
Wednesday, April 22, 2015

Juniper block Telnet and SSH Brute Force log-in attacks


set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 10
set system login retry-options lockout-period 6


==========================
See the locked-out users

show system login lockout

============================

backoff-threshold: Sets the threshold for the number of failed log-in attempts on the device before the user experiences a delay when attempting to re-enter a password. When a user incorrectly logs into the device and hits the threshold of failed log-in attempts, the user experiences a delay (set in the backoff-factor statement) before he can attempt to log into the device again. The valid range for this option is 1 to 3 attempts.

backoff-factor: Sets the length of the delay, in seconds, after each failed log-in attempt. When a user incorrectly logs into the device, the user must wait the configured amount of time before he can attempt to log into the device again. The length of the delay increases by the backoff-factor value for each subsequent log-in attempted after the value specified in the backoff-threshold statement is reached. The valid range for this option is 5 to 10 seconds.

tries-before-disconnect: Sets the maximum number of times the user is allowed to enter a password in an attempt to log into the device through SSH or Telnet. When the user reaches the maximum number of failed log-in attempts, he is locked out of the device. The user must wait the number of minutes configured in the lockout-period statement before he can attempt to log back into the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The valid range for this option is 1 to 10 attempts.

lockout-period: Sets the amount of time, in minutes, that the user must wait before he can attempt to log into the device after being locked out due to the number of failed log-in attempts specified in the tries-before-disconnect statement. The lockout-period must be greater than zero. The valid range for this option is 1 to 43,200 minutes.
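To check a retry-options block against the ranges listed above, and to see how the four values combine into the delay sequence a client that keeps failing will experience, here is an added Python example. It is not from the post or from Juniper: it parses the `set system login retry-options` lines shown above, validates each value against the stated ranges, and models the back-off from the prose description only (the exact timing on a real device is defined by the Junos documentation).

```python
"""Validate Junos login retry-options and model the documented back-off.

Added example, not from the blog post or Juniper.  Parses the four
'set system login retry-options ...' lines from the post, checks each value
against the valid ranges the post lists, and models the delay sequence
seen by a client that keeps failing.  The model follows the prose only.
"""
import re

# Valid ranges as stated in the post (inclusive).
VALID_RANGES = {
    "tries-before-disconnect": (1, 10),
    "backoff-threshold": (1, 3),
    "backoff-factor": (5, 10),
    "lockout-period": (1, 43200),
}

# Constructed input: the configuration shown in the post.
CONFIG = """\
set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 10
set system login retry-options lockout-period 6
"""

LINE_RE = re.compile(r"^set system login retry-options (\S+) (\d+)$")


def parse_retry_options(config: str) -> dict:
    """Return {option: int} for every retry-options line in a set-style config."""
    opts = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts


def validate(opts: dict) -> list:
    """Return human-readable problems; an empty list means the values are sound."""
    problems = []
    for name, (lo, hi) in VALID_RANGES.items():
        if name in opts and not lo <= opts[name] <= hi:
            problems.append(f"{name}={opts[name]} outside {lo}..{hi}")
    # lockout-period is meaningless without tries-before-disconnect (see post).
    if "lockout-period" in opts and "tries-before-disconnect" not in opts:
        problems.append("lockout-period set without tries-before-disconnect")
    return problems


def failed_attempt_delays(opts: dict) -> list:
    """Model the delay (seconds) imposed after each failed attempt in one session.

    Attempts below backoff-threshold get no delay; from the threshold on, the
    delay grows by backoff-factor per failure; the session ends after
    tries-before-disconnect failures, after which the account is locked for
    lockout-period minutes.
    """
    tries = opts["tries-before-disconnect"]
    threshold = opts.get("backoff-threshold", tries + 1)
    factor = opts.get("backoff-factor", 0)
    delays = []
    for attempt in range(1, tries + 1):
        delays.append(0 if attempt < threshold else (attempt - threshold + 1) * factor)
    return delays


def main():
    opts = parse_retry_options(CONFIG)
    print("parsed:", opts)
    print("problems:", validate(opts) or "none")
    print("delay after each failed attempt (s):", failed_attempt_delays(opts))
    print("locked out for", opts["lockout-period"], "minutes after the last attempt")


if __name__ == "__main__":
    main()
```

With the post's values the model gives no delay for the first two failures, then 10, 20 and 30 seconds, and the fifth failure disconnects the session and starts the 6-minute lockout; a password-guessing client therefore gets five guesses per six minutes per account instead of an unthrottled stream.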

---------------------------------------------------------------------------------------------------------
We can also restrict SSH access to a single IP address and deny all others
---------------------------------------------------------------------------------------------------------
Here we deny all and allow only IP xxx.xxx.10.174/32 to SSH into my Juniper router
-----------------------------------------------------------------------------------------------------------
set interfaces lo0 unit 0 family inet filter input my-ip
set firewall family inet filter my-ip term 1 from source-address xxx.xxx.10.174/32
set firewall family inet filter my-ip term 1 from destination-port ssh
set firewall family inet filter my-ip term 1 then accept
set firewall family inet filter my-ip term 2 from source-address 0.0.0.0/0
set firewall family inet filter my-ip term 2 from destination-port ssh
set firewall family inet filter my-ip term 2 then discard
set firewall family inet filter my-ip term 3 then accept

------------------------------------------------------------------------------------------
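The filter above is applied as an input filter on lo0, so it sees every packet addressed to the routing engine and terms are evaluated top to bottom with an implicit discard after the last term. The following added Python example (not from the post or from Juniper) parses the `set firewall` lines, applies that first-match logic to sample packets, and shows two things worth checking before committing: that the final accept term is what keeps non-SSH traffic such as routing protocols alive, and that the filter as written only matches destination-port ssh, so Telnet is not restricted by it. The address 192.0.2.174/32 is a constructed stand-in for the post's xxx.xxx.10.174/32.

```python
"""Evaluate a Junos lo0 input filter against sample packets.

Added example, not from the blog post or Juniper.  Reads 'set firewall
family inet filter ...' lines, builds the ordered term list, and applies
first-match semantics with the implicit discard at the end of the filter.
192.0.2.174/32 is a constructed stand-in for the post's xxx.xxx.10.174/32.
"""
import ipaddress
import re

PORT_NAMES = {"ssh": 22, "telnet": 23, "bgp": 179}

# Constructed: the filter from the post with a placeholder management host.
CONFIG = """\
set firewall family inet filter my-ip term 1 from source-address 192.0.2.174/32
set firewall family inet filter my-ip term 1 from destination-port ssh
set firewall family inet filter my-ip term 1 then accept
set firewall family inet filter my-ip term 2 from source-address 0.0.0.0/0
set firewall family inet filter my-ip term 2 from destination-port ssh
set firewall family inet filter my-ip term 2 then discard
set firewall family inet filter my-ip term 3 then accept
"""

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.*)$")


def parse_filter(config: str, name: str) -> list:
    """Return ordered terms: [{'name', 'src': [networks], 'dport': [ints], 'action'}]."""
    terms = {}
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        term = terms.setdefault(
            m.group(2), {"name": m.group(2), "src": [], "dport": [], "action": None}
        )
        kind, rest = m.group(3), m.group(4).split()
        if kind == "then":
            term["action"] = rest[0]
        elif rest[0] == "source-address":
            term["src"].append(ipaddress.ip_network(rest[1], strict=False))
        elif rest[0] == "destination-port":
            port = rest[1]
            term["dport"].append(PORT_NAMES[port] if port in PORT_NAMES else int(port))
    return list(terms.values())  # dict keeps configuration order


def evaluate(terms: list, src: str, dport: int) -> tuple:
    """Return (action, term_name); anything no term matches is discarded by Junos."""
    addr = ipaddress.ip_address(src)
    for term in terms:
        # A term with no source-address or no destination-port matches any value.
        if term["src"] and not any(addr in net for net in term["src"]):
            continue
        if term["dport"] and dport not in term["dport"]:
            continue
        return term["action"], term["name"]
    return "discard", "<implicit>"


def main():
    terms = parse_filter(CONFIG, "my-ip")
    samples = [("192.0.2.174", 22), ("198.51.100.7", 22), ("198.51.100.7", 179), ("198.51.100.7", 23)]
    for src, port in samples:
        print(f"{src}:{port} -> {evaluate(terms, src, port)}")
    # Without the final accept term, everything else to the RE is dropped.
    print("BGP without term 3 ->", evaluate(terms[:2], "198.51.100.7", 179))


if __name__ == "__main__":
    main()
```

Running it shows the management host accepted by term 1, any other source's SSH discarded by term 2, BGP from a peer accepted by term 3, and Telnet from an arbitrary source also accepted by term 3; dropping term 3 turns the BGP result into the implicit discard, which is why that catch-all accept belongs in a lo0 filter.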

