Hello,

Someone is brute-forcing Your router password, and that is very common nowadays. A good loopback filter would prevent this.

In addition:

1/ You can only do "request system logout" for sessions that have passed authentication, logged in and been assigned a TTY. If You see "unsuccessful login" it means this session did not get past authentication. Unauthenticated sessions get disconnected after 3 wrong password attempts, or after 120 secs if there is no data flowing (from memory).

2/ Best practice is not to allow telnet at all. Use SSH instead. To disable telnet, make sure You do NOT have the "telnet" line under the "[system services]" stanza.

3/ Also, You should be using:

3a/ loopback filter allowing SSH from trusted source IPs only. If You manage the router via the internet and must keep remote access to it open to ANYONE, that's not a good practice at all.

3b/ SSH public key authentication instead of password

3c/ backoff timer to fire after 3-5 unsuccessful login tries

3d/ inactivity timer to close hanging SSH sessions - to make sure You are not locked out of router access because all TTYs are taken.

Thanks

Alex
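Putting items 2 and 3a-3d together in Junos configuration, as an added example that is not from Alex's message or from any Juniper document: the 192.0.2.0/24 prefix, the PROTECT-RE filter name, the OPS-ADMIN class, the alex user and the key string are placeholders to replace with your own.

```junos
/* 3a: loopback filter, SSH only from the trusted management prefix (192.0.2.0/24 is a placeholder) */
firewall {
    family inet {
        filter PROTECT-RE {
            term allow-ssh-from-mgmt {
                from { source-address { 192.0.2.0/24; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* everything else aimed at ssh or telnet is logged and dropped before it reaches sshd/telnetd */
            term drop-other-mgmt {
                from { protocol tcp; destination-port [ ssh telnet ]; }
                then { syslog; discard; }
            }
            /* a final accept keeps routing protocols, NTP, SNMP etc. reaching the RE */
            term allow-everything-else { then accept; }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }
}
system {
    /* 2: no "telnet;" statement under services, so telnetd is never started */
    services {
        /* 3b: SSH v2, no root login, public-key authentication only */
        ssh {
            protocol-version v2;
            root-login deny;
            no-passwords;
        }
    }
    login {
        /* 3c: drop the session after 3 bad passwords, delaying 5 s more per failure after the 2nd */
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 2;
            backoff-factor 5;
        }
        /* 3d: inactivity timer (minutes) lives on the login class; a hung session frees its TTY */
        class OPS-ADMIN {
            permissions all;
            idle-timeout 15;
        }
        user alex {
            class OPS-ADMIN;
            authentication { ssh-rsa "ssh-rsa AAAA...PLACEHOLDER alex@mgmt"; }
        }
    }
}
```

Load it with "commit confirmed" so a mistyped trusted prefix in the filter rolls back instead of locking you out of the router.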


On 21/11/2016 21:29, Aaron wrote:
I have an unauthorized telnet session attached to my router but it does not show up under "show system users" and they have not successfully logged in, so it doesn't seem that I can do the "request system logout.." thing.

I do however see unsuccessful login attempts in syslog.

How do I kill/disconnect this TCP session?

me@j1> show system connections | grep ".23 "
tcp4       0      0  109.109.109.109.23                            181.181.181.181.55436                         ESTABLISHED
tcp4       0      0  *.23                                          *.*                                           LISTEN
tcp4       0      0  *.6023                                        *.*                                           LISTEN
tcp4       0      0  *.6023                                        *.*                                           LISTEN
udp4       0      0  128.0.0.1.123                                 *.*
udp4       0      0  *.123                                         *.*
udp4       0      0  *.6123                                        *.*
udp4       0      0  *.6123                                        *.*

{master:0}

me@j1> show system processes | grep "PID|telnet"
   PID  TT  STAT      TIME COMMAND
70193  ??  Is     0:00.00 telnetd

{master:0}

me@j1> start shell
% ps -awwux | grep telnet
root   70193  0.0  0.1  2128  1396  ??  Is    1:34PM   0:00.00 telnetd
remote 70971  0.0  0.0   480   296  p5  R+    3:19PM   0:00.00 grep telnet
%

- Aaron

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp