Juniper SSH Protection

Published: 2020-05-23 18:13:18 Source: web Reads: 1979 Author: Bcheng7 Category: Security Technology

Many customers have had their firewalls hacked, especially Netscreen devices, whose factory login credentials are netscreen/netscreen.
On the SRX the default login user is root, and plenty of people probe SRX devices over SSH as well. If you have syslog configured, you will
easily see messages like the ones below when you run show log messages in the CLI. This post introduces three basic SSH protections:
1. Restrict ordinary SSH logins;
2. Permit or deny SSH from specific source and destination addresses on the loopback interface;
3. Change the default SSH port.
Nov 11 23:05:01 TB-RD-FW-P newsyslog[44691]: logfile turned over due to size>100K
Nov 11 23:05:06 TB-RD-FW-P sshd[44685]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:07 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:07 TB-RD-FW-P sshd[44693]: Failed password for root from 61.143.139.10 port 35569 ssh3
Nov 11 23:05:12 TB-RD-FW-P sshd[44693]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:13 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:13 TB-RD-FW-P sshd[44696]: Failed password for root from 61.143.139.10 port 39821 ssh3
Nov 11 23:05:19 TB-RD-FW-P sshd[44696]: Received disconnect from 61.143.139.10: 11: Bye Bye [preauth]
Nov 11 23:05:20 TB-RD-FW-P sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '61.143.139.10'
Nov 11 23:05:20 TB-RD-FW-P sshd[44698]: Failed password for root from 61.143.139.10 port 44476 ssh3

First, method one. It is simple and effective, and the basic configuration is as follows:
set system services ssh root-login deny >>>>>>>>deny logins as the root user
set system services ssh connection-limit 3 >>>>>>>>at most 3 concurrent SSH sessions
set system services ssh rate-limit 3 >>>>>>>>at most 3 connection attempts per minute
set system login retry-options minimum-time 30 >>>>>>>>wait time after a failed login
set system login retry-options maximum-time 100 >>>>>>>>how long the device waits during a login
set system login retry-options lockout-period 30 >>>>>>>>lockout duration

The Junos loopback interface serves several purposes. On Cisco it is generally used as the router-id for dynamic routing; on Juniper it can also act as an interface for both the data plane and the control plane.
When protection is enabled on the loopback interface, it effectively defends the Routing Engine against attacks on NTP, SSH and similar services.
The basic configuration is as follows:
set interfaces lo0 unit 0 family inet filter input RE-protection
set firewall family inet filter RE-protection term alw-ssh from source-address 172.16.255.0/24
set firewall family inet filter RE-protection term alw-ssh from source-address 10.200.255.0/24
set firewall family inet filter RE-protection term alw-ssh from protocol tcp
set firewall family inet filter RE-protection term alw-ssh from port ssh
set firewall family inet filter RE-protection term alw-ssh then accept
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
set firewall family inet filter RE-protection term alw-ntp from source-address 10.200.254.0/24
set firewall family inet filter RE-protection term alw-ntp from protocol udp
set firewall family inet filter RE-protection term alw-ntp from port ntp
set firewall family inet filter RE-protection term alw-ntp then accept
set firewall family inet filter RE-protection term deny-ntp from protocol udp
set firewall family inet filter RE-protection term deny-ntp from port ntp
set firewall family inet filter RE-protection term deny-ntp then count deny-ntp
set firewall family inet filter RE-protection term deny-ntp then log
set firewall family inet filter RE-protection term deny-ntp then discard
set firewall family inet filter RE-protection term else-all then accept

The effect is as follows:
root# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:18:14 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:11 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:08 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:18:02 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100
10:17:59 pfe D ge-0/0/0.0 TCP 10.101.5.108 10.101.5.100

The third method redirects the SSH port, as mentioned in the earlier NAT tips post.
From this part of the configuration you can see that lo0.0 permits ssh as host-inbound-traffic, while ge-0/0/0.0 denies everything by default:
set interfaces lo0 unit 0 family inet address 10.220.1.254/32
set security zones security-zone trust address-book address lo-ssh 10.220.1.254/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 family inet address 10.101.5.100/24
set security zones security-zone untrust interfaces ge-0/0/0.0
Now the basic NAT configuration:
set security nat destination pool lo-ssh address 10.220.1.254/32
set security nat destination pool lo-ssh address port 22
set security nat destination rule-set 001 from zone untrust
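The post stops before the destination-NAT rule and the security policy that make the redirect work. The following is an added example, not the original post's configuration; it builds on the lo0, zone and pool statements above, and the external port 2222 and the names ssh-redirect and allow-ssh are assumptions.

```junos
# Added example (not from the original post). Assumes the lo0/zone/pool config above.
# The external port 2222 and the names ssh-redirect / allow-ssh are assumptions.
#
# Destination NAT: sessions arriving on ge-0/0/0.0 for 10.101.5.100:2222 are rewritten
# to the loopback address 10.220.1.254:22, the only place where ssh is host-inbound.
set security nat destination rule-set 001 rule ssh-redirect match destination-address 10.101.5.100/32
set security nat destination rule-set 001 rule ssh-redirect match destination-port 2222
set security nat destination rule-set 001 rule ssh-redirect then destination-nat pool lo-ssh
#
# Security policy: after NAT the destination is lo0.0, which lives in zone trust,
# so an untrust -> trust policy is required. Matching on the lo-ssh address-book
# entry and the predefined junos-ssh application keeps the policy scoped to this path.
set security policies from-zone untrust to-zone trust policy allow-ssh match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssh match destination-address lo-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh then permit
#
# Port 22 on 10.101.5.100 itself stays closed: ssh is not listed in the untrust
# zone's host-inbound-traffic, so direct probes against ge-0/0/0.0 are dropped.
# Verify after commit:
#   show security nat destination summary
#   show security flow session destination-port 22
```

The # lines are explanatory and should be left out when pasting the statements into the CLI.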

Another method is Dynamic VPN, where the administrator logs in over an IPsec tunnel.
