Juniper SSH防护

发布时间:2020-05-23 18:13:18 作者:Bcheng7
来源:网络 阅读:1979

很多客户的防火墙都有被Hack 过的经历吧,特别是Netscreen的设备,初始登录信息都是netscreen/netscreen.
在SRX上默认的登录用户是root,同样会有很多人对设备进行SSH的嗅探,如果你设置了syslog,在cli里面
show log message 的时候很容易看到下面的信息吧。现在介绍几种基本针对SSH的防护。
1,对普通的SSH登录进行限制;
2,在loopback口上对特定源目地址的SSH进行放行或是拒绝;
3,改变SSH的默认登录端口。
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh3
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh3
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh3

先讲讲第一种,简单有效,基本配置如下:
set system services ssh root-login deny >>>>>>>>拒绝root用户登录
set system services ssh connection-limit 3 >>>>>>>>同时登录的session 数为3
set system services ssh rate-limit 3 >>>>>>>>每分钟尝试次数为3
set system login retry-options minimum-time 30 >>>>>>>>登录失败等待时间
set system login retry-options maximum-time 100 >>>>>>>>登录时设备的等待时间
set system login retry-options lockout-period 30 >>>>>>>>锁定时间

Junos 的loopback 口有几种功能,cisco一般是用来做动态路由的router-id,在Juniper中还可以做为数据层和控制层的interface,
当我们在loopback口上开启了protect的时候,可以很有效的防御NTP,SSH等***。
基本配置如下:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol tcp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol tcp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept

效果如下
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100

第三种方式是将SSH的port 重定向,在之前的NAT实用小技巧中有提到过的:
从这部分配置可以看出,lo0.0 是放行了ssh 的host-inbound-traffic,ge-0/0/0.0默认都拒绝;
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
现在就是基本的nat 配置了:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust

还有种方法是使用dynamic *** 的方式通过IPSec的方式实现登录。

推荐阅读:
  1. centos密钥登录
  2. 某虚拟化防火墙测试报告及厂家答疑

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

juniper ssh ntp

上一篇:Online Redo Log File(联机重做日志)

下一篇:QT 全屏显示子窗口

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》