In Junos, SSH listens on its default port, TCP 22. At the time of writing, Juniper's recommended Junos OS release for the SRX100 through SRX240 and the SRX650 is 11.4R5.5, and as of that release Junos has no option to move SSH to a different port. Because port 22 is the only way in, an Internet-facing SRX collects a steady stream of brute-force attempts against it. A brute-force attack is a password attack that repeatedly tries username and password combinations until one succeeds. The good news is that even though we cannot change the SSH port, we can block SSH login attacks on Juniper SRX devices, and that is what this article shows.
Block SSH Login Attack in Juniper SRX
To block SSH login attacks, create a firewall filter and apply it to the loopback interface (lo0). First decide which trusted IP addresses will be allowed to SSH to the device, then put them in a prefix-list under [edit policy-options].
[edit policy-options]
root@SRX240# edit prefix-list Trusted_IP_Address
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 111.11.1.1/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 22.2.2.2/32
[edit policy-options prefix-list Trusted_IP_Address]
root@SRX240# set 33.3.3.3/32
Now create the firewall filter. We will name it sshFilter. Its first term, Trusted_SSH_Login, matches TCP traffic to the SSH port from every source except the addresses in the trusted prefix-list (note the except keyword) and discards it.
[edit firewall family inet filter sshFilter]
root@SRX240# edit term Trusted_SSH_Login
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from source-prefix-list Trusted_IP_Address except
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from protocol tcp
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set from destination-port ssh
[edit firewall family inet filter sshFilter term Trusted_SSH_Login]
root@SRX240# set then discard
Now add the final term, Allow_Everything_Else, whose only action is then accept. Do not forget it: a Junos firewall filter ends with an implicit discard, so without a closing accept term the filter drops every other packet destined to the Routing Engine, including your own management sessions, and you will find yourself locked out. Committing with commit confirmed gives you a safety net, since Junos rolls the change back automatically if you do not confirm it in time.
You can view the firewall filter with the show command under the [edit firewall family inet filter sshFilter] hierarchy:
[edit firewall family inet filter sshFilter]
root@SRX210# show
term Trusted_SSH_Login {
    from {
        source-prefix-list {
            Trusted_IP_Address except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then discard;
}
term Allow_Everything_Else {
    then accept;
}
Now apply the firewall filter to the loopback interface (lo0) in the input (inbound) direction.
[edit]
root@SRX210# set interfaces lo0 unit 0 family inet filter input sshFilter
A filter on lo0 is evaluated against every packet addressed to the device itself, whichever physical interface it arrived on, so untrusted SSH attempts are discarded before they ever reach the SSH daemon and the device never spends a login attempt on them. On the SRX, the security zone's host-inbound-traffic system-services setting still decides whether SSH is reachable at all; the lo0 filter narrows who may use it.
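The whole procedure above, collected into set-command form, as an added example rather than the post's own configuration. It can be pasted into configure mode, and it adds two things a practitioner usually wants that the post does not show: a counter and log action on the discard term so blocked attempts are visible, and a commit confirmed so a mistake cannot lock you out. The trusted addresses, the counter name ssh_discards and the hostname are placeholders of mine; replace the prefix-list entries with your own management addresses before committing. Comment lines starting with # are annotations for the reader, not configuration.

```junos
# Added example: set-format version of the sshFilter configuration.
# Assumptions: the three addresses are placeholders, the counter name ssh_discards
# is our choice, and the security zone already permits ssh as host-inbound traffic.

# 1. Trusted sources (replace with your real management addresses).
set policy-options prefix-list Trusted_IP_Address 111.11.1.1/32
set policy-options prefix-list Trusted_IP_Address 22.2.2.2/32
set policy-options prefix-list Trusted_IP_Address 33.3.3.3/32

# 2. Discard SSH from everyone except the trusted list; count and log what is dropped.
set firewall family inet filter sshFilter term Trusted_SSH_Login from source-prefix-list Trusted_IP_Address except
set firewall family inet filter sshFilter term Trusted_SSH_Login from protocol tcp
set firewall family inet filter sshFilter term Trusted_SSH_Login from destination-port ssh
set firewall family inet filter sshFilter term Trusted_SSH_Login then count ssh_discards
set firewall family inet filter sshFilter term Trusted_SSH_Login then log
set firewall family inet filter sshFilter term Trusted_SSH_Login then discard

# 3. The final accept term. Without it the filter's implicit discard drops all other
#    traffic to the Routing Engine and you lose management access.
set firewall family inet filter sshFilter term Allow_Everything_Else then accept

# 4. Apply on lo0 so the filter covers host-bound traffic arriving on any interface.
set interfaces lo0 unit 0 family inet filter input sshFilter

# 5. Commit with a safety net: if you do not confirm within 5 minutes (for example
#    because you locked yourself out), Junos rolls the change back on its own.
commit confirmed 5
# ... open a fresh SSH session from a trusted address; if it works, confirm:
commit

# 6. Verify from configure mode that untrusted attempts are being dropped.
run show firewall filter sshFilter
run show firewall log
```

The counter in show firewall filter sshFilter grows with every discarded SSH attempt, which is a quick way to see how much brute-force traffic the device is absorbing; show firewall log lists the most recent source addresses that hit the log action.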
There is another way to control login attempts on Juniper devices: limit the number of failed attempts per connection and slow down repeated failures. This configuration applies to every user who logs in to the device and is done under the [edit system login retry-options] hierarchy.
[edit system login retry-options]
user@host# set tries-before-disconnect 10
This is the number of password attempts a user gets before the connection is dropped. 10 is the Junos default, so a smaller value is stricter.
user@host# set backoff-threshold 2
This is the number of failed attempts before a delay is imposed.
user@host# set backoff-factor 5
Once the threshold is reached, each further attempt waits backoff-factor seconds longer than the previous one: the third attempt is delayed 5 seconds, the next 10, and so on.
user@host# set minimum-time 20
This is the minimum time, in seconds, that the connection stays open while the user is still trying to enter a valid password.
Keep in mind that these limits apply per connection: an attacker who is disconnected can simply reconnect, so use them together with the lo0 filter above rather than instead of it.
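As an added example rather than the post's own configuration, the stanza below tightens the retry-options shown above: the default tries-before-disconnect of 10 is lowered to 3, the other values stay as in the post, and the comments spell out how the backoff plays out for one connection. The value 3 is a suggestion of mine; check the range your release accepts with the ? key. Comment lines starting with # are annotations, not configuration.

```junos
# Added example: stricter retry-options than the post's values.
# Weak setting: tries-before-disconnect 10 (the Junos default; the post keeps it).
# Corrected: drop the connection after the third failure.
set system login retry-options tries-before-disconnect 3

# First two failures are answered immediately...
set system login retry-options backoff-threshold 2

# ...after that every further attempt waits backoff-factor seconds longer than the
# previous one. For one connection with the values here:
#   failure 1: no delay
#   failure 2: no delay
#   attempt 3: delayed 5 s; if it fails too, the session is disconnected (3 tries)
set system login retry-options backoff-factor 5

# Keep the session open at least 20 s while a password is still being entered.
set system login retry-options minimum-time 20
commit

# Confirm what is active.
run show configuration system login retry-options
```

The delays only cost the attacker time within a single session; the lo0 filter is what stops untrusted sources from opening sessions in the first place.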
Posted by Bipin.