Security Incidents mailing list archives
RE: Netscreen 5XT SSH Traffic
From: "Dante Mercurio" <Dante () webcti com>
Date: Fri, 18 Mar 2005 14:38:47 -0500
I can't tell from your email what indications you currently have that this came through the firewall and was not spoofed from the inside in some manner. I've always found the Netscreen to be a pretty secure device and this would be a serious flaw. Are there any other methods onto the network such as dial-in, VPN, or vendor connections? Attacks can originate from any of these without a flaw in the firewall software. M. Dante Mercurio, CISSP, CWNA, Security+, SCSP -----Original Message----- From: Jonathan Nichols [mailto:jnichols () pbp net] Sent: Friday, March 18, 2005 12:33 PM To: Ben Blakely Cc: incidents () securityfocus org Subject: Re: Netscreen 5XT SSH Traffic Ben Blakely wrote:
Hello List, I'm the admin for a small network that uses a NetScreen 5XT firewall
as
the border access control device. Just like everyone else, we get a pretty constant stream of SSH login attempts to our full range of IPs. This doesn't concern us too much as our root logins are disabled and
we
enforce strong passwords. However, several days ago we started seeing
SSH (v2, port 22) login attempts to machines that the firewall should not be allowing SSH traffic to in the first place. Unfortunately this
happened overnight and our log vault machine was experiencing
unrelated
problems. Due to this I wasn't able to capture any of the traffic for closer dissection. The only conclusion we were able to reach here was
that perhaps there is a state table poisoning bug in the NetScreen
code
that tricked the firewall into thinking the traffic had originated as egress. Is this a reasonable conclusion? To be honest that seems
like
a bit of a reach, does anyone else have any experience with similar incidents or any possible explanations? I'll happy to clarify
anything
I can with the data I have, thanks for your time everyone. /ben Blakely
Have you contacted Netscreen/Juniper TAC about this? There are ways to capture packets on the 5XT itself for analysis. Do you have another host that you can use to test this from the outside? If it's an internal box that shouldn't be allowed SSH access, you oughta be able to test that from a machine outside the network. I'd definitely contact the TAC about this, and have them review the firewall rules as well. It's possible that there's a rule that's overriding your deny SSH rule.
Current thread:
- Netscreen 5XT SSH Traffic Ben Blakely (Mar 18)
- Re: Netscreen 5XT SSH Traffic Jonathan Nichols (Mar 18)
- <Possible follow-ups>
- RE: Netscreen 5XT SSH Traffic Dante Mercurio (Mar 18)
- Message not available
- Re: Netscreen 5XT SSH Traffic Michael Peppard (Mar 18)
- Re: Netscreen 5XT SSH Traffic Ben Blakely (Mar 21)
- Message not available