现在的位置: 首页 > 综合 > 正文

juniper srx650防护防火墙公网IP被攻击方法一

2012年04月18日 综合 ⁄ 共 1988字 ⁄ 字号 暂无评论

内网通过源地址的NAT上网,通常情况下,这个公网IP是防火墙的IP,即内网公网IP。这个IP默认情况下管理员为了便于管理,会打开http、https、ssh等端口。这样容易被外网的人猜测到密码。现采取以下措施:

开放系统的相关服务:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/3.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

现思路如下:

将该公网的ip的服务关闭,然后将防火墙内网IP的管理端口映射到其它公网的某个端口

delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

/*/建立元素

set security zones security-zone trust address-book address juniper2541 192.168.254.1/32

#建立NAT

set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22

set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1055
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541

#建立策略

set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1055
set security policies from-zone untrust to-zone trust policy yc2541 then permit

给我留言

留言无头像?