很多客户的防火墙都有被Hack 过的经历吧,特别是Netscreen的设备,初始登录信息都是netscreen/netscreen.
在SRX上默认的登录用户是root,同样会有很多人对设备进行SSH的嗅探,如果你设置了syslog,在cli里面
show log message 的时候很容易看到下面的信息吧。现在介绍几种基本针对SSH的防护。
1,对普通的SSH登录进行限制;
2,在loopback口上对特定源目地址的SSH进行放行或是拒绝;
3,改变SSH的默认登录端口。
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh2
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh2
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh2

先讲讲第一种,简单有效,基本配置如下:
set system services ssh root-login deny >>>>>>>>拒绝root用户登录
set system services ssh connection-limit 3 >>>>>>>>同时登录的session 数为3
set system services ssh rate-limit 3 >>>>>>>>每分钟尝试次数为3
set system login retry-options minimum-time 30 >>>>>>>>登录失败等待时间
set system login retry-options maximum-time 100 >>>>>>>>登录时设备的等待时间
set system login retry-options lockout-period 30 >>>>>>>>锁定时间

Junos 的loopback 口有几种功能,cisco一般是用来做动态路由的router-id,在Juniper中还可以做为数据层和控制层的interface,
当我们在loopback口上开启了protect的时候,可以很有效的防御NTP,SSH等攻击。
基本配置如下:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol tcp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol tcp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept

效果如下
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100

第三种方式是将SSH的port 重定向,在之前的NAT实用小技巧中有提到过的:
从这部分配置可以看出,lo0.0 是放行了ssh 的host-inbound-traffic,ge-0/0/0.0默认都拒绝;
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
现在就是基本的nat 配置了:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust

还有种方法是使用dynamic vpn 的方式通过IPSec的方式实现登录。