SRX Services Gateway

Who is this trying to access my SRX from strange IPs??

12-16-2014 09:47 PM

Hello Team,

I see this in the log messages. Is someone trying to access my SRX without my knowledge??

SP-LAN-FIREWALL sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '112.216.65.78'
Dec 16 06:55:12 SP-LAN-FIREWALL sshd[13551]: Failed password for root from 112.216.65.78 port 37787 ssh2
Dec 16 06:55:13 SP-LAN-FIREWALL sshd[13552]: Received disconnect from 112.216.65.78: 11: Bye Bye
Dec 16 06:55:16 SP-LAN-FIREWALL sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '112.216.65.78'
Dec 16 06:55:16 SP-LAN-FIREWALL sshd[13554]: Failed password for root from 112.216.65.78 port 38814 ssh2
Dec 16 06:55:17 SP-LAN-FIREWALL sshd[13555]: Received disconnect from 112.216.65.78: 11: Bye Bye
Dec 16 06:55:20 SP-LAN-FIREWALL sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '112.216.65.78'
Dec 16 06:55:20 SP-LAN-FIREWALL sshd[13556]: Failed password for root from 112.216.65.78 port 39645 ssh2
Dec 16 06:55:21 SP-LAN-FIREWALL sshd[13557]: Received disconnect from 112.216.65.78: 11: Bye Bye
Dec 16 06:55:24 SP-LAN-FIREWALL sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '112.216.65.78'
Dec 16 06:55:24 SP-LAN-FIREWALL sshd[13558]: Failed password for root from 112.216.65.78 port 40523 ssh2
Dec 16 06:55:25 SP-LAN-FIREWALL sshd[13559]: Received disconnect from 112.216.65.78: 11: Bye Bye
Dec 16 06:55:29 SP-LAN-FIREWALL sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '112.216.65.78'
Dec 16 06:55:29 SP-LAN-FIREWALL sshd[13560]: Failed password for root from 112.216.65.78 port 41482 ssh2

I have disabled SSH access on the UNTRUST ZONE and am still getting these messages.

9 REPLIES
Re: Who is this trying to access my SRX from strange IPs??

12-16-2014 10:03 PM

Disabling SSH under the zone is not enough. Please use firewall filters as in the URL below to protect the RE.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19844

Thanks,
Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: Who is this trying to access my SRX from strange IPs??

12-18-2014 11:03 PM

It does not stop someone from trying, and the system is letting you know someone is trying. GeoIP location says this IP address is located in Seoul, S. Korea, LG Dacom Corp.

Create a firewall filter as suggested and discard SSH traffic originating from

IP Range - Start 112.216.0.0
IP Range - End 112.223.255.255

If you have no business dealings with that part of the world, then discard all traffic originating from that block of IPs.

http://www.dnsstuff.com/tools#ipInformation|type=ipv4&&value=112.216.65.78

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: Who is this trying to access my SRX from strange IPs??

12-19-2014 11:13 AM

Hello

set system services ssh root-login deny

This will deny all root login attempts; the only way to use root at this point will be the console.

Re: Who is this trying to access my SRX from strange IPs??

12-19-2014 02:07 PM

rsuraj has the right answer here.  Something that people who are new to SRX and Juniper in general often don't know is that even if you disable services in zones or on interfaces in zones, you still should have a filter applied to your loopback interface to protect your routing engine.  While blocking specific IP addresses and denying root-login are both good suggestions, these are things that can be done in addition to, not in place of, a filter on the lo0 interface, even if lo0 doesn't have an IP address on it.
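What the two replies above amount to in Junos set commands, as an added example (this is not text from KB19844 or from anyone in this thread): a loopback filter that accepts SSH only from an assumed management prefix list, counts, logs and discards every other SSH packet before sshd ever sees it, leaves all other traffic alone so IKE, routing protocols and DHCP keep working, and adds the root-login deny on top. The prefix 192.0.2.0/24, the filter name PROTECT-RE, the prefix list MGMT-HOSTS and the term and counter names are placeholders.

```junos
## Added example (not text from KB19844 or from this thread). Assumed
## placeholders: prefix 192.0.2.0/24, filter PROTECT-RE, prefix-list
## MGMT-HOSTS, term and counter names. Comment lines are for the reader;
## drop them before pasting into configuration mode.

## Management hosts that may reach the RE over SSH
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24

## Term 1: SSH from the management prefix list is accepted
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH then accept

## Term 2: every other SSH packet is counted, logged and discarded inside the
## filter. sshd never sees the connection, so no SSHD_LOGIN_FAILED is produced.
set firewall family inet filter PROTECT-RE term DISCARD-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term DISCARD-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term DISCARD-SSH then count SSH-DISCARDS
set firewall family inet filter PROTECT-RE term DISCARD-SSH then log
set firewall family inet filter PROTECT-RE term DISCARD-SSH then discard

## Term 3: deliberately permissive. This filter only deals with SSH; tighten
## the final term only once every protocol the RE must accept (IKE, OSPF/BGP,
## DHCP, NTP, ...) has its own accept term, or you can lock yourself out.
set firewall family inet filter PROTECT-RE term ALLOW-EVERYTHING-ELSE then accept

## Apply inbound on lo0. The filter takes effect even when lo0 has no address.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## In addition, not instead: no root over SSH at all (console only), and a cap
## on SSH connection attempts per minute
set system services ssh root-login deny
set system services ssh rate-limit 5
```

Commit it with `commit confirmed 5` from a session that originates inside MGMT-HOSTS; if that session is cut off, the change rolls back by itself. Afterwards `show firewall filter PROTECT-RE` shows the SSH-DISCARDS counter climbing and `show firewall log` shows the dropped sources, while the SSHD_LOGIN_FAILED lines from non-management addresses stop. The range suggested in the earlier reply, 112.216.0.0 to 112.223.255.255, is exactly 112.216.0.0/13 and could be added as its own discard term with `from source-address 112.216.0.0/13` if you want to drop everything from that block rather than just SSH.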

Re: Who is this trying to access my SRX from strange IPs??

12-20-2014 04:51 AM

Hi All

 

Although I agree that the lo0 firewall filter is useful, it's a huge surprise for me to hear that disabling (= not enabling) SSH on the untrust zone did not stop these attempts. This is not the way host-inbound-traffic filters are supposed to work. Can you post the untrust zone config here?

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
Re: Who is this trying to access my SRX from strange IPs??

12-20-2014 05:54 AM

That's actually a very good point, pk, and I'm embarrassed that I didn't even notice it.

 

My guess is that SSH is disabled in the zone config, but perhaps there's a more specific interface configuration in the untrust zone that does not specifically disable SSH.
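The situation this reply guesses at, as an added example rather than the poster's real configuration (the thread never shows it): a zone-level host-inbound-traffic list that omits SSH, undone by a per-interface host-inbound-traffic stanza, which in Junos replaces the zone list for that interface. The interface name ge-0/0/0.0 and the service lists are assumptions.

```junos
## Added example of the guess above, not the poster's configuration (which the
## thread does not show). ge-0/0/0.0 and the service lists are assumptions.

## Zone level: SSH is simply not listed, which is what "disabled SSH on the
## untrust zone" normally means
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0

## The trap: a host-inbound-traffic stanza under the interface REPLACES the
## zone list for that interface. With "all" here, SSH (and every other service)
## is reachable on ge-0/0/0.0 no matter what the zone level says.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

## Fix, option A: drop the per-interface override so the zone list applies again
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic

## Fix, option B: if the interface really needs its own list, keep it explicit
## and leave ssh out of it (applying B after A yields this explicit list)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
```

To check for this on a live box, look at `show configuration security zones security-zone untrust` and see whether any interface under `interfaces { ... }` carries its own `host-inbound-traffic` block; if it does, that block, not the zone-level one, decides what that interface accepts. The confirming test is the one a later reply suggests: from a host on the untrust side, `ssh root@<untrust address>` should get no password prompt at all (the connection is refused or times out), because a prompt means sshd was reached and an SSHD_LOGIN_FAILED line will follow.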

Re: Who is this trying to access my SRX from strange IPs??

12-20-2014 10:49 AM

hi all,

 

"Although I agree that lo0 firewall filter is useful, its a huge surprise for me to hear that disabling (= not enabling) SSH on the untrust zone did not stop these attempts."

I need a little help understanding how what he does on the firewall affects what external users try to do. If he is not allowing protocol/port SSH from the untrusted zone, and applying firewall filters, then that does not stop people from trying to penetrate his firewall with SSH and whatever else they want to try. I agree looking at the config would help, but it still does not prevent the "attempts". It seems to be working and logging the effort, so that's a positive. Now he could try to log in with the root account and see if he is successful. Now that would be a sure test.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: Who is this trying to access my SRX from strange IPs??

12-20-2014 11:12 AM

Perhaps a more accurate way of putting this is to prevent these log messages rather than the attempts.

These logs can only be generated if you successfully get the login prompt and fail login using root.

The point is that if the zone does not have ssh on host inbound services, no prompt is given, hence no log could be generated.  Thus we suspect that the zone configuration is in some way incorrect per the desired effect.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: Who is this trying to access my SRX from strange IPs??

12-20-2014 11:14 AM

Thank you sir. Awesome.
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]