

Juniper SSH Protection

Many customers have had their firewalls hacked, especially Netscreen devices, whose factory login is netscreen/netscreen. On SRX the default login user is root, and just as many people probe the device over SSH. If you have syslog set up and run show log messages in the CLI, you will easily see messages like these:
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh3
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 39821 ssh3
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh3
This post introduces a few basic protections for SSH:
1. Restrict ordinary SSH logins;
2. Permit or deny SSH from specific source/destination addresses with a filter on the loopback interface;
3. Change the default SSH login port.


Let's start with the first method. It is simple and effective, and the basic configuration is as follows:
set system services ssh root-login deny >>>>>>>>deny root login over SSH
set system services ssh connection-limit 3 >>>>>>>>at most 3 concurrent SSH sessions
set system services ssh rate-limit 3 >>>>>>>>at most 3 connection attempts per minute
set system login retry-options minimum-time 30 >>>>>>>>wait time after a failed login
set system login retry-options maximum-time 100 >>>>>>>>how long the device waits for a login to complete
set system login retry-options lockout-period 30 >>>>>>>>lockout period

The Junos loopback interface serves several purposes. On Cisco it is usually just the router-id for dynamic routing; on Juniper it also acts as the interface between the data plane and the control plane (the Routing Engine). When protection is enabled on the loopback interface, attacks against NTP, SSH and other services can be defended against very effectively. The basic configuration is as follows:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from destination-port ssh >>>>>>>>destination-port rather than port: port also matches source port 22, i.e. the replies to SSH sessions the device itself opens
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from destination-port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol udp >>>>>>>>NTP runs over UDP/123; with protocol tcp these terms would never match
set firewall family inet filter RE-protection term alw-ntp from destination-port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol udp
set firewall family inet filter RE-protection term deny-ntp from destination-port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept >>>>>>>>everything else (routing protocols, ICMP, etc.) still reaches the Routing Engine

The result looks like this:
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100

The third method is to redirect the SSH port, which was mentioned earlier in the NAT tips post. From the configuration below you can see that lo0.0 permits SSH as host-inbound-traffic, while ge-0/0/0.0 denies everything by default:
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
Now the basic NAT configuration:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust
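The excerpt above stops at the rule-set. The rest of the redirect is given here as an added example, not the original post's configuration; it assumes an external port of 2222 and the names ssh-redirect and allow-lo-ssh, everything else is taken from the page:

```junos
# Added example (not from the original post). Completes the destination-NAT
# redirect: TCP/2222 on the outside address is rewritten to the loopback's
# SSH port. Assumed: port 2222, rule name ssh-redirect, policy name allow-lo-ssh.

# Pool and rule-set already shown on the page, repeated for completeness
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust

# Rule (name assumed): only TCP/2222 aimed at the ge-0/0/0.0 address is
# translated; plain TCP/22 on ge-0/0/0.0 still has no host-inbound service
set security nat destination rule-set 001 rule ssh-redirect match destination-address 10.101.5.100/32
set security nat destination rule-set 001 rule ssh-redirect match destination-port 2222
set security nat destination rule-set 001 rule ssh-redirect then destination-nat pool lo-ssh

# Security policy (name assumed): policies see the post-NAT destination, so it
# refers to the lo-ssh address-book entry of zone trust and port 22 (junos-ssh).
# source-address any is the widest setting; tighten it to your management
# networks, or keep the lo0 filter from method 2 in place as well.
set security policies from-zone untrust to-zone trust policy allow-lo-ssh match source-address any
set security policies from-zone untrust to-zone trust policy allow-lo-ssh match destination-address lo-ssh
set security policies from-zone untrust to-zone trust policy allow-lo-ssh match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-lo-ssh then permit
set security policies from-zone untrust to-zone trust policy allow-lo-ssh then log session-init

# Checks after commit (from configuration mode)
run show security nat destination rule all
run show security flow session destination-port 22
```

The first check shows the translation hit counter for ssh-redirect; the second lists live sessions that were translated to the loopback address, so a scan of the public port 22 should produce neither.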

Another method is to use dynamic VPN over IPsec for login.


轉(zhuǎn)載注明:http://weahome.cn/article/ieeopj.html
