Tuesday, February 9, 2021

SSH Attempts Bypassing Firewall Filter

Hello Everyone,

We have seven Juniper EX-3300s set up in a virtual chassis at my workplace. All switches are running JunOS 15.1R6.7.

Recently we have noticed a slew of failed SSH attempts even though we have some rules in place to prevent this, namely denying root login for the SSH service, as well as a firewall filter applied to the lo0 interface:

services {
    ssh {
        root-login deny;
        protocol-version v2;
        client-alive-count-max 3;
        client-alive-interval 120;
----
filter admin-access {
    term 1 {
        from {
            source-prefix-list {
                admin-access;
            }
            destination-prefix-list {
                localhost;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term block_others {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
----
lo0 {
    unit 0 {
        family inet {
            filter {
                input admin-access;
            }
            address [redacted] {
                primary;
                preferred;
            }
            address 127.0.0.1/32;
        }
        family inet6 {
            address [redacted];
----

Error log:

Feb 9 23:40:26 isp-vc.lax01 sshd: rad_send_request: No valid RADIUS responses received
Feb 9 23:40:26 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '119.45.184.216'
Feb 9 23:40:26 isp-vc.lax01 sshd[27055]: Failed password for root from 119.45.184.216 port 49540 ssh2
Feb 9 23:40:26 isp-vc.lax01 sshd[27055]: Received disconnect from 119.45.184.216: 11: Bye Bye [preauth]
Feb 9 23:40:26 isp-vc.lax01 sshd[27055]: Disconnected from 119.45.184.216 [preauth]
Feb 9 23:42:58 isp-vc.lax01 sshd: rad_send_request: No valid RADIUS responses received
Feb 9 23:42:58 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'health' from host '49.235.107.161'
Feb 9 23:42:58 isp-vc.lax01 sshd[27065]: Failed password for health from 49.235.107.161 port 45112 ssh2
Feb 9 23:42:58 isp-vc.lax01 sshd[27065]: Received disconnect from 49.235.107.161: 11: Bye Bye [preauth]
Feb 9 23:42:58 isp-vc.lax01 sshd[27065]: Disconnected from 49.235.107.161 [preauth]
Feb 9 23:45:22 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '51.15.118.15'
Feb 9 23:45:23 isp-vc.lax01 sshd[27079]: Failed password for root from 51.15.118.15 port 59164 ssh2
Feb 9 23:45:23 isp-vc.lax01 sshd[27079]: Received disconnect from 51.15.118.15: 11: Bye Bye [preauth]
Feb 9 23:45:23 isp-vc.lax01 sshd[27079]: Disconnected from 51.15.118.15 [preauth]
----

Even with these rules in place, we are still seeing SSH attempts come through, even as the user root! I've spent nearly the entire day trying to figure out how these attempts are still getting through. Anybody have any input regarding this issue?
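The following is an added check, not part of the original post and not Juniper code: it replays the posted filter's term logic (first matching term wins, implicit discard at the end) against the source addresses in the posted log. The `admin-access` and `localhost` prefix-list contents and the lo0 address are redacted in the post, so the values below are assumed placeholders; the log lines are copied from the post. The check only covers `family inet`, matching the posted config, where `family inet6` carries no filter at all.

```python
"""Added example: evaluate the posted lo0 filter against the posted sshd log.

Assumptions (placeholders, not from the post): the prefix-list contents in
PREFIX_LISTS and the lo0 destination address used by audit().
"""
import ipaddress
import re
from collections import Counter

# Log lines copied from the post (RADIUS and preauth noise kept on purpose).
SAMPLE_LOG = """\
Feb 9 23:40:26 isp-vc.lax01 sshd: rad_send_request: No valid RADIUS responses received
Feb 9 23:40:26 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '119.45.184.216'
Feb 9 23:40:26 isp-vc.lax01 sshd[27055]: Failed password for root from 119.45.184.216 port 49540 ssh2
Feb 9 23:40:26 isp-vc.lax01 sshd[27055]: Received disconnect from 119.45.184.216: 11: Bye Bye [preauth]
Feb 9 23:42:58 isp-vc.lax01 sshd: rad_send_request: No valid RADIUS responses received
Feb 9 23:42:58 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'health' from host '49.235.107.161'
Feb 9 23:42:58 isp-vc.lax01 sshd[27065]: Failed password for health from 49.235.107.161 port 45112 ssh2
Feb 9 23:45:22 isp-vc.lax01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '51.15.118.15'
Feb 9 23:45:23 isp-vc.lax01 sshd[27079]: Failed password for root from 51.15.118.15 port 59164 ssh2
"""

LOGIN_FAILED = re.compile(
    r"SSHD_LOGIN_FAILED: Login failed for user '([^']+)' from host '([^']+)'"
)

# Hypothetical prefix lists; the real ones are redacted in the post.
PREFIX_LISTS = {
    "admin-access": ["192.0.2.0/24"],                  # assumed admin range
    "localhost": ["127.0.0.1/32", "203.0.113.1/32"],   # assumed lo0 addresses
}

# The posted filter, transcribed term by term.
FILTER_ADMIN_ACCESS = [
    {"name": "1", "source-prefix-list": "admin-access",
     "destination-prefix-list": "localhost", "protocol": "tcp",
     "destination-port": 22, "then": "accept"},
    {"name": "block_others", "protocol": "tcp",
     "destination-port": 22, "then": "discard"},
]


def parse_failed_logins(text):
    """Return (user, source_ip) for every SSHD_LOGIN_FAILED line."""
    found = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def in_prefix_list(name, addr):
    """True if addr falls inside any prefix of the named list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def evaluate_filter(terms, src, dst, proto="tcp", dport=22):
    """Junos term semantics: the first term whose every 'from' condition
    matches decides the action; a packet matching no term hits the
    implicit discard at the end of the filter."""
    for term in terms:
        if term.get("protocol", proto) != proto:
            continue
        if term.get("destination-port", dport) != dport:
            continue
        if "source-prefix-list" in term and not in_prefix_list(term["source-prefix-list"], src):
            continue
        if "destination-prefix-list" in term and not in_prefix_list(term["destination-prefix-list"], dst):
            continue
        return term["name"], term["then"]
    return None, "discard"


def audit(text, dst="203.0.113.1"):
    """For each failed login, report which term the filter would have hit
    had the packet traversed lo0 family inet toward the assumed lo0 address."""
    return [(user, src) + evaluate_filter(FILTER_ADMIN_ACCESS, src, dst)
            for user, src in parse_failed_logins(text)]


def failures_by_source(text):
    """Count failed logins per source address."""
    return Counter(src for _, src in parse_failed_logins(text))


if __name__ == "__main__":
    for user, src, term, action in audit(SAMPLE_LOG):
        print(f"{src:16} user={user:8} term={term} action={action}")
    print(failures_by_source(SAMPLE_LOG))
```

Under these assumptions every logged source lands in `block_others` and is discarded, which is the point of the check: sshd still saw the attempts, so either the real `admin-access` list is wider than intended, or the packets reach the RE by a path the `family inet` lo0 filter does not evaluate. Two things to look at next: add a `count` action to `block_others` and read `show firewall filter admin-access` to see whether those packets ever reach the filter, and note that the `rad_send_request` lines say the RADIUS servers returned nothing for these attempts, so which method actually evaluated the password is worth checking against `authentication-order`. The function also shows a side effect of the term-1 shape: an admin source whose destination is not in `localhost` is discarded too, so that list has to contain the address admins actually connect to, not just 127.0.0.1/32.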


