Juniper SRX – BAD_DUDES

Whilst studying for the JNCIA-Junos exam I was trying various configurations on my SRX110 and decided to expose it to the internet as my LAN ‘DMZ host’. After a little while I noticed the log filling up with messages like these:

Feb 14 11:24:24 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '59.63.188.32'
Feb 14 11:24:24 2018  CS7-SRX01 sshd[93308]: Failed password for root from 59.63.188.32 port 16420 ssh2
Feb 14 11:24:34 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '59.63.188.32'
Feb 14 11:24:34 2018  CS7-SRX01 sshd[93310]: Failed password for root from 59.63.188.32 port 32392 ssh2
Feb 14 11:24:35 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '59.63.188.32'
Feb 14 11:24:35 2018  CS7-SRX01 sshd[93310]: Failed password for root from 59.63.188.32 port 32392 ssh2

So I came up with the following firewall filter and prefix list:

firewall {
    filter SSH_FILTER {
        term BAD_DUDES {
            from {
                prefix-list {
                    BAD_DUDES;
                }
                protocol tcp;
                destination-port 22;
            }
            then {
                count SSH_DROP_COUNTER-BAD_DUDES;
                discard;
            }
        }
        term ALL_OTHER_SSH_SOURCES {
            from {
                address {
                    0.0.0.0/0;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term ALLOW_ALL {
            then accept;
        }
    }
}
policy-options {
    prefix-list BAD_DUDES {
        37.187.33.146/32;
        42.7.26.15/32;
        42.7.26.85/32;
        46.210.182.183/32;
        46.243.189.99/32;
        49.147.134.239/32;
    }
}

The internet being what it is, these login attempts are numerous and come from all corners.
So I present to you bad_dudes.py, a script for scraping and storing attack-source information and subsequently blocking by IP.

The script's logic starts once it is logged onto the router: it runs the command “show log messages” and uses a great Junos feature, the match option with full regex support. Each line is matched against a long regex to extract the necessary details about the bad dude trying to log on: timestamp, account and IP address.
This information is then inserted into a local SQLite database. To reduce DB size, foreign keys for IP address and account name are used, as I expect a great deal of duplication of data; e.g. ~90% of the time the ‘root’ account is used for attempted logons.

Once the matching log messages have been inserted, the DB is queried for two conditions:

  • has an IP failed to log on with three different accounts
  • has an IP failed to log on three times with the same account

Using these results a block_list is assembled and appended to the prefix-list BAD_DUDES running on the SRX. “commit and-quit”, done!
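As an added example (not the author's bad_dudes.py), this is how the parse, store and query steps above fit together in Python over a constructed sample of “show log messages” output; the addresses are RFC 5737 documentation ranges, not real hosts, and the regex, schema and thresholds are my own assumptions:

```python
import re
import sqlite3

# Constructed sample in the format quoted above. Only SSHD_LOGIN_FAILED lines
# are parsed; the paired "Failed password" line is skipped so one attempt is
# not counted twice.
SAMPLE_LOG = """\
Feb 14 11:24:24 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '198.51.100.7'
Feb 14 11:24:24 2018  CS7-SRX01 sshd[93308]: Failed password for root from 198.51.100.7 port 16420 ssh2
Feb 14 11:24:34 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '198.51.100.7'
Feb 14 11:24:35 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '198.51.100.7'
Feb 14 11:25:01 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '203.0.113.9'
Feb 14 11:25:02 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'pi' from host '203.0.113.9'
Feb 14 11:25:03 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test' from host '203.0.113.9'
Feb 14 11:26:00 2018  CS7-SRX01 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '192.0.2.44'
"""
LOGIN_FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s+\S+ sshd: SSHD_LOGIN_FAILED: "
                          r"Login failed for user '(?P<user>[^']+)' from host '(?P<ip>[0-9.]+)'")
# Lookup tables for IPs and account names; each attempt stores foreign keys only.
SCHEMA = """CREATE TABLE ip (id INTEGER PRIMARY KEY, addr TEXT UNIQUE);
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE attempt (ts TEXT, ip_id REFERENCES ip(id), account_id REFERENCES account(id));"""

def row_id(cur, table, col, value):
    cur.execute(f"INSERT OR IGNORE INTO {table} ({col}) VALUES (?)", (value,))
    return cur.execute(f"SELECT id FROM {table} WHERE {col} = ?", (value,)).fetchone()[0]

def ingest(conn, log_text):
    cur = conn.cursor()
    for m in filter(None, map(LOGIN_FAILED.search, log_text.splitlines())):
        cur.execute("INSERT INTO attempt VALUES (?, ?, ?)",
                    (m["ts"], row_id(cur, "ip", "addr", m["ip"]),
                     row_id(cur, "account", "name", m["user"])))
    conn.commit()

def block_list(conn, threshold=3):
    """IPs that failed with >= threshold distinct accounts, or >= threshold times on one account."""
    rows = conn.execute("""
        SELECT ip.addr AS addr FROM attempt JOIN ip ON ip.id = attempt.ip_id
        GROUP BY attempt.ip_id HAVING COUNT(DISTINCT attempt.account_id) >= ?
        UNION
        SELECT ip.addr AS addr FROM attempt JOIN ip ON ip.id = attempt.ip_id
        GROUP BY attempt.ip_id, attempt.account_id HAVING COUNT(*) >= ?
        ORDER BY addr""", (threshold, threshold))
    return [r[0] for r in rows]

def run(log_text=SAMPLE_LOG):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ingest(conn, log_text)
    return block_list(conn)
```

Each address returned would then become a `/32` entry appended to the prefix-list before the commit; the single failure from 192.0.2.44 stays below both thresholds and is not blocked.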

Future improvements?

  • A Cisco IOS / ASA OS version
  • A WHOIS lookup to notice when IPs belong to the same subnet. Block the entire subnet if it contains X number of known bad IPs
  • A whitelist, to guard against fat-finger incidents
