ywg posted on 2018-7-27 11:56:10

Juniper SSH Protection

  Many customers' firewalls have probably been hacked at some point, especially Netscreen devices, whose factory login is netscreen/netscreen.
  On the SRX the default login user is root, and plenty of people probe the device over SSH in the same way. If you have syslog configured,
  a `show log messages` in the CLI will easily turn up messages like the ones below. Here are a few basic SSH protections:
  1. Restrict ordinary SSH logins;
  2. Permit or deny SSH from specific source/destination addresses on the loopback interface;
  3. Change the default SSH port.

  Nov 11 23:05:01 TB-RD-FW-P newsyslog: logfile turned over due to
  Nov 11 23:05:06 TB-RD-FW-P sshd: Received disconnect from 61.143.139.10: 11: Bye Bye
  Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
  Nov 11 23:05:07 TB-RD-FW-P sshd: Failed password for root from 61.143.139.10 port 35569 ssh2
  Nov 11 23:05:12 TB-RD-FW-P sshd: Received disconnect from 61.143.139.10: 11: Bye Bye
  Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
  Nov 11 23:05:13 TB-RD-FW-P sshd: Failed password for root from 61.143.139.10 port 39821 ssh2
  Nov 11 23:05:19 TB-RD-FW-P sshd: Received disconnect from 61.143.139.10: 11: Bye Bye
  Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
  Nov 11 23:05:20 TB-RD-FW-P sshd: Failed password for root from 61.143.139.10 port 44476 ssh2
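  As an added example (not part of the original post), the script below parses SSHD_LOGIN_FAILED lines in the format shown above, counts failures per source address and per minute, and flags any source whose failures in one minute exceed the post's `ssh rate-limit 3`. The log lines embedded in it are constructed in that format; the hostname and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the Junos sshd syslog format shown in the post.
SAMPLE_LOG = """\
Nov 11 23:05:06 TB-RD-FW-P sshd: Received disconnect from 61.143.139.10: 11: Bye Bye
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd: Failed password for root from 61.143.139.10 port 35569 ssh2
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:27 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:06:02 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '10.200.255.7'
"""

# Matches only the SSHD_LOGIN_FAILED event; "sshd[pid]:" is accepted as well as "sshd:".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd(?:\[\d+\])?: "
    r"SSHD_LOGIN_FAILED: Login failed for user '(?P<user>[^']*)' from host '(?P<src>[^']+)'"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, source) for every SSHD_LOGIN_FAILED line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("src")))
    return events


def failures_by_source(events):
    """Total failures per source, and the set of usernames each source tried."""
    per_src = defaultdict(int)
    users = defaultdict(set)
    for _, user, src in events:
        per_src[src] += 1
        users[src].add(user)
    return dict(per_src), {s: sorted(u) for s, u in users.items()}


def failures_per_minute(events):
    """Failures per (source, minute); the minute key drops the seconds, e.g. 'Nov 11 23:05'."""
    counts = defaultdict(int)
    for ts, _, src in events:
        counts[(src, ts[:-3])] += 1
    return dict(counts)


def flag_sources(per_minute, limit=3):
    """Sources that exceeded `limit` failures in any single minute (cf. `ssh rate-limit 3`)."""
    return sorted({src for (src, _), n in per_minute.items() if n > limit})
</test>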
  Let's start with the first method, which is simple and effective. The basic configuration:
  set system services ssh root-login deny                >>>>>>>> deny root login
  set system services ssh connection-limit 3             >>>>>>>> at most 3 concurrent sessions
  set system services ssh rate-limit 3                   >>>>>>>> at most 3 connection attempts per minute
  set system login retry-options minimum-time 30         >>>>>>>> wait time after a failed login
  set system login retry-options maximum-time 100        >>>>>>>> how long the device waits during a login
  set system login retry-options lockout-period 30       >>>>>>>> lockout time
  The Junos loopback interface has several roles. On Cisco it is generally used as the router-id for dynamic routing; on Juniper it can also serve as the interface between the data plane and the control plane.
  When we enable protection on the loopback interface, it defends very effectively against attacks on NTP, SSH and the like.
  The basic configuration:
  set interfaces lo0 unit 0 family inet filter input RE-protection
  set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
  set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
  set firewall family inet filter RE-protection term alw-ssh from protocol tcp
  set firewall family inet filter RE-protection term alw-ssh from port ssh
  set firewall family inet filter RE-protection term alw-ssh then accept
  set firewall family inet filter RE-protection term deny-ssh from protocol tcp
  set firewall family inet filter RE-protection term deny-ssh from port ssh
  set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
  set firewall family inet filter RE-protection term deny-ssh then log
  set firewall family inet filter RE-protection term deny-ssh then discard
  set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
  set firewall family inet filter RE-protection term alw-ntp from protocol udp
  set firewall family inet filter RE-protection term alw-ntp from port ntp
  set firewall family inet filter RE-protection term alw-ntp then accept
  set firewall family inet filter RE-protection term deny-ntp from protocol udp
  set firewall family inet filter RE-protection term deny-ntp from port ntp
  set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
  set firewall family inet filter RE-protection term deny-ntp then log
  set firewall family inet filter RE-protection term deny-ntp then discard
  set firewall family inet filter RE-protection term else-all then accept
  The result:
  root# run show firewall log
  Log :
  Time      Filter    Action Interface     Protocol    Src Addr          Dest Addr
  10:18:14  pfe       D      ge-0/0/0.0    TCP         10.101.5.108      10.101.5.100
  10:18:11  pfe       D      ge-0/0/0.0    TCP         10.101.5.108      10.101.5.100
  10:18:08  pfe       D      ge-0/0/0.0    TCP         10.101.5.108      10.101.5.100
  10:18:02  pfe       D      ge-0/0/0.0    TCP         10.101.5.108      10.101.5.100
  10:17:59  pfe       D      ge-0/0/0.0    TCP         10.101.5.108      10.101.5.100
  The third method is to redirect the SSH port, which was mentioned in the earlier post of practical NAT tips:
  From this part of the configuration you can see that lo0.0 permits ssh as host-inbound-traffic, while ge-0/0/0.0 denies it by default;
  set interfaces lo0 unit 0 family inet address 10.220.1.254/32
  set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
  set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
  set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
  set security zones security-zone untrust interfaces ge-0/0/0.0
  Now the basic NAT configuration:
  set security nat destination pool lo-ssh address 10.220.1.254/32
  set security nat destination pool lo-ssh address port 22
  set security nat destination rule-set 001 from zone untrust
  Another method is to use dynamic VPN, so that logins come in over IPsec.