[Technical Share] SSH/Telnet Attacks
Author: 微思网络   Published: 2023-06-26
Attack overview
The device rate-limits SSH/Telnet protocol packets sent to the CPU. An attack by unauthorized users, or too many users logging in to the device over SSH/Telnet at the same time, can leave the device unmanageable. It is recommended to use a whitelist to control which users may log in to and manage the device, which prevents the security risks of spoofing attacks and illegal access.

Symptom
Legitimate users cannot log in to the device.

Troubleshooting approach
display cpu-defend statistics packet-type ssh all

Root cause
An attack by unauthorized users prevents login to the device over SSH/Telnet.

Procedure
1. Identify the attack source.
2. Once the attack source is identified, deploy a security policy that restricts user logins. Configuration example:
   In V200R011C10SPC600 and later versions, telnet server acl 3334 or stelnet server acl 3334 can be used to filter SSH/Telnet packets. As long as the ACL rules stay within the hardware specification (the combined hardware capacity for SSH and Telnet whitelist entries is 8; beyond 8 rules, illegal users are still filtered, but in software), SSH or Telnet packets from users not matched by ACL 3334 are dropped in hardware.
3. If Telnet login to the device is not required, disable the Telnet server.

Troubleshooting methods (method / command line / applicable versions)

1. Check the CPU-Defend drop counters (V100R006C05 and later versions):
<HUAWEI> display cpu-defend statistics packet-type ssh all
Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
--------------------------------------------------------------------------------
ssh 159810 2739 2021-02-01 17:33:44
NA NA
--------------------------------------------------------------------------------
Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
--------------------------------------------------------------------------------
ssh 159810 2739 2021-02-01 17:33:44
13790778 207864
--------------------------------------------------------------------------------
<HUAWEI> display cpu-defend statistics packet-type telnet all
Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
--------------------------------------------------------------------------------
telnet 1577093 13922 2021-01-23 17:13:43
NA NA
--------------------------------------------------------------------------------
Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
--------------------------------------------------------------------------------
telnet 1577093 13922 2021-01-23 17:13:43
127671081 974564
--------------------------------------------------------------------------------

2. Identify the attack source (capture SSH/Telnet packets sent to the CPU):
[HUAWEI] acl 3333
[HUAWEI-acl-adv-3333] rule 5 permit tcp destination-port eq 22
[HUAWEI-acl-adv-3333] rule 10 permit tcp destination-port eq telnet
[HUAWEI-acl-adv-3333] quit
[HUAWEI] capture-packet cpu acl 3333 destination terminal packet-num 3
Warning: Mirrored packets will be shown on terminal.
[HUAWEI]
Packet: 1
-------------------------------------------------------
00 00 11 00 22 01 00 00 0a 88 1c d0 81 00 cb c7
08 00 45 c0 00 31 d2 07 00 00 ff 06 16 56 ac 16
bd 3e ac 16 bd 3d d3 c7 00 17 83 0c 39 f7 a6 c1
e0 42 50 18 20 00 8e 36 00 00 ff fd 01 ff fd 03
-------------------------------------------------------
Packet: 2
-------------------------------------------------------
00 00 11 00 22 01 00 00 0a 88 1c d0 81 00 cb c7
08 00 45 c0 00 31 d2 07 00 00 ff 06 16 56 ac 16
bd 3e ac 16 bd 3d d3 c7 00 17 83 0c 39 f7 a6 c1
e0 42 50 18 20 00 8e 36 00 00 ff fd 01 ff fd 03
-------------------------------------------------------
Packet: 3
-------------------------------------------------------
00 00 11 00 22 01 00 00 0a 88 1c d0 81 00 cb c7
08 00 45 c0 00 31 d2 07 00 00 ff 06 16 56 ac 16
bd 3e ac 16 bd 3d d3 c7 00 17 83 0c 39 f7 a6 c1
e0 42 50 18 20 00 8e 36 00 00 ff fd 01 ff fd 03
-------------------------------------------------------
-----------------packet getting report-----------------
file: NULL
packets getting: cpu
acl: 3333
vlan: - cvlan: -
car: -- timeout: 60s
packets: 3 (expected) 3 (actual)
length: 64 (expected)
-------------------------------------------------------

3. Deploy a security policy that restricts user logins (whitelist ACL bound to the VTY lines):
[HUAWEI] acl number 3334
[HUAWEI-acl-adv-3334] rule 5 permit ip source 172.22.189.62 0
[HUAWEI-acl-adv-3334] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 3
[HUAWEI-aaa] local-user admin1234 service-type telnet
[HUAWEI-aaa] quit
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 3334 inbound
[HUAWEI-ui-vty0-14] authentication-mode aaa
[HUAWEI-ui-vty0-14] idle-timeout 20 0
[HUAWEI-ui-vty0-14] screen-length 0
[HUAWEI-ui-vty0-14] protocol inbound telnet

4. Disable the Telnet server if Telnet login is not required:
<HUAWEI> system-view
[HUAWEI] undo telnet server enable
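The "identify the attack source" step above dumps the CPU-bound frames as raw hex; an added example (not from the original article or from Huawei) that decodes such a capture-packet cpu dump and tallies which source addresses are sending TCP/22 or TCP/23 traffic to the CPU. The sample dump is a constructed copy of one frame from the output above; the Ethernet/802.1Q/IPv4/TCP layout is decoded from the bytes themselves.

```python
import re
from collections import Counter

# Constructed sample: one frame copied from the capture-packet cpu dump above.
SAMPLE_DUMP = """\
Packet: 1
-------------------------------------------------------
00 00 11 00 22 01 00 00 0a 88 1c d0 81 00 cb c7
08 00 45 c0 00 31 d2 07 00 00 ff 06 16 56 ac 16
bd 3e ac 16 bd 3d d3 c7 00 17 83 0c 39 f7 a6 c1
e0 42 50 18 20 00 8e 36 00 00 ff fd 01 ff fd 03
-------------------------------------------------------
"""

def split_packets(dump):
    """Raw bytes of each 'Packet: N' block (only lines made purely of hex pairs)."""
    frames = []
    for block in re.split(r"^Packet: \d+", dump, flags=re.M)[1:]:
        hexlines = re.findall(r"^(?:[0-9a-fA-F]{2} ?)+$", block, flags=re.M)
        frames.append(bytes.fromhex("".join(hexlines).replace(" ", "")))
    return frames

def parse_frame(frame):
    """Decode Ethernet (optionally 802.1Q-tagged) / IPv4 / TCP headers."""
    ethertype, off, vlan = int.from_bytes(frame[12:14], "big"), 14, None
    if ethertype == 0x8100:                        # 802.1Q tag: TPID, TCI, real EtherType
        vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
        ethertype, off = int.from_bytes(frame[16:18], "big"), 18
    if ethertype != 0x0800 or frame[off] >> 4 != 4:
        return None                                # not IPv4, ignore
    ihl = (frame[off] & 0x0F) * 4                  # IPv4 header length in bytes
    info = {"vlan": vlan, "proto": frame[off + 9],
            "src_ip": ".".join(map(str, frame[off + 12:off + 16])),
            "dst_ip": ".".join(map(str, frame[off + 16:off + 20]))}
    if info["proto"] == 6:                         # TCP: ports and flags
        tcp = frame[off + ihl:]
        info["src_port"] = int.from_bytes(tcp[0:2], "big")
        info["dst_port"] = int.from_bytes(tcp[2:4], "big")
        info["flags"] = tcp[13] & 0x3F
    return info

def summarize(dump):
    """Count (src_ip, dst_port) for SSH/Telnet frames; top entries are the suspects."""
    counts = Counter()
    for frame in split_packets(dump):
        info = parse_frame(frame)
        if info and info.get("dst_port") in (22, 23):
            counts[(info["src_ip"], info["dst_port"])] += 1
    return counts.most_common()
```

Paste the full multi-packet dump into summarize() to rank sources; the addresses that dominate the count are the candidates to exclude from the VTY whitelist ACL.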