1  20    0     0K    16K vnlrum 0   0:39  0.00% vnlru_mem
     1120 root          1  76    0 11148K  3952K select 0   0:36  0.00% fwauthd
     1118 root          1  76    0 30116K  6684K select 0   0:36  0.00% idpd
     1089 root          1  76    0 18172K  8632K select 0   0:35  0.00% mib2d
     1125 root          1   4    0  8424K  3668K kqread 0   0:35  0.00% mcsnoopd
     1115 root          1  76    0 12340K  4144K select 0   0:33  0.00% pkid
       52 root          1  -8    0     0K    16K mdwait 0   0:30  0.00% md0
     1099 root          1  76    0 11016K  4328K select 0   0:27  0.00% bfdd
     1111 root          1  76    0 16828K  4692K select 0   0:26  0.00% smid
     1114 root          1  76    0 14124K  7688K select 0   0:22  0.00% nsd
     1105 root          1  76    0 13096K  4476K select 0   0:21  0.00% lacpd
     1085 root          1  76    0 11116K  3264K select 0   0:20  0.00% craftd
     1094 root          1  76    0 18872K  6248K select 0   0:19  0.00% cosd
     1113 root          1  76    0 11252K  4368K select 0   0:19  0.00% jsrpd
        9 root          1 171   52     0K    16K RUN    0   0:15  0.00% pagezero
       32 root          1   8    0     0K    16K dwcint 0   0:13  0.00% dwc0
     1116 root          1  76    0 10588K  4152K select 0   0:11  0.00% httpd-gk
       46 root          1 -16    0     0K    16K psleep 0   0:10  0.00% vmuncachedaemon
      936 root          1   8    0  2520K   836K nanslp 0   0:09  0.00% cron
       42 root          1 -16    0     0K    16K sdflus 0   0:08  0.00% softdepflush
     1087 root          1  76    0 51376K 32528K select 0   0:08  0.00% mgd
     1142 root          1   4    0     0K    16K peer_s 0   0:08  0.00% peer proxy
       38 root          1 -16    0     0K    16K psleep 0   0:07  0.00% bufdaemon
       39 root          1  -4    0     0K    16K vlruwt 0   0:07  0.00% vnlru
     1123 root          1  76    0  7560K  2400K select 0   0:04  0.00% smtpd
       29 root          1 -28 -147     0K    16K WAIT   0   0:04  0.00% swi5: cambio
     1097 root          1  76    0 14216K  5260K select 0   0:04  0.00% dfwd
      162 root          1  -8    0     0K    16K mdwait 0   0:03  0.00% md1
     1092 root          1  76    0  5584K  1812K select 0   0:02  0.00% inetd
    20460 root          1  76    0  9916K  2928K select 0   0:02  0.00% sshd
    20491 root          1  76    0 43304K 14352K select 0   0:02  0.00% cli
        8 root          1 -16    0     0K    16K psleep 0   0:02  0.00% pagedaemon
        1 root          1   8    0  1516K   808K wait   0   0:02  0.00% init
      846 root          1  76    0  2224K  1088K select 0   0:01  0.00% usbd
     1119 root          1  76    0 10328K  3820K select 0   0:01  0.00% nstraced
    20492 root          1  76    0 51428K  5268K select 0   0:01  0.00% mgd
     1117 root          1  76    0 15700K  4336K select 0   0:01  0.00% appidd
     1110 root          2  94    0 10112K  3504K select 0   0:01  0.00% wwand
     1101 root          1 139    0  8572K  3448K select 0   0:01  0.00% dhcpd
     1102 root          1  76    0  8216K  3008K select 0   0:00  0.00% pppd
     1127 root          1  94    0  9476K  2696K select 0   0:00  0.00% sdxd
     1109 root          1  93    0 10276K  2876K select 0   0:00  0.00% sendd
     1020 root          1  -8    0     0K    16K mdwait 0   0:00  0.00% md3
    20463 root          1  20    0  4908K  2952K pause  0   0:00  0.00% csh
     1112 root          1  94    0  7508K  2376K select 0   0:00  0.00% relayd
     1108 root          1  95    0  7928K  2420K select 0   0:00  0.00% mplsoamd
        6 root          1   8    0     0K    16K -      0   0:00  0.00% thread taskq
       33 root          1   8    0     0K    16K usbevt 0   0:00  0.00% usb0
     1081 root          1  85    0  2548K  1160K select 0   0:00  0.00% tnetd
     1129 root          1   5    0  2640K  1172K ttyin  0   0:00  0.00% getty
    20520 root          1  78    0 24112K  1748K CPU0   0   0:00  0.00% top
     1011 root          1  -8    0     0K    16K mdwait 0   0:00  0.00% md2
       31 root          1 -48 -167     0K    16K WAIT   0   0:00  0.00% swi0: uart
        0 root          1  12    0     0K     0K WAIT   0   0:00  0.00% swapper
       47 root          1   4    0     0K    16K pfeacc 0   0:00  0.00% if_pfe_listen
       44 root          1   4    0     0K    16K pfeacc 0   0:00  0.00% if_pic_listen0
        7 root          1   8    0     0K    16K -      0   0:00  0.00% kqueue taskq
       50 root          1   8    0     0K    16K -      0   0:00  0.00% nfsiod 2
       48 root          1   8    0     0K    16K -      0   0:00  0.00% nfsiod 0
       43 root          1  76    0     0K    16K sleep  0   0:00  0.00% netdaemon
       51 root          1   8    0     0K    16K -      0   0:00  0.00% nfsiod 3
       49 root          1   8    0     0K    16K -      0   0:00  0.00% nfsiod 1
       34 root          1   8    0     0K    16K usbtsk 0   0:00  0.00% usbtask
       10 root          1 -16    0     0K    16K ktrace 0   0:00  0.00% ktrace
       27 root          1 -12 -131     0K    16K WAIT   0   0:00  0.00% swi9: +
       30 root          1 -12 -131     0K    16K WAIT   0   0:00  0.00% swi9: task queue
       28 root          1 -16 -135     0K    16K WAIT   0   0:00  0.00% swi8: +
       25 root          1 -24 -143     0K    16K WAIT   0   0:00  0.00% swi6: vm
       36 root          1 -32 -151     0K    16K WAIT   0   0:00  0.00% swi4: ip6mismatch+
       35 root          1 -36 -155     0K    16K WAIT   0   0:00  0.00% swi3: ip6opt ipopt
       37 root          1 -44 -163     0K    16K WAIT   0   0:00  0.00% swi1: ipfwd
       17 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu5
       16 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu6
       15 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu7
       20 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu2
       13 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu9
       12 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu10
       11 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu11
       14 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu8
       19 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu3
       18 root          1 171   52     0K    16K CPU0   0   0:00  0.00% idle: cpu4

     

    _____________________________________________________________________________

     

    root@srx> show system storage
    Filesystem              Size       Used      Avail  Capacity   Mounted on
    /dev/da0s2a             293M       140M       130M       52%  /
    devfs                   1.0K       1.0K         0B      100%  /dev
    /dev/md0                360M       360M         0B      100%  /junos
    /cf                     293M       140M       130M       52%  /junos/cf
    devfs                   1.0K       1.0K         0B      100%  /junos/dev/
    procfs                  4.0K       4.0K         0B      100%  /proc
    /dev/bo0s3e              24M        40K        22M        0%  /config
    /dev/bo0s3f             342M        56M       259M       18%  /cf/var
    /dev/md1                168M        16M       139M       10%  /mfs
    /cf/var/jail            342M        56M       259M       18%  /jail/var
    /cf/var/log             342M        56M       259M       18%  /jail/var/log
    devfs                   1.0K       1.0K         0B      100%  /jail/dev
    /dev/md2                 39M       4.0K        36M        0%  /mfs/var/run/utm
    /dev/md3                1.8M       156K       1.5M        9%  /jail/mfs



  • 7.  RE: Troubleshooting SRX210h High CPU Usage 100%

     
    Posted 06-08-2015 20:53

    The NTP daemon looks high.  Wondering if the firewall is being hit with an NTP amplification attack...

     

    Can you try disabling NTP on the firewall and check again?

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613

     

     

    Regards,

    Sam
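
Reading the process listing above by eye works once; a parser makes it repeatable. The following is an added example (mine, not code from this thread or from Juniper): it parses `show system processes extensive`, flags processes by their instantaneous WCPU, and separately compares each process's accumulated TIME against the uptime in the header. That second view is what makes the ntpd figure stand out: 52.5 hours of CPU on a 3-day uptime is not a time-sync daemon doing its job, even on a snapshot where the flow daemon is the top line. The sample rows are constructed from the output posted above; the 20% and 0.25 thresholds are my assumptions.

```python
import re

# Constructed sample modelled on the 'show system processes extensive' output posted in
# this thread: the header lines plus a handful of rows, not the full capture.
SAMPLE_TOP = """\
last pid: 20520;  load averages:  2.33,  2.10,  2.03  up 3+00:41:40    22:36:18
130 processes: 20 running, 96 sleeping, 3 zombie, 11 waiting

Mem: 140M Active, 76M Inact, 530M Wired, 138M Cache, 112M Buf, 85M Free
Swap:

  PID USERNAME    THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1100 root          5  76    0   499M 52556K RUN    0  85.2H 95.46% flowd_octeon_hm
 1086 root          1 139    0  3136K  2144K RUN    0  52.5H 75.15% ntpd
   23 root          1 -40 -159     0K    16K WAIT   0 129:50  0.00% swi2: net
   22 root          1 171   52     0K    16K RUN    0  40:33  0.00% idle: cpu0
 1130 nobody        4 109    0 10528K  4684K ucond  0   2:50  0.00% httpd
"""


def parse_cpu_time(field):
    """TIME column of FreeBSD top: 'mm:ss' for young processes, 'hh.hH' once past 100
    minutes of CPU. Returns hours as a float."""
    if field.endswith("H"):
        return float(field[:-1])
    minutes, seconds = field.split(":")
    return (int(minutes) * 60 + int(seconds)) / 3600.0


def parse_uptime_hours(header):
    """'up 3+00:41:40' (days+hh:mm:ss) -> hours as a float."""
    m = re.search(r"up (\d+)\+(\d+):(\d+):(\d+)", header)
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 24 + hours + minutes / 60 + seconds / 3600


def parse_processes(text):
    """Parse Junos 'show system processes extensive' into a report dict.

    COMMAND may itself contain spaces ('swi2: net', 'idle: cpu0'), so each row is split
    into at most 12 fields and the remainder is kept whole as the command.
    """
    report = {"load": None, "uptime_hours": None, "rows": []}
    in_table = False
    for line in text.splitlines():
        if line.startswith("last pid"):
            m = re.search(r"load averages:\s+([\d.]+),\s+([\d.]+),\s+([\d.]+)", line)
            report["load"] = tuple(float(x) for x in m.groups())
            report["uptime_hours"] = parse_uptime_hours(line)
            continue
        if line.lstrip().startswith("PID "):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split(None, 11)
        if len(parts) < 12:
            continue  # truncated row (e.g. a cut-off paste): skip rather than guess
        report["rows"].append({
            "pid": int(parts[0]), "user": parts[1], "threads": int(parts[2]),
            "state": parts[7], "cpu_hours": parse_cpu_time(parts[9]),
            "wcpu": float(parts[10].rstrip("%")), "command": parts[11],
        })
    return report


def hot_now(report, min_wcpu=20.0):
    """Processes using at least min_wcpu percent in this snapshot, busiest first
    (idle threads excluded)."""
    rows = [r for r in report["rows"]
            if r["wcpu"] >= min_wcpu and not r["command"].startswith("idle:")]
    return sorted(rows, key=lambda r: -r["wcpu"])


def hot_since_boot(report, min_share=0.25):
    """Processes whose accumulated CPU time is a large fraction of the uptime.

    A daemon that has been spinning for days shows up here even when one snapshot looks
    quiet. Multi-threaded processes such as flowd can legitimately exceed 1.0.
    """
    up = report["uptime_hours"]
    out = [(r["command"], round(r["cpu_hours"] / up, 2)) for r in report["rows"]
           if not r["command"].startswith("idle:") and r["cpu_hours"] / up >= min_share]
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    rep = parse_processes(SAMPLE_TOP)
    print("load averages:", rep["load"], "uptime (h):", round(rep["uptime_hours"], 1))
    for r in hot_now(rep):
        print(f"{r['wcpu']:6.2f}% now   {r['command']}")
    for cmd, share in hot_since_boot(rep):
        print(f"{share:5.2f} of uptime  {cmd}")
```

On the posted capture both views agree (flowd_octeon_hm and ntpd), which is the useful signal: flowd is the packet-forwarding process and is expected to be busy under load, whereas ntpd at three quarters of the uptime points at the daemon itself, the line of inquiry the reply above takes.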



  • 8.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-09-2015 10:00

    Thank you for the reply. I glanced over the URL you provided. Going to try this today.

     

    Does disabling the NTP service disconnect any services? I do not have physical access to the machine and just want to be certain I will still be able to access the Juniper once NTP is disabled.



  • 9.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-09-2015 12:25

    I was checking the logs and noticed a bunch of failed password attempts from 124.133.16.39, which is an overseas address. I'm not an expert, but it appears someone is brute-force attacking, trying different ports and passwords. See below.

     

    What's the proper command to block or ignore all traffic from a specific ip address?  

     

    Or possibly restricting bad password attempts and lockout policies?

     

    ____________________________________________________________________

    root@srx> show log messages
    Jun  7 20:01:03 srx newsyslog[14485]: logfile turned over due to size>100K
    Jun  7 20:01:06  srx sshd[14482]: Disconnecting: Too many password failures for deploy
    Jun  7 20:01:48  srx sshd[14487]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:01:59  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
    Jun  7 20:02:00  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
    Jun  7 20:02:06  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
    Jun  7 20:02:22  srx sshd[14490]: Disconnecting: Too many password failures for deploy
    Jun  7 20:03:05  srx sshd[14495]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:03:17  srx sshd[14499]: Failed password for deploy from 124.133.16.39 port 58660 ssh2
    Jun  7 20:03:24  srx last message repeated 2 times
    Jun  7 20:03:40  srx sshd[14500]: Disconnecting: Too many password failures for deploy
    Jun  7 20:03:48  srx sshd[14502]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:04:27  srx sshd[14504]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:05:14  srx sshd[14509]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:05:58  srx sshd[14514]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:06:09  srx sshd[14515]: Failed password for vbox from 124.133.16.39 port 60793 ssh2
    Jun  7 20:06:16  srx last message repeated 2 times
    Jun  7 20:06:31  srx sshd[14519]: Disconnecting: Too many password failures for vbox
    Jun  7 20:06:41  srx sshd[14520]: Failed password for vbox from 124.133.16.39 port 56749 ssh2
    Jun  7 20:06:48  srx last message repeated 2 times
    Jun  7 20:07:03  srx sshd[14521]: Disconnecting: Too many password failures for vbox
    Jun  7 20:07:12  srx sshd[14525]: Failed password for vbox from 124.133.16.39 port 52706 ssh2
    Jun  7 20:07:19  srx last message repeated 2 times
    Jun  7 20:07:35  srx sshd[14526]: Disconnecting: Too many password failures for vbox
    Jun  7 20:07:38  srx sshd[14527]: Could not write ident string to UNKNOWN
    Jun  7 20:07:57  srx sshd[14528]: Failed password for vbox from 124.133.16.39 port 50219 ssh2
    Jun  7 20:08:04  srx last message repeated 2 times
    Jun  7 20:08:20  srx sshd[14529]: Disconnecting: Too many password failures for vbox
    Jun  7 20:08:28  srx sshd[14533]: Failed password for vbox from 124.133.16.39 port 49879 ssh2
    Jun  7 20:08:29  srx sshd[14533]: Failed password for vbox from 124.133.16.39 port 49879 ssh2
    Jun  7 20:08:35  srx sshd[14533]: Failed password for vbox from 124.133.16.39 port 49879 ssh2
    Jun  7 20:08:51  srx sshd[14534]: Disconnecting: Too many password failures for vbox
    Jun  7 20:09:32  srx sshd[14536]: fatal: Read from socket failed: Connection reset by peer
    Jun  7 20:09:49  srx sshd[14540]: Failed password for vbox from 124.133.16.39 port 62540 ssh2
    Jun  7 20:09:56  srx last message repeated 2 times
    Jun  7 20:10:12  srx sshd[14541]: Disconnecting: Too many password failures for vbox
    Jun  7 20:10:21  srx sshd[14545]: Failed password for vbox from 124.133.16.39 port 60554 ssh2
    Jun  7 20:10:28  srx last message repeated 2 times
    Jun  7 20:10:43  srx sshd[14546]: Disconnecting: Too many password fail



  • 10.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-09-2015 13:23

    After scrolling further down the logs I noticed it's coming in from different IP addresses and different ports.  This appears to be a brute-force attack.  

     

    I came across this article: http://www.ebrahma.com/2015/01/block-ssh-login-attack-juniper-srx/

     

    Seems like this would be the perfect solution, but I was having a hard time following the configuration.

     

    I then came across this article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28968&smlogin=true

     

    Which suggested modifying the login retry-options. I was able to set tries-before-disconnect, backoff-threshold and backoff-factor, but I do not see any option for a lockout period.

     

    _______________________________________________________________________________

    root@srx# set system login retry-options ?
    Possible completions:
    + apply-groups           Groups from which to inherit configuration data
    + apply-groups-except    Don't inherit configuration data from these groups
      backoff-factor         Delay factor after 'backoff-threshold' password failures (5..10)
      backoff-threshold      Number of password failures before delay is introduced (1..3)
      maximum-time           Maximum time the connection will remain for user to enter username and password
      minimum-time           Minimum total connection time if all attempts fail (20..60)
      tries-before-disconnect  Number of times user is allowed to try password (1..10)



  • 11.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-10-2015 15:08

    Can someone please assist with a method of blocking these unauthorized login attempts from different IP addresses and destination ports?

     

     

    ________________________________

    Jun 10 17:01:42  srx sshd[10823]: Failed password for ubnt from 49.236.204.180 port 9055 ssh2
    Jun 10 17:01:43  srx sshd[10822]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:01:52  srx sshd[10824]: Connection closed by 49.236.204.180
    Jun 10 17:01:53  srx sshd[10825]: Failed password for root from 210.61.150.155 port 51395 ssh2
    Jun 10 17:02:04  srx sshd[10828]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:02:18  srx sshd[10832]: Failed password for root from 210.61.150.155 port 56101 ssh2
    Jun 10 17:02:28  srx sshd[10833]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:02:44  srx sshd[10836]: Failed password for root from 210.61.150.155 port 33051 ssh2
    Jun 10 17:02:55  srx sshd[10839]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:03:05  srx sshd[10842]: Failed password for root from 210.61.150.155 port 38804 ssh2
    Jun 10 17:03:15  srx sshd[10843]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:03:32  srx sshd[10848]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:03:48  srx sshd[10860]: Failed password for root from 210.61.150.155 port 46893 ssh2
    Jun 10 17:03:58  srx sshd[10861]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:04:07  srx sshd[10834]: Accepted password for root from 10.10.0.8 port 2242 ssh2
    Jun 10 17:04:15  srx sshd[10862]: Failed password for root from 210.61.150.155 port 52621 ssh2
    Jun 10 17:04:25  srx sshd[10863]: Received disconnect from 210.61.150.155: 11: Bye Bye
    Jun 10 17:04:41  srx sshd[10888]: Failed password for root from 210.61.150.155 port 58614 ssh2



  • 12.  RE: Troubleshooting SRX210h High CPU Usage 100%

     
    Posted 06-10-2015 22:04

    You can build a firewall filter that you apply on the lo0 unit to protect ssh access towards the device.

     

    In the example I have used prefix-lists so that only certain traffic from certain addresses is allowed towards protocols on the RE of the device.

     

    Apply the filter to protect the device:

     

    set interfaces lo0 unit 0 family inet filter input RE-protect

     

    Prefix-list example:

    set policy-options prefix-list Permit-ssh 10.0.0.1/32
    set policy-options prefix-list Permit-ssh  213.x.x.x/32

     

     

    Firewall config example:

    You can easily remove parts of the example or replace them.

     


    set firewall filter RE-protect term TCP-established from protocol tcp
    set firewall filter RE-protect term TCP-established from tcp-established
    set firewall filter RE-protect term TCP-established then accept
    set firewall filter RE-protect term SSH-allow from source-prefix-list Permit-ssh
    set firewall filter RE-protect term SSH-allow from protocol udp
    set firewall filter RE-protect term SSH-allow from protocol tcp
    set firewall filter RE-protect term SSH-allow from port ssh
    set firewall filter RE-protect term SSH-allow then accept
    set firewall filter RE-protect term BGP-allow from source-prefix-list Permit-bgp
    set firewall filter RE-protect term BGP-allow from protocol tcp
    set firewall filter RE-protect term BGP-allow from destination-port bgp
    set firewall filter RE-protect term BGP-allow then accept
    deactivate firewall filter RE-protect term BGP-allow
    set firewall filter RE-protect term ICMP-allow from protocol icmp
    set firewall filter RE-protect term ICMP-allow from icmp-type echo-reply
    set firewall filter RE-protect term ICMP-allow from icmp-type echo-request
    set firewall filter RE-protect term ICMP-allow from icmp-type unreachable
    set firewall filter RE-protect term ICMP-allow from icmp-type time-exceeded
    set firewall filter RE-protect term ICMP-allow from icmp-code fragmentation-needed
    set firewall filter RE-protect term ICMP-allow from icmp-code 0
    set firewall filter RE-protect term ICMP-allow then policer RATE-small
    set firewall filter RE-protect term ICMP-allow then accept
    set firewall filter RE-protect term TRACE-allow from protocol udp
    set firewall filter RE-protect term TRACE-allow from destination-port 33434-33523
    set firewall filter RE-protect term TRACE-allow then policer RATE-small
    set firewall filter RE-protect term TRACE-allow then accept
    set firewall filter RE-protect term SNMP-allow from source-prefix-list Permit-snmp
    set firewall filter RE-protect term SNMP-allow from protocol udp
    set firewall filter RE-protect term SNMP-allow from destination-port snmp
    set firewall filter RE-protect term SNMP-allow then policer RATE-large
    set firewall filter RE-protect term SNMP-allow then accept
    set firewall filter RE-protect term XNM-allow from source-prefix-list Permit-netblock
    set firewall filter RE-protect term XNM-allow from protocol tcp
    set firewall filter RE-protect term XNM-allow from destination-port 3220
    set firewall filter RE-protect term XNM-allow from destination-port 3221
    set firewall filter RE-protect term XNM-allow then policer RATE-large
    set firewall filter RE-protect term XNM-allow then accept
    deactivate firewall filter RE-protect term XNM-allow
    set firewall filter RE-protect term NTP-allow from source-prefix-list Permit-ntp
    set firewall filter RE-protect term NTP-allow from protocol udp
    set firewall filter RE-protect term NTP-allow from source-port ntp
    set firewall filter RE-protect term NTP-allow then policer RATE-small
    set firewall filter RE-protect term NTP-allow then accept
    set firewall filter RE-protect term DOMAIN-allow from source-prefix-list Permit-dns
    set firewall filter RE-protect term DOMAIN-allow from protocol udp
    set firewall filter RE-protect term DOMAIN-allow from source-port domain
    set firewall filter RE-protect term DOMAIN-allow then policer RATE-small
    set firewall filter RE-protect term DOMAIN-allow then accept
    set firewall filter RE-protect term FTP-allow from source-prefix-list Permit-ssh
    set firewall filter RE-protect term FTP-allow from protocol tcp
    set firewall filter RE-protect term FTP-allow from destination-port 20
    set firewall filter RE-protect term FTP-allow from destination-port 21
    set firewall filter RE-protect term FTP-allow then accept
    set firewall filter RE-protect term LOCAL-allow from source-address 127.0.0.1/32
    set firewall filter RE-protect term LOCAL-allow from source-address lan.seg.ip.alloc/x
    set firewall filter RE-protect term LOCAL-allow then accept
    set firewall filter RE-protect term IPSEC-allow from source-address x.x.x.x/x
    set firewall filter RE-protect term IPSEC-allow from protocol esp
    set firewall filter RE-protect term IPSEC-allow from protocol ah
    set firewall filter RE-protect term IPSEC-allow from protocol tcp
    set firewall filter RE-protect term IPSEC-allow from protocol udp
    set firewall filter RE-protect term IPSEC-allow then accept
    set firewall filter RE-protect term pim-allow from protocol igmp
    set firewall filter RE-protect term pim-allow from protocol pim
    set firewall filter RE-protect term pim-allow then accept
    set firewall filter RE-protect term HTTP-allow from source-prefix-list Permit-http
    set firewall filter RE-protect term HTTP-allow from protocol udp
    set firewall filter RE-protect term HTTP-allow from protocol tcp
    set firewall filter RE-protect term HTTP-allow from port http
    set firewall filter RE-protect term HTTP-allow then accept
    set firewall filter RE-protect term DEFAULT-deny-everything-else then discard
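
The sshd lines in the two posts above and the lo0 filter in this reply, combined into one added example (mine, not code from this thread or from Juniper). It tallies failed password attempts per source address from `show log messages`, including the `last message repeated N times` lines that syslog uses to collapse consecutive duplicates, flags any successful login from outside the management prefixes, and emits the Junos `set` and `insert` commands for an explicit deny term plus an SSH allow term placed ahead of the filter's existing terms. Assumptions: the sample log lines are constructed from the posted ones; the threshold of three failures, the management prefix 10.10.0.0/24 (taken from the `Accepted password ... from 10.10.0.8` line), the term names and the counter name are mine; the `insert ... before term TCP-established` command assumes the RE-protect filter posted above is already configured.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the sshd lines posted in this thread (not a real capture).
SAMPLE_LOG = """\
Jun  7 20:01:59  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
Jun  7 20:02:00  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
Jun  7 20:02:06  srx sshd[14489]: Failed password for deploy from 124.133.16.39 port 61274 ssh2
Jun  7 20:02:22  srx sshd[14490]: Disconnecting: Too many password failures for deploy
Jun  7 20:03:17  srx sshd[14499]: Failed password for deploy from 124.133.16.39 port 58660 ssh2
Jun  7 20:03:24  srx last message repeated 2 times
Jun 10 17:01:42  srx sshd[10823]: Failed password for ubnt from 49.236.204.180 port 9055 ssh2
Jun 10 17:01:53  srx sshd[10825]: Failed password for root from 210.61.150.155 port 51395 ssh2
Jun 10 17:02:18  srx sshd[10832]: Failed password for root from 210.61.150.155 port 56101 ssh2
Jun 10 17:02:44  srx sshd[10836]: Failed password for root from 210.61.150.155 port 33051 ssh2
Jun 10 17:04:07  srx sshd[10834]: Accepted password for root from 10.10.0.8 port 2242 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def parse_sshd(log_text):
    """Tally sshd authentication events from Junos 'show log messages' output.

    Returns (failures_by_ip, usernames_by_ip, accepted_logins). syslog collapses identical
    consecutive lines into 'last message repeated N times'; those N are credited to the
    failed-password line immediately before them, the only line a repeat can refer to.
    """
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    last_failed_ip = None
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            last_failed_ip = ip
            continue
        m = REPEAT_RE.search(line)
        if m:
            if last_failed_ip:
                failures[last_failed_ip] += int(m.group(1))
            continue  # a repeat line does not change which line is "last"
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
        last_failed_ip = None  # any other line breaks the repeat chain
    return failures, usernames, accepted


def offenders(failures, threshold=3):
    """Source addresses with at least `threshold` failures, worst first."""
    return sorted((ip for ip, n in failures.items() if n >= threshold),
                  key=lambda ip: (-failures[ip], ip))


def logins_outside(accepted, mgmt_prefixes):
    """Successful logins from outside the management prefixes: the lines worth reading
    twice when a brute force has been running against the box for days."""
    nets = [ipaddress.ip_network(p) for p in mgmt_prefixes]
    return [(user, ip) for user, ip in accepted
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def junos_ssh_terms(offender_ips, mgmt_prefixes, filter_name="RE-protect"):
    """Junos set commands: a counted deny term for the offenders, an SSH allow term for the
    management prefixes, and insert commands so both sit ahead of the existing terms
    (a term added with 'set' lands after the filter's final discard and never matches).
    Term and counter names, and the TCP-established anchor, are assumptions."""
    lines = [f"set policy-options prefix-list Deny-ssh-brute {ip}/32" for ip in offender_ips]
    lines += [f"set policy-options prefix-list Permit-ssh {p}" for p in mgmt_prefixes]
    t = f"set firewall filter {filter_name} term"
    lines += [
        f"{t} SSH-deny from source-prefix-list Deny-ssh-brute",
        f"{t} SSH-deny from protocol tcp",
        f"{t} SSH-deny from destination-port ssh",
        f"{t} SSH-deny then count ssh-brute-force",
        f"{t} SSH-deny then discard",
        f"{t} SSH-allow from source-prefix-list Permit-ssh",
        f"{t} SSH-allow from protocol tcp",
        f"{t} SSH-allow from destination-port ssh",
        f"{t} SSH-allow then accept",
        f"insert firewall filter {filter_name} term SSH-deny before term TCP-established",
        f"insert firewall filter {filter_name} term SSH-allow after term SSH-deny",
    ]
    return lines


if __name__ == "__main__":
    failures, users, accepted = parse_sshd(SAMPLE_LOG)
    for ip in offenders(failures):
        print(f"{ip:16} {failures[ip]:3} failures  users tried: {sorted(users[ip])}")
    print("logins outside mgmt:", logins_outside(accepted, ["10.10.0.0/24"]))
    print("\n".join(junos_ssh_terms(offenders(failures), ["10.10.0.0/24"])))
```

Apply the output with `commit confirmed 5` from a session whose source address is in Permit-ssh: a mistake in an lo0 filter locks you out of a box you have no console on, and the confirmed commit rolls back on its own if you cannot get back in. Three caveats on the filter posted above, since the example only adds to it: it references policers RATE-small and RATE-large and several Permit-* prefix lists that are not defined in the post, and the commit fails until they exist; a Junos filter ends in an implicit discard, so every protocol the RE must receive (IKE and ESP from the VPN peer, NTP and DNS replies) needs its own accept term, as the posted filter provides; and its SSH-allow and HTTP-allow terms match UDP as well as TCP and either port direction, where `protocol tcp` with `destination-port` is tighter. Blocking individual offenders is reactive, as the earlier posts show attempts arriving from new addresses; the allow list with a default discard is what stops the brute force, and the deny term mostly gives you a counter to watch with `show firewall filter RE-protect`. On SRX specifically, also check `security zones security-zone <untrust> host-inbound-traffic system-services`: if ssh is listed for the Internet-facing zone, removing it keeps the attempts off the RE entirely.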



  • 13.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-11-2015 07:29

    Thank you so much MarcTB.  

     

    I am very confident that a firewall rule restricting the SSH login will resolve this issue.  I am going to attempt to implement this today. I'm hoping all of the commands are available on our version of Junos, because when I attempted to restrict the login attempts, retry-options lockout-period was not available as an option (it was introduced in Junos OS Release 11.2). These are the login retry-options settings I configured, which didn't seem to help:

     

    retry-options {
        tries-before-disconnect 2;
        backoff-threshold 1;
        backoff-factor 10;
        minimum-time 60;
    }

     

    I was hoping I could set at least a 10-minute waiting time after the 2nd failed attempt, but it's not working. 

     

    system login retry-options lockout-period is the setting I believe I need but is not available on our outdated software.

     

    Anyways, I will update after I apply the firewall settings you recommended.



  • 14.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-12-2015 00:12

    @samc

     

    I followed the steps in the link to add a firewall rule for NTP, and ntpd usage changed. After committing and waiting about 10 minutes, the CPU returned to normal usage!

     

     

    last pid:  2797;  load averages:  1.66,  2.30,  2.39  up 0+01:25:44    02:03:13
    132 processes: 16 running, 103 sleeping, 1 zombie, 12 waiting

    Mem: 164M Active, 76M Inact, 531M Wired, 134M Cache, 112M Buf, 64M Free
    Swap:

      PID USERNAME    THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
     1100 root          5  76    0   499M 54888K select 0  90:17 142.04% flowd_octeon_hm
       22 root          1 171   52     0K    16K RUN    0   0:43  6.01% idle: cpu0
     1086 root          1  76    0  3080K  2088K select 0  52:17  0.00% ntpd
       23 root          1 -40 -159     0K    16K WAIT   0   3:35  0.00% swi2: net
       21 root          1 171   52     0K    16K RUN    1   2:11  0.00% idle: cpu1
       24 root          1 -20 -139     0K    16K WAIT   0   1:20  0.00% swi7: clock
     1130 nobody        4  76    0 10488K  4704K ucond  0   0:50  0.00% httpd
       52 root          1  -8    0     0K    16K mdwait 0   0:30  0.00% md0
      866 root          1  76    0  7872K  2764K select 0   0:26  0.00% eventd
        5 root          1 -84    0     0K    16K rtfifo 0   0:23  0.00% rtfifo_kern_recv
     1126 root          1  76    0  8636K  3028K select 0   0:17  0.00% license-check
     1091 root          1  76    0 17072K  6676K select 0   0:17  0.00% l2ald
     1088 root          1  76    0 18812K 11644K select 0   0:16  0.00% snmpd
     1105 root          3  20    0 43500K 12260K sigwai 0   0:10  0.00% authd
     1093 root          2  76    0 21956K  7116K RUN    0   0:09  0.00% pfed
     1096 root          1  76    0  8828K  3444K select 0   0:09  0.00% ppmd
     1095 root          1  76    0 18328K  7364K select 0   0:07  0.00% kmd
     1083 root          1  76    0 33280K 13984K select 0   0:07  0.00% chassisd
     1122 root          1  76    0 14472K  6456K select 0   0:06  0.00% utmd
     1128 root          1   4    0 17932K 10584K kqread 0   0:06  0.00% eswd
     1080 root          1  76    0  3148K  1364K select 0   0:06  0.00% bslockd
        3 root          1  -8    0     0K    16K -      0   0:06  0.00% g_up
     1084 root          1  76    0  8680K  3200K select 0   0:05  0.00% alarmd
     1089 root          1  76    0 18104K  8560K select 0   0:05  0.00% mib2d
        4 root          1  -8    0     0K    16K -      0   0:04  0.00% g_down
     1307 root          1  76    0 61172K 19836K select 0   0:04  0.00% mgd
     1090 root          1   4    0 42760K 18952K kqread 0   0:04  0.00% rpd
     1306 root          1  76    0 43328K 14456K select 0   0:04  0.00% cli
       45 root          1 -16    0     0K    16K psleep 0   0:04  0.00% vmkmemdaemon
     1116 root          1  76    0 10520K  4092K select 0   0:04  0.00% httpd-gk
     1087 root          1  76    0 51376K 32536K select 0   0:03  0.00% mgd
     1282 root          1  76    0  9820K  2812K select 0   0:03  0.00% sshd
     1121 root          1  76    0 11584K  4556K select 0   0:03  0.00% rtlogd
     1082 root          1  76    0 28448K  6740K select 0   0:03  0.00% dcd
     1124 root          3  76    0 12760K  4420K select 0   0:03  0.00% wland
     2338 root          1  76    0 58624K 19524K select 0   0:02  0.00% mgd
     2337 root          1  76    0 43332K 14460K select 0   0:02  0.00% cli
     1118 root          1  76    0 30120K  6772K select 0   0:02  0.00% idpd
     1114 root          1  76    0 14212K  7744K select 0   0:02  0.00% nsd
     1098 root          1  76    0  7236K  2668K select 0   0:02  0.00% irsd
       32 root          1   8    0     0K    16K dwcint 0   0:02  0.00% dwc0
     2284 root          1  76    0  9820K  2900K select 0   0:02  0.00% sshd
        2 root          1  -8    0     0K    16K -      0   0:02  0.00% g_event
     1111 root          1  76    0 16828K  4676K select 0   0:02  0.00% smid
        9 root          1 171   52     0K    16K pgzero 0   0:02  0.00% pagezero
       26 root          1 -16    0     0K    16K -      0   0:02  0.00% yarrow
     1113 root          1  76    0 11252K  4368K select 0   0:02  0.00% jsrpd
     1094 root          1  76    0 18876K  6240K select 0   0:01  0.00% cosd
        1 root          1   8    0  1516K   808K wait   0   0:01  0.00% init
     1097 root          1  76    0 14220K  5384K select 0   0:01  0.00% dfwd
     1125 root          1   4    0  8424K  3772K kqread 0   0:01  0.00% mcsnoopd
     1115 root          1  76    0 12340K  4192K select 0   0:01  0.00% pkid
     1120 root          1  76    0 11148K  3932K select 0   0:01  0.00% fwauthd
     1103 root          1  76    0 13096K  4468K select 0   0:01  0.00% lacpd
    1099 root 1 76 0 11008K 4320K select 0 0:01 0.00% bfdd
    41 root 1 20 0 0K 16K syncer 0 0:01 0.00% syncer
    1085 root 1 76 0 11112K 3264K select 0 0:01 0.00% craftd
    1079 root 1 76 0 2124K 776K select 0 0:01 0.00% watchdog
    40 root 1 20 0 0K 16K vnlrum 0 0:01 0.00% vnlru_mem
    1117 root 1 76 0 15700K 4252K select 0 0:01 0.00% appidd
    162 root 1 -8 0 0K 16K mdwait 0 0:01 0.00% md1
    1101 root 1 139 0 8536K 3420K select 0 0:01 0.00% dhcpd
    29 root 1 -28 -147 0K 16K WAIT 0 0:01 0.00% swi5: cambio
    1110 root 2 93 0 10120K 3500K select 0 0:01 0.00% wwand
    1119 root 1 76 0 10264K 3756K select 0 0:01 0.00% nstraced
    1109 root 1 94 0 10276K 2944K select 0 0:00 0.00% sendd
    1102 root 1 76 0 8216K 3008K select 0 0:00 0.00% pppd
    1137 root 1 4 0 0K 16K peer_s 0 0:00 0.00% peer proxy
    1127 root 1 76 0 9488K 2844K select 0 0:00 0.00% sdxd
    1123 root 1 76 0 7560K 2400K select 0 0:00 0.00% smtpd
    1112 root 1 94 0 7508K 2376K select 0 0:00 0.00% relayd
    1288 root 1 20 0 4908K 2952K pause 0 0:00 0.00% csh
    2305 root 1 20 0 4912K 2964K pause 0 0:00 0.00% csh
    1107 root 1 95 0 7928K 2416K select 0 0:00 0.00% mplsoamd
    936 root 1 8 0 2520K 836K nanslp 0 0:00 0.00% cron
    46 root 1 -16 0 0K 16K psleep 0 0:00 0.00% vmuncachedaemon
    1092 root 1 139 0 5584K 1800K select 0 0:00 0.00% inetd
    39 root 1 -4 0 0K 16K vlruwt 0 0:00 0.00% vnlru
    38 root 1 -16 0 0K 16K psleep 0 0:00 0.00% bufdaemon
    42 root 1 -16 0 0K 16K sdflus 0 0:00 0.00% softdepflush
    6 root 1 8 0 0K 16K - 0 0:00 0.00% thread taskq
    1017 root 1 -8 0 0K 16K mdwait 0 0:00 0.00% md3
    1081 root 1 84 0 2548K 1160K select 0 0:00 0.00% tnetd
    1129 root 1 5 0 2640K 1172K ttyin 0 0:00 0.00% getty
    846 root 1 76 0 2224K 1088K select 0 0:00 0.00% usbd
    2797 root 1 76 0 24116K 1776K CPU0 0 0:00 0.00% top
    8 root 1 -16 0 0K 16K psleep 0 0:00 0.00% pagedaemon
    1008 root 1 -8 0 0K 16K mdwait 0 0:00 0.00% md2
    31 root 1 -48 -167 0K 16K WAIT 0 0:00 0.00% swi0: uart
    0 root 1 12 0 0K 0K WAIT 0 0:00 0.00% swapper
    33 root 1 8 0 0K 16K usbevt 0 0:00 0.00% usb0
    47 root 1 4 0 0K 16K pfeacc 0 0:00 0.00% if_pfe_listen
    44 root 1 4 0 0K 16K pfeacc 0 0:00 0.00% if_pic_listen0
    7 root 1 8 0 0K 16K - 0 0:00 0.00% kqueue taskq
    48 root 1 8 0 0K 16K - 0 0:00 0.00% nfsiod 0
    49 root 1 8 0 0K 16K - 0 0:00 0.00% nfsiod 1
    43 root 1 76 0 0K 16K sleep 0 0:00 0.00% netdaemon
    51 root 1 8 0 0K 16K - 0 0:00 0.00% nfsiod 3
    50 root 1 8 0 0K 16K - 0 0:00 0.00% nfsiod 2
    34 root 1 8 0 0K 16K usbtsk 0 0:00 0.00% usbtask
    10 root 1 -16 0 0K 16K ktrace 0 0:00 0.00% ktrace
    30 root 1 -12 -131 0K 16K WAIT 0 0:00 0.00% swi9: task queue
    27 root 1 -12 -131 0K 16K WAIT 0 0:00 0.00% swi9: +
    28 root 1 -16 -135 0K 16K WAIT 0 0:00 0.00% swi8: +
    25 root 1 -24 -143 0K 16K WAIT 0 0:00 0.00% swi6: vm
    36 root 1 -32 -151 0K 16K WAIT 0 0:00 0.00% swi4: ip6mismatch+
    35 root 1 -36 -155 0K 16K WAIT 0 0:00 0.00% swi3: ip6opt ipopt
    37 root 1 -44 -163 0K 16K WAIT 0 0:00 0.00% swi1: ipfwd
    17 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu5
    16 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu6
    15 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu7
    20 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu2
    13 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu9
    12 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu10
    11 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu11
    14 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu8
    19 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu3
    18 root 1 171 52 0K 16K CPU0 0 0:00 0.00% idle: cpu4


    root@srx> show chassis routing-engine
    Routing Engine status:
    Temperature 54 degrees C / 129 degrees F
    Total memory 1024 MB Max 563 MB used ( 55 percent)
    Control plane memory 560 MB Max 364 MB used ( 65 percent)
    Data plane memory 464 MB Max 204 MB used ( 44 percent)
    CPU utilization:
    User 16 percent
    Background 0 percent
    Kernel 10 percent
    Interrupt 0 percent
    Idle 74 percent
    Model RE-SRX210H
    Serial ID
    Start time 2015-06-12 00:37:59 CDT
    Uptime 1 hour, 41 minutes, 33 seconds
    Last reboot reason 0x200:chassis control reset
    Load averages: 1 minute 5 minute 15 minute
    0.22 0.48 1.12
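An added example (mine, not from the thread) that parses this `show system processes extensive` listing and ranks processes by accumulated CPU TIME rather than instantaneous WCPU, which is how ntpd's 52 minutes stands out even after its WCPU has dropped to 0.00%. The process rows are copied from the post above with their column whitespace restored.

```python
import re

# Constructed excerpt in the column layout of `show system processes extensive`
# (values copied from the post above; whitespace restored).
SAMPLE_TOP = """\
  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1100 root        5  76    0   499M 54888K select 0  90:17 142.04% flowd_octeon_hm
   22 root        1 171   52     0K    16K RUN    0   0:43   6.01% idle: cpu0
 1086 root        1  76    0  3080K  2088K select 0  52:17   0.00% ntpd
   23 root        1 -40 -159     0K    16K WAIT   0   3:35   0.00% swi2: net
 1130 nobody      4  76    0 10488K  4704K ucond  0   0:50   0.00% httpd
 1088 root        1  76    0 18812K 11644K select 0   0:16   0.00% snmpd
"""

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<thr>\d+)\s+(?P<pri>-?\d+)\s+"
    r"(?P<nice>-?\d+)\s+(?P<size>\S+)\s+(?P<res>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<cpu>\d+)\s+(?P<time>[\d:]+)\s+(?P<wcpu>[\d.]+)%\s+(?P<cmd>.+?)\s*$"
)

def parse_time(t):
    """Convert top's TIME column (MM:SS or H:MM:SS) to seconds."""
    secs = 0
    for part in t.split(":"):
        secs = secs * 60 + int(part)
    return secs

def parse_processes(text):
    """Yield (command, cpu_seconds, wcpu_percent) for each process row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield (m.group("cmd"), parse_time(m.group("time")), float(m.group("wcpu")))

def control_plane_hogs(text, top_n=3):
    """Rank control-plane processes by accumulated CPU time. Idle threads are
    skipped, as is flowd_octeon_hm: on branch SRX that is the data-plane
    process and routinely shows high WCPU here, so it is not the signal."""
    rows = [r for r in parse_processes(text)
            if not r[0].startswith("idle:") and r[0] != "flowd_octeon_hm"]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:top_n]

if __name__ == "__main__":
    for cmd, secs, wcpu in control_plane_hogs(SAMPLE_TOP):
        print(f"{cmd:<16} {secs // 60:>3}m{secs % 60:02d}s  now {wcpu:5.2f}%")
```

Pair the ranking with `show chassis routing-engine`, as in the post: that is the control-plane utilization figure, while top's WCPU for flowd is not.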



  • 15.  RE: Troubleshooting SRX210h High CPU Usage 100%

    Posted 06-12-2015 00:33

    Between Samc's URL for adding the ntp firewall and MarcB's lines of code, I was able to compile the following firewall rule which resolved my issue so far...


    root@srx# show firewall
    family inet {
        filter local_acl {
            term terminal_access {
                from {
                    address {
                        192.168.1.0/24;
                        10.10.0.0/24;
                    }
                    protocol [ tcp udp ];
                    port [ ssh telnet ntp ];
                }
                then accept;
            }
            term terminal_access_denied {
                from {
                    protocol [ tcp udp ];
                    port [ ssh telnet ntp ];
                }
                then {
                    discard;
                }
            }
            term default-term {
                then accept;
            }
        }
    }
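An added model of the local_acl filter above (my code, not Juniper's and not from the thread) that walks its terms in order for a few constructed packets, assuming Junos semantics where `address` matches the source or destination address and `port` matches the source or destination port. The SRX interface address 198.51.100.1 and the other addresses are RFC 5737 documentation values.

```python
import ipaddress

# Assumed Junos semantics: `address` matches source OR destination address,
# `port` matches source OR destination port, terms are tried top to bottom.
PORTS = {"ssh": 22, "telnet": 23, "ntp": 123}
MGMT_PORTS = set(PORTS.values())
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/24")]

def _mgmt_port(pkt):
    return pkt["proto"] in ("tcp", "udp") and bool({pkt["sport"], pkt["dport"]} & MGMT_PORTS)

def _trusted_addr(pkt):
    return any(pkt["src"] in net or pkt["dst"] in net for net in TRUSTED)

# (term name, match predicate, action), in the configured order
LOCAL_ACL = [
    ("terminal_access", lambda p: _trusted_addr(p) and _mgmt_port(p), "accept"),
    ("terminal_access_denied", _mgmt_port, "discard"),
    ("default-term", lambda p: True, "accept"),
]

def evaluate(proto, src, dst, sport, dport, terms=LOCAL_ACL):
    """Return (matching term, action) for one packet aimed at the RE."""
    pkt = {"proto": proto, "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(dst), "sport": sport, "dport": dport}
    for name, match, action in terms:
        if match(pkt):
            return name, action
    return None, "discard"  # a Junos filter ends with an implicit discard

if __name__ == "__main__":
    # Constructed sample packets; the SRX interface is taken to be 198.51.100.1
    cases = [
        ("tcp", "192.168.1.10", "198.51.100.1", 51000, 22),   # LAN host -> ssh
        ("udp", "203.0.113.7", "198.51.100.1", 40000, 123),   # Internet -> ntp
        ("udp", "192.0.2.20", "198.51.100.1", 123, 123),      # upstream NTP reply
        ("tcp", "203.0.113.7", "198.51.100.1", 40001, 443),   # Internet -> J-Web
    ]
    for c in cases:
        print(c, "->", evaluate(*c))
```

The third case is the caveat: because `port` matches either direction, replies from an upstream NTP server outside the two trusted subnets are discarded as well, so that server's address belongs in the accept term; the fourth shows that J-Web (443) is still reachable from anywhere under default-term.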