很多客戶的防火牆都有被Hack 過的經歷吧,特別是Netscreen的設備,初始登錄信息都是netscreen/netscreen.
在SRX上默認的登錄用戶是root,同樣會有很多人對設備進行SSH的嗅探,如果你設置了syslog,在cli裏面
show log message 的時候很容易看到下面的信息吧。現在介紹幾種基本針對SSH的防護。
1,對普通的SSH登錄進行限制;
2,在loopback口上對特定源目地址的SSH進行放行或是拒絕;
3,改變SSH的默認登錄端口。
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh2
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh2
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh2
先講講第一種,簡單有效,基本配置如下:
set system services ssh root-login deny >>>>>>>>拒絕root用戶登錄
set system services ssh connection-limit 3 >>>>>>>>同時登錄的session 數爲3
set system services ssh rate-limit 3 >>>>>>>>每分鐘嘗試次數爲3
set system login retry-options minimum-time 30 >>>>>>>>登錄失敗等待時間
set system login retry-options maximum-time 100 >>>>>>>>登錄時設備的等待時間
set system login retry-options lockout-period 30 >>>>>>>>鎖定時間
Junos 的loopback 口有幾種功能,cisco一般是用來做動態路由的router-id,在Juniper中還可以做爲數據層和控制層的interface,
當我們在loopback口上開啓了protect的時候,可以很有效的防禦NTP,SSH等***。
基本配置如下:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol tcp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol tcp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept
效果如下
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
第三種方式是將SSH的port 重定向,在之前的NAT實用小技巧中有提到過的:
從這部分配置可以看出,lo0.0 是放行了ssh 的host-inbound-traffic,ge-0/0/0.0默認都拒絕;
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
現在就是基本的nat 配置了:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust
還有種方法是使用dynamic *** 的方式通過IPSec的方式實現登錄。