Block SSH Login Attack in Juniper SRX


In Junos OS, SSH listens on its default port, TCP 22. At the time of writing, the Juniper recommended Junos OS release for the SRX100 through SRX240 and the SRX650 was 11.4R5.5, and that release offered no knob for moving SSH to a different port. Because an SRX that is reachable from untrusted networks therefore always exposes SSH on the one port every scanner tries first, it attracts a steady stream of brute-force attempts. A brute-force attack is a password attack that tries many username and password combinations, usually from wordlists, until one succeeds. The good news is that even though the port cannot be changed, you can block these SSH login attempts on a Juniper SRX, and that is what this article shows.

To block the SSH login attack, create a firewall filter and apply it to the loopback interface. A filter on lo0 governs host-inbound traffic, that is, traffic addressed to the device itself, regardless of which physical interface it arrives on, so one filter protects every management path. Start by listing the trusted IP addresses that are allowed to reach the device and put them in a prefix-list under policy-options.

[edit policy-options]
root@SRX240# edit prefix-list Trusted_IP_Address
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 111.11.1.1/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 22.2.2.2/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 33.3.3.3/32

Now create the firewall filter, named sshFilter here. The first term, Trusted_SSH_Login, discards TCP traffic to port 22 whose source is not in the trusted prefix-list: the except keyword inverts the prefix-list match, so the term matches every SSH source except the trusted addresses.

[edit firewall family inet filter sshFilter]
root@SRX240# edit term Trusted_SSH_Login
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from source-prefix-list Trusted_IP_Address except
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from protocol tcp
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from destination-port ssh
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set then discard

Now add the final term that accepts everything else. A Junos firewall filter ends with an implicit discard, so without this term every other packet addressed to the device, including routing protocol sessions, NTP, DNS and even SSH from the trusted addresses, would be dropped and you would lock yourself out.

[edit firewall family inet filter sshFilter term Allow_Everything_Else]
root@SRX240# set then accept

You can view the firewall filter by typing the show command under the [edit firewall family inet filter sshFilter] hierarchy:

[edit firewall family inet filter sshFilter]
root@SRX240# show
term Trusted_SSH_Login {
    from {
        source-prefix-list {
            Trusted_IP_Address except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then discard;
}
term Allow_Everything_Else {
    then accept;
}

Now apply the firewall filter to the loopback interface (lo0) in the input direction:

[edit]
root@SRX240# set interfaces lo0 unit 0 family inet filter input sshFilter

Because a mistake in an lo0 filter can cut off your own access, commit it with commit confirmed, which rolls the change back automatically unless you confirm it within the timeout, and test a login from a trusted and from an untrusted address before confirming. The filter is family inet, so it covers IPv4 only; if the device has IPv6 addresses, build the equivalent family inet6 filter and apply it under family inet6 on lo0.

Firewall filters stop the attack at the earliest possible point. The filter is stateless and is evaluated on host-bound packets before the SSH daemon ever sees the connection, so discarded attempts consume no sshd resources and produce no login-failure log entries.
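To make the filter semantics concrete, here is an added example written for this article; it is not Junos code and not from Juniper's documentation. It is a small Python model of how Junos evaluates the sshFilter above: terms are tried first-match in order, a term matches only when all of its from conditions match, except on a prefix-list inverts that condition, and a packet matching no term hits the implicit final discard. It encodes the page's prefix-list and two terms and runs constructed sample packets through both the correct filter and the "forgot the accept term" variant. Packet, Term, evaluate and the 198.51.100.0/24 sample addresses are the example's own names and constructed data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative simulator of Junos stateless-filter evaluation for the
# article's sshFilter. Not Junos itself: it models first-match term
# order, all-conditions-must-match within a term, the prefix-list
# "except" inversion, and the implicit final discard.


@dataclass
class Packet:
    src: str            # source IPv4 address
    dst_port: int       # destination TCP/UDP port
    protocol: str = "tcp"


@dataclass
class Term:
    name: str
    action: str                            # "accept" or "discard"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_prefix_list: Optional[str] = None
    src_except: bool = False               # the Junos "except" keyword


PrefixLists = Dict[str, List[ipaddress.IPv4Network]]

# The prefix-list from the article (addresses as given on the page).
PREFIX_LISTS: PrefixLists = {
    "Trusted_IP_Address": [
        ipaddress.ip_network(p)
        for p in ("111.11.1.1/32", "22.2.2.2/32", "33.3.3.3/32")
    ],
}

# The two-term sshFilter from the article.
SSH_FILTER: List[Term] = [
    Term("Trusted_SSH_Login", "discard", protocol="tcp", dst_port=22,
         src_prefix_list="Trusted_IP_Address", src_except=True),
    Term("Allow_Everything_Else", "accept"),
]

# The mistake the article warns about: the same filter without the
# final accept term.
SSH_FILTER_NO_ACCEPT: List[Term] = SSH_FILTER[:1]


def term_matches(term: Term, pkt: Packet, prefix_lists: PrefixLists) -> bool:
    """Every configured 'from' condition of a term must match."""
    if term.protocol is not None and term.protocol != pkt.protocol:
        return False
    if term.dst_port is not None and term.dst_port != pkt.dst_port:
        return False
    if term.src_prefix_list is not None:
        addr = ipaddress.ip_address(pkt.src)
        in_list = any(addr in net for net in prefix_lists[term.src_prefix_list])
        # Without 'except' the condition is "source in list";
        # with 'except' it is "source not in list".
        if in_list == term.src_except:
            return False
    return True


def evaluate(filter_terms: List[Term], pkt: Packet,
             prefix_lists: PrefixLists = PREFIX_LISTS) -> str:
    """Return the action the filter takes: the first matching term wins,
    and a packet that matches no term is discarded (implicit final term)."""
    for term in filter_terms:
        if term_matches(term, pkt, prefix_lists):
            return term.action
    return "discard"


if __name__ == "__main__":
    # Constructed sample host-bound packets (198.51.100.0/24 is a
    # documentation range standing in for an unknown Internet host).
    samples = [
        Packet("22.2.2.2", 22),          # trusted admin, SSH
        Packet("198.51.100.7", 22),      # unknown host, SSH (brute-forcer)
        Packet("198.51.100.7", 179),     # unknown host, BGP peer
        Packet("22.2.2.2", 123, "udp"),  # trusted host, NTP
    ]
    for name, terms in (("sshFilter", SSH_FILTER),
                        ("sshFilter without final accept", SSH_FILTER_NO_ACCEPT)):
        print(f"--- {name}")
        for p in samples:
            print(f"{p.src:>14} {p.protocol}/{p.dst_port:<5} -> {evaluate(terms, p)}")
```

With the full filter, SSH from 22.2.2.2 is accepted, SSH from 198.51.100.7 is discarded, and the BGP and NTP packets pass untouched. With the accept term removed, every sample packet, including the trusted admin's SSH session, falls through to the implicit discard, which is exactly the lockout the article warns about.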

There is another way to control login attempts on Juniper devices: limiting the number of failed attempts per connection and slowing down repeated failures. This applies to every user logging in to the device and is configured under the [edit system login retry-options] hierarchy:

[edit system login retry-options]
user@host# set tries-before-disconnect 10
user@host# set backoff-threshold 2
user@host# set backoff-factor 5
user@host# set minimum-time 20

tries-before-disconnect is the number of password attempts a user is allowed before the connection is closed (10 here). backoff-threshold is the number of failed attempts after which a delay is imposed before the next prompt (2). backoff-factor is the length of that delay in seconds; it grows by this amount for each further failure (5). minimum-time is how long, in seconds, the user has to enter credentials once prompted (20).

Note that retry-options only throttles attempts within a single connection; an attacker can simply open a new connection after each disconnect. Treat it as a complement to the lo0 filter above, which is the primary control, rather than a replacement for it.
 
Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. Bipin enjoys writing articles and tutorials related to network technologies. Some of his certifications are MCSE: Messaging, JNCIP-SEC, JNCIS-ENT, and others.