[Juniper] Restricting remote SSH and Telnet access on Junos (ACL)

<p class="wp-block-paragraph">Learning as I go and keeping notes along the way; if anything here is wrong, corrections are welcome.</p>

<p class="wp-block-paragraph">For basic Junos operation and setting the root password, see my earlier article: <a href="https://kerker.website/juniper-junos%E5%9F%BA%E6%9C%AC%E6%93%8D%E4%BD%9C%E3%80%81root%E5%AF%86%E7%A2%BC%E8%A8%AD%E5%AE%9A/">Juniper Junos basic operation and root password setup</a></p>

<p class="wp-block-paragraph">List of all Juniper articles: <a href="https://kerker.website/juniper-junos-%E7%B3%BB%E5%88%97-%E6%96%87%E7%AB%A0%E5%88%97%E8%A1%A8/">Juniper JunOS article series</a></p>

<p class="wp-block-paragraph">Previously we enabled SSH and Telnet remote management on the switch, but if every IP address on the Internet is able to manage it remotely, that is a security risk.</p>

<p class="wp-block-paragraph">Remote management traffic to a Juniper device is logically handled through the loopback interface, so we restrict the source IPs that may manage the device by applying a filter on the loopback interface (lo0).</p>

<p class="wp-block-paragraph">For this configuration we reuse the earlier VLAN basic setup example and allow only vlan200 (the 192.168.200.0/24 subnet) to manage sw1 over telnet and ssh.</p>

<figure class="wp-block-image"><img src="https://lh3.googleusercontent.com/EKKqtqnq0qKqONp5ytk-owXiK5OFieZBcOlpMUUYP-DnU5K7hq4Tj0wc3Z3HU1GfRxTo61Z5HqjpxjLPDw-YPpLGbxQP9osnQtORJQgci0uMiGuP-DidSaLcpW4bsqTyr9H4ox56VjkbNMW_SoTV9ah8RkOrmyv1NFxKMXoXuubEI9Ve2vlGosi8bYzbTg2dSDbEZq-3TCl9GRJShkW79b7TlYClg1eI3R-Py7yUiNV7YfnWvkFGfG2oVzyQaXLJ7zfoYpkuE_7e3rLL8JYSz80EwXTR82u6mGVy71rZXp2JdfJGtIKTOelmQu4VbM1VsZJDSM4mjNLzWTEMXNYAn0w3NlgP7sa2_4UfwV4YvL3MkEtI-hOg1UyNXOb7JHbQgCwR-tZKi23hgObRlgKFTzxj88EH4sxxGQ8l7_oJKZC1ggifyMdCRJTN5IqwEjjPnQMZUGEizOxUDseghTccOW9rXRFr2MBv_K9Hc8zOGlw4KHs9NuR-1aGkUaYGXLBmv7oHYV1IUH9X7Yu8W1nmXPvCfpzntwNEe2-rEzgSMhS3onELgdD5uRIe4x58EKSKQkcZ2ivS8syRUq4SUM-lBHN9yo5JWIuU2VTURXsjShnZhyI4sGmrnKFclyyRl8oCCPXK6m5cMYmkc4-YnwAhI8a2J0fTgxB0QNvjPVcxoV4nVWvL0vYf0L6xmkNw0jD4X7tKCtv3KGTiF9HW-Ub81ar5FWC-HpdzXWDmZiwAgAYDp9mT=w471-h364-no" alt=""/></figure>

<p class="wp-block-paragraph">First we create the filter that we will apply later. In configuration mode, build it with the following commands:</p>

<pre class="wp-block-code"><code>KerKer@sw1# set firewall family inet filter Remote_ACL term 1 from source-address 192.168.200.0/24
KerKer@sw1# set firewall family inet filter Remote_ACL term 1 from destination-port telnet
KerKer@sw1# set firewall family inet filter Remote_ACL term 1 from destination-port ssh
KerKer@sw1# set firewall family inet filter Remote_ACL term 1 then accept
KerKer@sw1# set firewall family inet filter Remote_ACL term 2 from destination-port telnet
KerKer@sw1# set firewall family inet filter Remote_ACL term 2 from destination-port ssh
KerKer@sw1# set firewall family inet filter Remote_ACL term 2 then reject
KerKer@sw1# set firewall family inet filter Remote_ACL term 3 then accept</code></pre>

<p class="wp-block-paragraph">Remote_ACL is the name we gave this filter; any other name would do. The filter configuration can be reviewed in configuration mode with the show command:</p>

<pre class="wp-block-code"><code>KerKer@sw1# show firewall family inet filter Remote_ACL
term 1 {
    from {
        source-address {
            192.168.200.0/24;
        }
        destination-port [ telnet ssh ];
    }
    then accept;
}
term 2 {
    from {
        destination-port [ telnet ssh ];
    }
    then {
        reject;
    }
}
term 3 {
    then accept;
}</code></pre>

<p class="wp-block-paragraph">Term 1 first permits telnet and ssh requests from 192.168.200.0/24, term 2 then blocks telnet and ssh requests from every other IP address, and term 3 finally permits all other packets that are neither telnet nor ssh.</p>

<p class="wp-block-paragraph">Note that the number after term is the term's name; any string can be used as the name.</p>

<p class="wp-block-paragraph">Terms are evaluated in the order in which they are listed; from introduces the match conditions and then introduces the action.</p>

<p class="wp-block-paragraph">destination-port accepts the names of common protocols, which is equivalent to writing those protocols' default ports, so [ 22 23 ] would have the same effect here.</p>

<p class="wp-block-paragraph">To change the order, use insert term 2 before term 1 in configuration mode to move term 2 in front of term 1.</p>

<p class="wp-block-paragraph">Once the filter is complete we have to apply it to the interface, as follows:</p>

<p class="wp-block-paragraph"><code>KerKer@sw1# set interfaces lo0 unit 0 family inet filter input Remote_ACL</code></p>

<p class="wp-block-paragraph">That completes the configuration. Remember to commit, or the changes will not take effect; for more on the commit command see: <a href="https://kerker.website/juniper-junos%E6%8F%90%E4%BA%A4%E8%A8%AD%E5%AE%9Acommit/">Juniper Junos committing configuration (commit)</a></p>

<p class="wp-block-paragraph">We connect a PC to vlan100 and another to vlan200 and test ping and telnet/ssh against sw1 from each.</p>

<p class="wp-block-paragraph">From 192.168.100.1 we can ping sw1 normally, but ssh and telnet fail.</p>

<pre class="wp-block-code"><code>[C:\~]$ ipconfig

Windows IP 設定

乙太網路卡 乙太網路 9:

   連線特定 DNS 尾碼 . . . . . . . . :
   IPv4 位址 . . . . . . . . . . . . : 192.168.100.1
   子網路遮罩 . . . . . . . . . . . .: 255.255.255.0
   預設閘道 . . . . . . . . . . . . .: 192.168.100.254

[C:\~]$ ping 10.0.0.1

Ping 10.0.0.1 (使用 32 位元組的資料):
回覆自 10.0.0.1: 位元組=32 時間=3ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=5ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=4ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=10ms TTL=64

10.0.0.1 的 Ping 統計資料:
    封包: 已傳送 = 4,已收到 = 4, 已遺失 = 0 (0% 遺失),
大約的來回時間 (毫秒):
    最小值 = 3ms,最大值 = 10ms,平均 = 5ms

[C:\~]$ telnet 10.0.0.1

Connecting to 10.0.0.1:23...
Could not connect to '10.0.0.1' (port 23): Connection failed.

[C:\~]$ ssh 10.0.0.1

Connecting to 10.0.0.1:22...
Could not connect to '10.0.0.1' (port 22): Connection failed.</code></pre>

<p class="wp-block-paragraph">When we switch to 192.168.200.1, ping, ssh and telnet all work normally.</p>

<pre class="wp-block-code"><code>[C:\~]$ ipconfig

Windows IP 設定

乙太網路卡 乙太網路 9:

   連線特定 DNS 尾碼 . . . . . . . . :
   IPv4 位址 . . . . . . . . . . . . : 192.168.200.1
   子網路遮罩 . . . . . . . . . . . .: 255.255.255.0
   預設閘道 . . . . . . . . . . . . .: 192.168.200.254

[C:\~]$ ping 10.0.0.1

Ping 10.0.0.1 (使用 32 位元組的資料):
回覆自 10.0.0.1: 位元組=32 時間=12ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=12ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=7ms TTL=64
回覆自 10.0.0.1: 位元組=32 時間=10ms TTL=64

10.0.0.1 的 Ping 統計資料:
    封包: 已傳送 = 4,已收到 = 4, 已遺失 = 0 (0% 遺失),
大約的來回時間 (毫秒):
    最小值 = 7ms,最大值 = 12ms,平均 = 10ms

[C:\~]$ telnet 10.0.0.1

Connecting to 10.0.0.1:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

[C:\~]$ ssh 10.0.0.1

Connecting to 10.0.0.1:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.</code></pre>

<p class="wp-block-paragraph">This confirms that all the settings have taken effect and that access to the switch is now restricted to the intended source!</p>
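<p class="wp-block-paragraph">As an added example (not part of the original post or of Junos itself), the small model below mimics how Junos walks a stateless filter: the first matching term decides, and a packet that matches no term hits the implicit discard at the end of the filter. Running the post's Remote_ACL terms against constructed packets shows why term 3 is needed for ping to keep working and what the insert term 2 before term 1 reordering would do; the term and packet representation is my own, not a Junos API.</p>

```python
# Added example: a minimal model of Junos first-match filter evaluation,
# used to check the Remote_ACL logic from the post. Not Junos code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"ssh": 22, "telnet": 23}  # service names accepted by destination-port


@dataclass
class Term:
    name: str
    action: str                                          # "accept", "reject" or "discard"
    source_address: list = field(default_factory=list)   # prefixes such as "192.168.200.0/24"
    destination_port: list = field(default_factory=list)  # service names or port numbers

    def matches(self, pkt: dict) -> bool:
        """All 'from' conditions must hold; a term without conditions matches everything."""
        if self.source_address and not any(
                ip_address(pkt["src"]) in ip_network(p) for p in self.source_address):
            return False
        if self.destination_port:
            ports = {SERVICE_PORTS.get(p, p) for p in self.destination_port}
            if pkt.get("dport") not in ports:        # ICMP has no port, so it never matches
                return False
        return True


def evaluate(terms: list, pkt: dict) -> str:
    """First matching term wins; with no match Junos applies an implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return f"{term.action} (term {term.name})"
    return "discard (implicit)"


# The filter exactly as configured in the post.
REMOTE_ACL = [
    Term("1", "accept", source_address=["192.168.200.0/24"], destination_port=["telnet", "ssh"]),
    Term("2", "reject", destination_port=["telnet", "ssh"]),
    Term("3", "accept"),
]

# Constructed packets: the two management hosts from the post plus an ICMP echo request.
PACKETS = {
    "ssh from vlan200":    {"src": "192.168.200.1", "proto": "tcp", "dport": 22},
    "telnet from vlan100": {"src": "192.168.100.1", "proto": "tcp", "dport": 23},
    "ping from vlan100":   {"src": "192.168.100.1", "proto": "icmp"},
}


def run(terms: list) -> dict:
    return {label: evaluate(terms, pkt) for label, pkt in PACKETS.items()}
```

Dropping term 3 (`run(REMOTE_ACL[:2])`) sends the ping to the implicit discard, and evaluating with term 2 placed before term 1 rejects ssh even from vlan200, which is why term order matters.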