Juniper SSH防护

很多客户的防火墙都有被Hack 过的经历吧，特别是Netscreen的设备，初始登录信息都是netscreen/netscreen.
在SRX上默认的登录用户是root，同样会有很多人对设备进行SSH的嗅探，如果你设置了syslog，在cli里面
show log message 的时候很容易看到下面的信息吧。现在介绍几种基本针对SSH的防护。
1，对普通的SSH登录进行限制；
2，在loopback口上对特定源目地址的SSH进行放行或是拒绝；
3，改变SSH的默认登录端口。
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh2
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh2
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh2

先讲讲第一种，简单有效，基本配置如下：
set system services ssh root-login deny >>>>>>>>拒绝root用户登录
set system services ssh connection-limit 3 >>>>>>>>同时登录的session 数为3
set system services ssh rate-limit 3 >>>>>>>>每分钟尝试次数为3
set system login retry-options minimum-time 30 >>>>>>>>登录失败等待时间
set system login retry-options maximum-time 100 >>>>>>>>登录时设备的等待时间
set system login retry-options lockout-period 30 >>>>>>>>锁定时间

Junos 的loopback 口有几种功能，cisco一般是用来做动态路由的router-id,在Juniper中还可以做为数据层和控制层的interface，
当我们在loopback口上开启了protect的时候，可以很有效的防御NTP，SSH等***。
基本配置如下：
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol tcp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol tcp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept

效果如下
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100

第三种方式是将SSH的port 重定向，在之前的NAT实用小技巧中有提到过的：
从这部分配置可以看出，lo0.0 是放行了ssh 的host-inbound-traffic，ge-0/0/0.0默认都拒绝；
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
现在就是基本的nat 配置了：
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust

还有种方法是使用dynamic *** 的方式通过IPSec的方式实现登录。

转载于:https://blog.51cto.com/10242469/2056547

Juniper SSH防护相关推荐

ssh暴力破解防护软件
ssh暴力破解一直是个头疼的问题. 今天下决心来解决下.免密登录是终极解决方法.但是有时候确实不太方便(随时携带密钥,或者放到云盘里面). google后发现一款ssh防护软件,好用它会根据log自 ...
(转)SSH批量分发管理非交互式expect
目录 1 SSH批量分发管理 1.1 测试环境 1.2 批量管理步骤 1.3 批量分发管理实例 1.3.1 利用sudo提权来实现没有权限的用户拷贝 1.3.2 利用sudo提权开发管理脚本 1.3. ...
ssh 和 fail2ban 的安全设置
选择 Debian-8 作为 vps 的操作系统,配置好 ssh 以及安全环境必不可少.选择 fail2ban 软件,通过扫描 log 文件发现恶意攻击者并自动 drop 流量同时通知管理员. ssh ...
LNMP架构的搭建--源码编译(MYSQL,PHP,nginx)
1.基础知识 1. LNMP架构: LNMP是指一组通常一起使用来运行动态网站或者服务器的自由软件名称首字母缩写.L指Linux,N指Nginx,M一般指MySQL,也可以指MariaDB,P一般指P ...
LNMP一键安装包+Thinkphp搭建基于pathinfo模式的路由(可以去除url中的.php)
LNMP一键安装包是一个用Linux Shell编写的可以为CentOS/RadHat/Fedora.Debian/Ubuntu/Raspbian/Deepin VPS或独立主机安装LNMP(Ngin ...
Centos8（Liunx）中安装PHP7.4 的三种方法和删除它的三种方法
编译安装 Centos8下PHP源码编译和通过yum安装的区别和以后的选择其实这两种方法各有千秋: yum安装: 从yum安装来说吧,yum相当于是自动化帮你安装,你不用管软件的依赖关系,在yum安 ...
安全设备默认地址账密总结
防火墙厂商默认地址用户名密码天融信 192.168.1.254 superman talent/talent@123 华为 192.168.0.1:8443 admin Huawei@123 ...
关于 Linux 中安全方面的一些笔记
写在前面笔记是学习整理的,大都老师讲课内容,适合温习,不适合新手.整理了一份,希望对小伙伴有帮助. 生活加油,天天开心!博文主要围绕以几个方面: Linux基本防护:账户安全.文件系统安全.关闭不需 ...
四千多个厂商默认帐号、默认密码
设备默认账号默认密码致远OA sangfor admin1 audit-admin group-admin system 123456 123456 123456 泛微OA sysadmin 1 ...

Juniper SSH防护

Juniper SSH防护相关推荐

最新文章

热门文章