Hello,
Someone is brute-forcing Your router password, and that is very common
nowadays. A good loopback filter would prevent this.
In addition:
1/ You can only do "request system logout" for sessions that passed
authentication+login+got a TTY assigned. If You see "unsuccessful login"
it means this session did not get past authentication. Unauthenticated
sessions get disconnected after 3 wrong password attempts, or 120 secs
if there is no data flowing (from memory).
2/ Best practice is not to allow telnet at all. Use SSH instead. To
disable telnet, make sure You do NOT have the "telnet" line under
"[system services]" stanza.
3/ Also, You should be using:
3a/ loopback filter allowing SSH from trusted source IPs only. If You
manage the router via the internet and must keep remote access to it open
to ANYONE, that's not a good practice at all.
3b/ SSH public key authentication instead of password
3c/ backoff timer to fire after 3-5 unsuccessful login tries
3d/ inactivity timer to close hanging SSH sessions - to make sure You
are not locked out of the router access because all TTYs are taken.
Thanks
Alex
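As an added illustration (not part of Alex's reply or anything Juniper published), the points 2 and 3a-3d above expressed as Junos "set" commands. The management prefix 192.0.2.0/24, the filter name PROTECT-RE, the class/user names and the public-key placeholder are assumptions, not values from the thread:

```junos
## Added example, not from the original thread. Prefix, names and key are placeholders.

## 2/ no telnet at all; SSH v2 only, no direct root login, and a cap on
##    concurrent/new sessions so a scanner cannot exhaust the TTYs
delete system services telnet
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 3

## 3a/ loopback (Routing Engine) filter: SSH accepted only from the trusted
##     management prefix; any other SSH/telnet attempt is logged and discarded
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt then accept
set firewall family inet filter PROTECT-RE term deny-ssh-telnet from protocol tcp
set firewall family inet filter PROTECT-RE term deny-ssh-telnet from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term deny-ssh-telnet then syslog
set firewall family inet filter PROTECT-RE term deny-ssh-telnet then discard
## placeholder last term: a production RE filter enumerates the routing,
## NTP, SNMP etc. traffic it needs and discards everything else
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## 3b/ public-key authentication for the admin user; password logins off
set system login class netops-class permissions all
set system login user netops class netops-class
set system login user netops authentication ssh-rsa "ssh-rsa <PUBLIC-KEY-PLACEHOLDER> netops"
set system services ssh no-passwords

## 3c/ backoff and disconnect after a few failed attempts
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 10

## 3d/ idle timer on the login class (minutes) plus SSH keepalives so dead
##     sessions are torn down and do not hold TTYs
set system login class netops-class idle-timeout 10
set system services ssh client-alive-interval 60
set system services ssh client-alive-count-max 3
```

Commit this only after confirming the key-based login works from the trusted prefix (commit confirmed is the usual safety net), since the filter and no-passwords together will lock out anything else. Once "telnet" is gone from [system services] and the commit completes, the port 23 listener and its telnetd process are no longer there to be connected to.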
On 21/11/2016 21:29, Aaron wrote:
I have an unauthorized telnet session attached to my router but it does not
show up under "show system users" and they have not successfully logged in, so
it doesn't seem that I can do the "request system logout.." thing
I do however see unsuccessful login attempts in syslog
How do I kill/disconnect this tcp session?
me@j1> show system connections | grep ".23 "
tcp4 0 0 109.109.109.109.23 181.181.181.181.55436 ESTABLISHED
tcp4 0 0 *.23 *.* LISTEN
tcp4 0 0 *.6023 *.* LISTEN
tcp4 0 0 *.6023 *.* LISTEN
udp4 0 0 128.0.0.1.123 *.*
udp4 0 0 *.123 *.*
udp4 0 0 *.6123 *.*
udp4 0 0 *.6123 *.*
{master:0}
me@j1> show system processes | grep "PID|telnet"
PID TT STAT TIME COMMAND
70193 ?? Is 0:00.00 telnetd
{master:0}
me@j1> start shell
% ps -awwux | grep telnet
root 70193 0.0 0.1 2128 1396 ?? Is 1:34PM 0:00.00 telnetd
remote 70971 0.0 0.0 480 296 p5 R+ 3:19PM 0:00.00 grep telnet
%
- Aaron
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp