Hi there. I searched high and low for a simple "how to" to drop brute force stuff. I've got a customer with bare RDP exposed to the world and was getting all sorts of random brute force attempts. I just wanted this:
if $src connects to 3389 $x times in one minute; then
drop traffic from $src for $y time
I figured it out and in hindsight it's not complicated, but I'm new to Junos (but it's comfy), SRXes (which are bugging me a little), and Juniper IDP (also a little irritating without NSM, apparently...)
So, I thought I'd post this here for other googlers (rule 1 isn't specific to this)
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match from-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match source-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match to-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match destination-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match application default
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match attacks predefined-attack-groups Critical
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then severity critical
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match from-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match source-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match to-zone any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match destination-address any
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match application default
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match attacks custom-attacks MY:RDP:CON:RATE-LIMIT
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then action close-client-and-server
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action ip-close
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action target source-address
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action timeout 30
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then notification log-attacks alert
set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then severity major
set security idp active-policy simple-idp-policy
set security idp custom-attack MY:RDP:CON:RATE-LIMIT severity major
set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding count 3
set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding scope source
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature context first-data-packet
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature pattern .*
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature direction client-to-server
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port match equal
set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port value 3389
set security idp traceoptions file size 10m
set security idp traceoptions flag all
set security idp traceoptions level all
set security idp sensor-configuration log suppression disable
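As an added illustration (not part of the original post and not Juniper code), the Python below models how the custom attack's time-binding (count 3, scope source) and rule 2's ip-action timeout 30 behave together on a stream of inbound connections. It assumes a 60-second time-binding window and that only connections which send a first client data packet match the first-data-packet signature; the event list and IP addresses are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW = 60      # assumed time-binding window in seconds (not stated in the post)
COUNT = 3        # time-binding count 3
BLOCK_SECS = 30  # ip-action timeout 30
PORT = 3389      # tcp destination-port value 3389


def simulate(events, window=WINDOW, count=COUNT, block_secs=BLOCK_SECS, port=PORT):
    """events: iterable of (ts, src, dst_port, sends_data).
    Returns a list of (ts, src, verdict) in time order, where verdict is one of
    'allowed', 'close-and-ip-action' (rule 2 fires) or 'ip-action-drop'
    (source still inside the ip-action timeout)."""
    hits = defaultdict(deque)   # per-source timestamps of signature matches
    blocked_until = {}          # per-source expiry of the ip-action entry
    verdicts = []
    for ts, src, dport, sends_data in sorted(events):
        if src in blocked_until and ts < blocked_until[src]:
            verdicts.append((ts, src, "ip-action-drop"))
            continue
        # Assumption: a bare SYN with no client data never reaches the
        # first-data-packet context, so it is not counted by the signature.
        if dport != port or not sends_data:
            verdicts.append((ts, src, "allowed"))
            continue
        q = hits[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the 60s window
            q.popleft()
        if len(q) >= count:
            blocked_until[src] = ts + block_secs
            q.clear()
            verdicts.append((ts, src, "close-and-ip-action"))
        else:
            verdicts.append((ts, src, "allowed"))
    return verdicts


def sample_events():
    """Constructed traffic: a brute-forcer, a legitimate user and a SYN scanner."""
    return [
        (0, "203.0.113.5", 3389, True), (10, "203.0.113.5", 3389, True),
        (20, "203.0.113.5", 3389, True),   # third hit within 60s: rule 2 fires
        (25, "203.0.113.5", 3389, True),   # inside the 30s ip-action timeout
        (60, "203.0.113.5", 3389, True),   # timeout expired, counter restarted
        (5, "198.51.100.7", 3389, True), (70, "198.51.100.7", 3389, True),
        (140, "198.51.100.7", 3389, True), # one logon per minute stays under count
        (1, "203.0.113.9", 3389, False), (2, "203.0.113.9", 3389, False),
        (3, "203.0.113.9", 3389, False),   # SYN-only probes: no data packet, not counted
    ]
```

Lowering the count or raising the ip-action timeout in the constants shows how quickly the legitimate user would start to be caught as well.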