Re: Netscreen 5XT SSH Traffic

[Jonathan Nichols <jnichols () pbp net>]

Ben Blakely wrote:
> Hello List,
>
>  I'm the admin for a small network that uses a NetScreen 5XT firewall as 
> the border access control device.   Just like everyone else, we get a 
> pretty constant stream of SSH login attempts to our full range of IPs.  
> This doesn't concern us too much as our root logins are disabled and we 
> enforce strong passwords.  However, several days ago we started seeing 
> SSH (v2, port 22) login attempts to machines that the firewall should 
> not be allowing SSH traffic to in the first place.  Unfortunately this 
> happened overnight and our log vault machine was experiencing unrelated 
> problems. Due to this I wasn't able to capture any of the traffic for 
> closer dissection.  The only conclusion we were able to reach here was 
> that perhaps there is a state table poisoning bug in the NetScreen code 
> that tricked the firewall into thinking the traffic had originated as 
> egress.  Is this a reasonable conclusion?  To be honest that seems like 
> a bit of a reach, does anyone else have any experience with similar 
> incidents or any possible explanations?  I'll happy to clarify anything 
> I can with the data I have, thanks for your time everyone.
>
> /ben Blakely

Have you contacted Netscreen/Juniper TAC about this? There are ways to 
capture packets on the 5XT itself for analysis. Do you have another host 
that you can use to test this from the outside? If it's an internal box 
that shouldn't be allowed SSH access, you oughta be able to test that 
from a machine outside the network.

I'd definitely contact the TAC about this, and have them review the 
firewall rules as well. It's possible that there's a rule that's 
overriding your deny SSH rule.