Re: Netscreen 5XT SSH Traffic

From: Jonathan Nichols (jnichols_at_pbp.net)
Date: 03/18/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Pubstro rash" 
    Date: Fri, 18 Mar 2005 09:33:07 -0800
To: Ben Blakely <blakely@krellinst.org>

    Ben Blakely wrote:
    > Hello List,
    >
    > I'm the admin for a small network that uses a NetScreen 5XT firewall as
    > the border access control device. Just like everyone else, we get a
    > pretty constant stream of SSH login attempts to our full range of IPs.
    > This doesn't concern us too much as our root logins are disabled and we
    > enforce strong passwords. However, several days ago we started seeing
    > SSH (v2, port 22) login attempts to machines that the firewall should
    > not be allowing SSH traffic to in the first place. Unfortunately this
    > happened overnight and our log vault machine was experiencing unrelated
    > problems. Due to this I wasn't able to capture any of the traffic for
    > closer dissection. The only conclusion we were able to reach here was
    > that perhaps there is a state table poisoning bug in the NetScreen code
    > that tricked the firewall into thinking the traffic had originated as
    > egress. Is this a reasonable conclusion? To be honest that seems like
    > a bit of a reach, does anyone else have any experience with similar
    > incidents or any possible explanations? I'll happy to clarify anything
    > I can with the data I have, thanks for your time everyone.
    >
    > /ben Blakely

    Have you contacted Netscreen/Juniper TAC about this? There are ways to
    capture packets on the 5XT itself for analysis. Do you have another host
    that you can use to test this from the outside? If it's an internal box
    that shouldn't be allowed SSH access, you oughta be able to test that
    from a machine outside the network.

    I'd definitely contact the TAC about this, and have them review the
    firewall rules as well. It's possible that there's a rule that's
    overriding your deny SSH rule.

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Pubstro rash"

    Relevant Pages

    • RE: Netscreen 5XT SSH Traffic
      ... flaw in the firewall software. ... Subject: Netscreen 5XT SSH Traffic ... > I'm the admin for a small network that uses a NetScreen 5XT firewall ... Have you contacted Netscreen/Juniper TAC about this? ...
      (Incidents)
    • Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
      ... >> I start by not giving logins and SSH access to users I don't trust. ... a network topology which goes around the ... >> firewall and thus is a serious hole to network security. ... >> have access via UPnP to, well, anything that device might happen to ...
      (Firewall-Wizards)
    • Re: ssh attempts
      ... the excellent iptables firewall you probably already have on your system. ... consider changing the port SSH listens on. ... Login to account webmaster not allowed or account non-existent. ... Computer Emergency Response Teams, and Digital Investigations. ...
      (Security-Basics)
    • Re: mpich and iptables firewall?
      ... to me it seems a very weird setup to have a firewall running ... on the cluster nodes. ... Using SGE you could disable rsh and ssh completely ... Chain FORWARD ...
      (comp.parallel.mpi)
    • Re: Problems with ipfw and ssh
      ... I get this error when updating my firewall rules via ssh. ... ${addcmd} 50 allow all from any to any via lo0 ... debug1: PAM: cleanup ...
      (freebsd-questions)