SRX Services Gateway

drop brute force attacks with IDP example

‎06-23-2011 10:36 PM

Hi there.  I searched high and low for a simple "how to" to drop brute force stuff.  I've got a customer with bare RDP exposed to the world and was getting all sorts of random brute force attempts.  I just wanted this:

if $src connects to 3389 $x times in one minute; then
  drop traffic from $src for $y time

I figured it out and in hindsight it's not complicated, but I'm new to junos (but it's comfy), SRXes (which are bugging me a little), and juniper IDP (also a little irritating without NSM apparently...)

So, I thought I'd post this here for other googlers (rule 1 isn't specific to this)

set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match from-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match source-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match to-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match destination-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match application default
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match attacks predefined-attack-groups Critical
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then severity critical
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match from-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match source-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match to-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match destination-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match application default
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match attacks custom-attacks MY:RDP:CON:RATE-LIMIT
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then action close-client-and-server
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action ip-close
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action target source-address
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action timeout 30
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then notification log-attacks alert
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then severity major
set security idp active-policy simple-idp-policy
set security idp custom-attack MY:RDP:CON:RATE-LIMIT severity major
set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding count 3
set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding scope source
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature context first-data-packet
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature pattern .*
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature direction client-to-server
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port match equal
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port value 3389
set security idp traceoptions file size 10m
set security idp traceoptions flag all
set security idp traceoptions level all
set security idp sensor-configuration log suppression disable
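As an added illustration (not Juniper's code and not from the original post), here is a short Python model of what rule 2 plus the custom attack above are meant to do: count client-to-server first-data-packets to tcp/3389 per source (time-binding scope source), and once count 3 is reached apply the ip-close against every new session from that source for the 30-second ip-action timeout. The 60-second counting window is an assumption about how time-binding counts hits; the sample events are constructed, not captured traffic.

```python
from collections import defaultdict, deque

# Thresholds taken from the configuration in the post.
COUNT = 3            # custom-attack ... time-binding count 3
BLOCK_TIMEOUT = 30   # rule 2 then ip-action timeout 30 (seconds)
RDP_PORT = 3389      # signature protocol tcp destination-port value 3389
WINDOW = 60          # assumption: time-binding hits are counted within a one-minute window


class RdpRateLimiter:
    """Per-source hit counter (time-binding scope source) plus a per-source block list (ip-action)."""

    def __init__(self, count=COUNT, window=WINDOW, timeout=BLOCK_TIMEOUT):
        self.count = count
        self.window = window
        self.timeout = timeout
        self.hits = defaultdict(deque)   # src -> timestamps of tcp/3389 first-data-packets
        self.blocked_until = {}          # src -> time at which the ip-action expires

    def handle(self, ts, src, dport):
        """Verdict for one new client-to-server session: 'permit', 'close' or 'blocked'."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                # ip-action target source-address: every new session from this source
                # is closed, whatever the destination port, until the timeout expires.
                return "blocked"
            del self.blocked_until[src]
        if dport != RDP_PORT:
            return "permit"              # the signature only matches tcp/3389
        window_hits = self.hits[src]
        window_hits.append(ts)
        while window_hits[0] <= ts - self.window:
            window_hits.popleft()        # forget hits older than the window
        if len(window_hits) >= self.count:
            # Threshold reached: close-client-and-server on this session and
            # install ip-close against the source for `timeout` seconds.
            self.blocked_until[src] = ts + self.timeout
            window_hits.clear()
            return "close"
        return "permit"


# Constructed sample: (seconds, source IP, destination port) for new sessions
# in which the client has already sent its first data packet.
EVENTS = [
    (0,   "203.0.113.7",  3389),   # 1st RDP attempt
    (10,  "203.0.113.7",  3389),   # 2nd
    (20,  "203.0.113.7",  3389),   # 3rd within 60 s -> close + ip-close for 30 s
    (25,  "203.0.113.7",  3389),   # inside the block window
    (30,  "198.51.100.9", 3389),   # other source, its own counter (scope source)
    (45,  "203.0.113.7",  443),    # not RDP, but still blocked by the ip-action
    (55,  "203.0.113.7",  3389),   # block expired at t=50, counter starts again
    (130, "198.51.100.9", 3389),   # the hit at t=30 is now outside the window
    (140, "198.51.100.9", 3389),   # only two hits in the last 60 s
]


def simulate(events, **kwargs):
    """Run the events through one limiter and return the verdict per event."""
    limiter = RdpRateLimiter(**kwargs)
    return [limiter.handle(ts, src, dport) for ts, src, dport in events]


if __name__ == "__main__":
    for (ts, src, dport), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"t={ts:3d} {src:<14} dport={dport:<5} {verdict}")
```

Two points the model makes explicit that the config only implies: the block is per source, so a second attacker gets its own counter; and because the ip-action targets source-address, the 30-second block covers all new sessions from that IP, not just RDP. The model also only counts sessions in which the client sent data, because the signature uses context first-data-packet; a bare TCP handshake with no client payload does not match pattern .* and would not be counted.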


Re: drop brute force attacks with IDP example

‎09-22-2017 09:38 AM

I know this is an old post but I don't care.  Helped me a ton.  Kudos to you

Ryan


Re: drop brute force attacks with IDP example

‎09-22-2017 09:48 AM

[edit system login retry-options]

- backoff-threshold (1-3): how many incorrect login attempts are allowed before the delay time is increased, as set by:
- backoff-factor (1-10 seconds): how long to wait before presenting the user with a login prompt
- tries-before-disconnect: the number of incorrect login attempts to allow before terminating the telnet/ssh session and allowing the user to connect again
- lockout-period: how long (in minutes) to lock out a user account before enabling that account again; see "show system login lockout"
