Always a good reference: http://www.team-cymru.org/templates.html http://www.cymru.com/gillsr/documents/junos-template.pdf
-- Hugo Slabbert | email, xmpp/jabber: [email protected] pgp key: B178313E | also on Signal On Thu 2016-Nov-24 11:07:45 +0000, Alexander Arseniev <[email protected]> wrote:
Hello,Someone is brute-forcing Your router password, and that is very common nowadays. Good loopback filter would prevent this.In addition:1/ You can only do "request system logout" for sessions that passed authentication+login+got TTY assigned. If You see "unsuccessful login" it means this session did not get past authentication. Unautheticated sessions got disconnected after 3 wrong password attempts, or 120 secs if there is no data flowing (from memory)2/ Best practice is not to allow telnet at all. Use SSH instead. To disable telnet, make sure You do NOT have the "telnet" line under "[system services]" stanza.3/ Also, You should be using:3a/ loopback filter allowing SSH from trusted source IPs only. If You manage router via internet, and must keep remote access to it open to ANYONE that's not a good practice at all.3b/ SSH public key authentication instead of password 3c/ backoff timer to fire after 3-5 unsuccessful login tries3d/ inactivity timer to close hanging SSH sessions - to make sure You are not locked out of the router access because all TTYs are taken.Thanks Alex On 21/11/2016 21:29, Aaron wrote:I have an unauthorized telnet session attached to my router but it does not show up under "show system users" and they have not successfully logged so it doesn't seem that I can do the "request system logout.." thing I do however so unsuccessful login attempts in syslog How do I kill/disconnect this tcp session ? me@j1> show system connections | grep ".23 " tcp4 0 0 109.109.109.109.23 181.181.181.181.55436 ESTABLISHED tcp4 0 0 *.23 *.* LISTEN tcp4 0 0 *.6023 *.* LISTEN tcp4 0 0 *.6023 *.* LISTEN udp4 0 0 128.0.0.1.123 *.* udp4 0 0 *.123 *.* udp4 0 0 *.6123 *.* udp4 0 0 *.6123 *.* {master:0} me@j1> show system processes | grep "PID|telnet" PID TT STAT TIME COMMAND 70193 ?? Is 0:00.00 telnetd {master:0} me@j1> start shell % ps -awwux | grep telnet root 70193 0.0 0.1 2128 1396 ?? Is 1:34PM 0:00.00 telnetd remote 70971 0.0 0.0 480 296 p5 R+ 3:19PM 0:00.00 grep telnet % - Aaron _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp_______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
signature.asc
Description: Digital signature
_______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp

