Juniper SSH防护

ywg

　　很多客户的防火墙都有被Hack 过的经历吧，特别是Netscreen的设备，初始登录信息都是netscreen/netscreen.
　　在SRX上默认的登录用户是root，同样会有很多人对设备进行SSH的嗅探，如果你设置了syslog，在cli里面
　　show log message 的时候很容易看到下面的信息吧。现在介绍几种基本针对SSH的防护。
　　1，对普通的SSH登录进行限制；
　　2，在loopback口上对特定源目地址的SSH进行放行或是拒绝；
　　3，改变SSH的默认登录端口。

　　Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to>　　Nov 11 23:05:06  TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
　　Nov 11 23:05:07  TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
　　Nov 11 23:05:07  TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh2
　　Nov 11 23:05:12  TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
　　Nov 11 23:05:13  TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
　　Nov 11 23:05:13  TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh2
　　Nov 11 23:05:19  TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
　　Nov 11 23:05:20  TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
　　Nov 11 23:05:20  TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh2
　　先讲讲第一种，简单有效，基本配置如下：
　　set system services ssh root-login deny  >>>>>>>>拒绝root用户登录
　　set system services ssh connection-limit 3  >>>>>>>>同时登录的session 数为3
　　set system services ssh rate-limit 3   >>>>>>>>每分钟尝试次数为3
　　set system login retry-options minimum-time 30 >>>>>>>>登录失败等待时间
　　set system login retry-options maximum-time 100  >>>>>>>>登录时设备的等待时间
　　set system login retry-options lockout-period 30  >>>>>>>>锁定时间
　　Junos 的loopback 口有几种功能，cisco一般是用来做动态路由的router-id,在Juniper中还可以做为数据层和控制层的interface，
　　当我们在loopback口上开启了protect的时候，可以很有效的防御NTP，SSH等***。
　　基本配置如下：
　　set interfaces lo0 unit 0 family inet filter input RE-protection
　　set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
　　set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
　　set firewall family inet filter RE-protection term alw-ssh from protocol tcp
　　set firewall family inet filter RE-protection term alw-ssh from port ssh
　　set firewall family inet filter RE-protection term alw-ssh then accept
　　set firewall family inet filter RE-protection term deny-ssh from protocol tcp
　　set firewall family inet filter RE-protection term deny-ssh from port ssh
　　set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
　　set firewall family inet filter RE-protection term deny-ssh then log
　　set firewall family inet filter RE-protection term deny-ssh then discard
　　set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
　　set firewall family inet filter RE-protection term alw-ntp from protocol tcp
　　set firewall family inet filter RE-protection term alw-ntp from port ntp
　　set firewall family inet filter RE-protection term alw-ntp then accept
　　set firewall family inet filter RE-protection term deny-ntp from protocol tcp
　　set firewall family inet filter RE-protection term deny-ntp from port ntp
　　set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
　　set firewall family inet filter RE-protection term deny-ntp then log
　　set firewall family inet filter RE-protection term deny-ntp then discard
　　set firewall family inet filter RE-protection term else-all then accept
　　效果如下
　　root# run show firewall log
　　Log :
　　Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
　　10:18:14  pfe       D      ge-0/0/0.0    TCP             10.101.5.108                     10.101.5.100
　　10:18:11  pfe       D      ge-0/0/0.0    TCP             10.101.5.108                     10.101.5.100
　　10:18:08  pfe       D      ge-0/0/0.0    TCP             10.101.5.108                     10.101.5.100
　　10:18:02  pfe       D      ge-0/0/0.0    TCP             10.101.5.108                     10.101.5.100
　　10:17:59  pfe       D      ge-0/0/0.0    TCP             10.101.5.108                     10.101.5.100
　　第三种方式是将SSH的port 重定向，在之前的NAT实用小技巧中有提到过的：
　　从这部分配置可以看出，lo0.0 是放行了ssh 的host-inbound-traffic，ge-0/0/0.0默认都拒绝；
　　set interfaces lo0 unit 0 family inet address 10.220.1.254/32
　　set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
　　set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
　　set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
　　set security zones security-zone untrust interfaces ge-0/0/0.0
　　现在就是基本的nat 配置了：
　　set security nat destination pool lo-ssh address 10.220.1.254/32
　　set security nat destination pool lo-ssh address port 22
　　set security nat destination rule-set 001 from zone untrust
　　还有种方法是使用dynamic *** 的方式通过IPSec的方式实现登录。