smart85 Posted April 21, 2017

Colleagues, good day. A firewall is configured on the router:

    #show configuration firewall filter accept-ssh
    term accept-ssh {
        from {
            source-prefix-list {
                trusted;
            }
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            policer management-5m;
            count accept-ssh;
            accept;
        }
    }

    #show configuration firewall filter discard-to-locals-v4
    term accept-established {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol tcp;
            tcp-established;
        }
        then {
            count accept-established;
            accept;
        }
    }
    term discard-ip-options {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            ip-options any;
        }
        then {
            count discard-ip-options;
            log;
            discard;
        }
    }
    term discard-TTL_1-unknown {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            ttl 1;
        }
        then {
            count discard-TTL_1-unknown;
            log;
            discard;
        }
    }
    term discard-tcp {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol tcp;
        }
        then {
            count discard-tcp;
            log;
            discard;
        }
    }
    term discard-udp {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol udp;
        }
        then {
            count discard-udp;
            log;
            discard;
        }
    }
    term discard-icmp {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol icmp;
        }
        then {
            count discard-icmp;
            log;
            discard;
        }
    }
    term discard-unknown {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
        }
        then {
            count discard-unknown;
            log;
            discard;
        }
    }

and it is attached to the interface:

    show configuration interfaces xe-1/0/0
    description "YYYYYY uplink";
    unit 0 {
        family inet {
            filter {
                input-list [ accept-ssh discard-to-locals-v4 ];
            }
            sampling {
                input;
            }
            address XX.XXX.XXX.XX/30;
        }
    }

From a remote host that is not in the trusted prefix-list, there is no connection to XX.XXX.XXX.XX port 22/TCP. If I remove input-list [ accept-ssh discard-to-locals-v4 ], there is. And here is what I observe in monitor traffic interface xe-1/0/0.0:

    15:04:55.925715 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 0
    15:04:55.925787 Out IP truncated-ip - 4 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 0
    15:04:56.055632 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 0
    15:04:56.055657 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 23
    15:04:56.105214 Out IP truncated-ip - 13 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 21
    15:04:56.124942 Out IP truncated-ip - 1420 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 1428
    15:04:56.239837 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 0
    15:04:56.239861 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 648
    15:04:56.297412 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 0
    15:04:56.297468 Out IP truncated-ip - 108 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 116
    15:04:56.425047 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 0
    15:04:56.437239 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 272
    15:04:56.530547 Out IP truncated-ip - 840 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 848
    15:04:56.673915 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 16
    15:04:56.773744 Out IP XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 0
    15:04:56.901484 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 52
    15:04:56.902119 Out IP truncated-ip - 44 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 52
    15:04:57.029822 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 84
    15:04:57.056223 Out IP truncated-ip - 76 bytes missing! XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 84
    15:04:57.184046 In IP 104.209.190.5.2161 > XX.XXX.XXX.XX.ssh: tcp 84
    15:04:57.283744 Out IP XX.XXX.XXX.XX.ssh > 104.209.190.5.2161: tcp 0

In the log:

    Apr 21 15:04:33 inetd[1370]: /usr/sbin/sshd[81697]: exited, status 255
    Apr 21 15:04:41 sshd: SSHD_LOGIN_FAILED: Login failed for user 'veroxcode' from host '104.209.190.5'
    Apr 21 15:04:41 sshd[81699]: Failed password for veroxcode from 104.209.190.5 port 2162 ssh2
    Apr 21 15:04:41 sshd: SSHD_LOGIN_FAILED: Login failed for user 'veroxcode' from host '104.209.190.5'
    Apr 21 15:04:41 sshd[81699]: Failed password for veroxcode from 104.209.190.5 port 2162 ssh2
    Apr 21 15:04:46 sshd[81699]: Connection closed by 104.209.190.5 [preauth]
    Apr 21 15:04:46 inetd[1370]: /usr/sbin/sshd[81699]: exited, status 255
    Apr 21 15:04:49 sshd[81701]: Failed password for veroxcode from 104.209.190.5 port 2160 ssh2
    Apr 21 15:04:49 sshd: SSHD_LOGIN_FAILED: Login failed for user 'veroxcode' from host '104.209.190.5'
    Apr 21 15:04:49 sshd[81701]: Connection closed by 104.209.190.5 [preauth]
    Apr 21 15:04:49 inetd[1370]: /usr/sbin/sshd[81701]: exited, status 255
    Apr 21 15:04:57 sshd: SSHD_LOGIN_FAILED: Login failed for user 'vyatta' from host '104.209.190.5'
    Apr 21 15:04:57 sshd[81705]: Failed password for vyatta from 104.209.190.5 port 2161 ssh2
    Apr 21 15:04:57 sshd: SSHD_LOGIN_FAILED: Login failed for user 'vyatta' from host '104.209.190.5'
    Apr 21 15:04:57 sshd[81705]: Failed password for vyatta from 104.209.190.5 port 2161 ssh2

How, why, and how do I stop this? For now I have done:

    inactive: term accept-established {
        from {
            destination-prefix-list {
                LOCALS-v4;
            }
            protocol tcp;
            tcp-established;
        }
        then {
            count accept-established;
            accept;
        }
    }

since I suspect these packets are getting in through this term. But the scan has already ended, so it is not clear whether the situation has changed or not. Thanks for your attention.
vvertexx Posted April 21, 2017

It's not quite clear what you are connecting to. If it's the Juniper itself, apply the filter to the loopback interface (lo0).
smart85 Posted April 24, 2017 (Author, edited)

> It's not quite clear what you are connecting to. If it's the Juniper itself, apply the filter to the loopback interface (lo0).

I'm connecting to one of the router's external addresses. And what if the loopback isn't configured?

    user@J> show interfaces lo0
    Physical interface: lo0, Enabled, Physical link is Up
      Interface index: 6, SNMP ifIndex: 6
      Type: Loopback, MTU: Unlimited
      Device flags   : Present Running Loopback
      Interface flags: SNMP-Traps
      Link flags     : None
      Last flapped   : Never
        Input packets : 40640
        Output packets: 40640

      Logical interface lo0.16384 (Index 320) (SNMP ifIndex 21)
        Flags: SNMP-Traps Encapsulation: Unspecified
        Input packets : 6714
        Output packets: 6714
        Protocol inet, MTU: Unlimited
          Addresses
            Local: 127.0.0.1

      Logical interface lo0.16385 (Index 321) (SNMP ifIndex 22)
        Flags: SNMP-Traps Encapsulation: Unspecified
        Input packets : 33628
        Output packets: 33628
        Protocol inet, MTU: Unlimited

    user@J> show configuration interfaces lo0

    user@J>

Edited April 24, 2017 by mse.rus77
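As an added example, written for this thread and not taken from either poster or from Juniper documentation, the following Python model walks the two filters quoted in the first post in the order `input-list [ accept-ssh discard-to-locals-v4 ]` applies them, using Junos first-match semantics: the first term whose `from` conditions all match decides the action, and a packet matching no term is discarded. It also models the scope point in vvertexx's reply: a filter bound to `xe-1/0/0.0` only sees packets that enter through that interface, while the same filter on `lo0` sees every packet addressed to the router itself whatever interface it arrived on. The prefix contents (192.0.2.0/24 standing in for `trusted`, 198.51.100.0/30 for `LOCALS-v4`), the second interface name `ge-0/0/1.0` and the sample packets are constructed; `tcp-established` is modelled as Junos defines it, as shorthand for `tcp-flags "(ack | rst)"`.

```python
# Added example, not from the thread: a first-match model of the filter
# chain quoted in the first post, used to check which term a packet hits.
from dataclasses import dataclass
import ipaddress

# Constructed stand-ins for the prefix lists referenced by the filters.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]        # prefix-list trusted
LOCALS_V4 = [ipaddress.ip_network("198.51.100.0/30")]   # prefix-list LOCALS-v4

# Where input-list [ accept-ssh discard-to-locals-v4 ] is bound in the thread.
FILTERED_INTERFACES = frozenset({"xe-1/0/0.0"})


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp", "icmp", ...
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags, e.g. {"syn"} or {"ack"}
    ttl: int = 64
    ip_options: bool = False
    ingress: str = "xe-1/0/0.0"         # logical interface the packet arrived on


def in_list(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def tcp_established(pkt):
    # Junos "tcp-established" is shorthand for tcp-flags "(ack | rst)":
    # a bare SYN has neither flag and therefore does not match.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ack", "rst"})


def to_locals(pkt):
    return in_list(pkt.dst, LOCALS_V4)


# (term name, match predicate, action), in the order the chain evaluates them.
TERMS = [
    ("accept-ssh", lambda p: in_list(p.src, TRUSTED) and to_locals(p)
                             and p.proto == "tcp" and p.dport == 22, "accept"),
    ("accept-established", lambda p: to_locals(p) and tcp_established(p), "accept"),
    ("discard-ip-options", lambda p: to_locals(p) and p.ip_options, "discard"),
    ("discard-TTL_1-unknown", lambda p: to_locals(p) and p.ttl == 1, "discard"),
    ("discard-tcp", lambda p: to_locals(p) and p.proto == "tcp", "discard"),
    ("discard-udp", lambda p: to_locals(p) and p.proto == "udp", "discard"),
    ("discard-icmp", lambda p: to_locals(p) and p.proto == "icmp", "discard"),
    ("discard-unknown", lambda p: to_locals(p), "discard"),
]


def evaluate(pkt, filtered_interfaces=FILTERED_INTERFACES, on_loopback=False):
    """Return (term, action) for a packet.

    on_loopback=False models the thread's setup: the filter is an input
    filter on specific interfaces, so a packet arriving elsewhere is never
    evaluated by it.  on_loopback=True models the same chain applied to lo0,
    which sees all traffic destined to the router regardless of ingress.
    """
    if not on_loopback and pkt.ingress not in filtered_interfaces:
        return ("<no filter on ingress interface>", "accept")
    for name, match, action in TERMS:
        if match(pkt):
            return (name, action)
    # Junos applies an implicit discard to packets that match no term.
    return ("<implicit default>", "discard")


def demo():
    """Constructed packets: returns {label: (term, action)} for inspection."""
    untrusted_syn = Packet("203.0.113.5", "198.51.100.1", "tcp", 22, frozenset({"syn"}))
    untrusted_ack = Packet("203.0.113.5", "198.51.100.1", "tcp", 22, frozenset({"ack"}))
    trusted_syn = Packet("192.0.2.10", "198.51.100.1", "tcp", 22, frozenset({"syn"}))
    other_ingress = Packet("203.0.113.5", "198.51.100.1", "tcp", 22,
                           frozenset({"syn"}), ingress="ge-0/0/1.0")
    return {
        "untrusted SYN on xe-1/0/0.0": evaluate(untrusted_syn),
        "untrusted ACK on xe-1/0/0.0": evaluate(untrusted_ack),
        "trusted SYN on xe-1/0/0.0": evaluate(trusted_syn),
        "untrusted SYN on ge-0/0/1.0": evaluate(other_ingress),
        "untrusted SYN on ge-0/0/1.0, filter on lo0": evaluate(other_ingress, on_loopback=True),
    }


if __name__ == "__main__":
    for label, (term, action) in demo().items():
        print(f"{label:45s} -> {term} ({action})")
```

The two rows worth comparing are the untrusted SYN arriving on the filtered interface, which falls through `accept-ssh` and `accept-established` to `discard-tcp`, and the identical packet arriving on an interface without the input-list, which the chain never sees at all until it is bound to lo0. When moving the chain to lo0, the `discard-unknown` term and the implicit discard apply to everything the Routing Engine receives, so every protocol the box legitimately uses (routing adjacencies, NTP, SNMP, DNS and so on) needs its own accept term ahead of the discards.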