
Juniper SRX650 firewall: protecting the public IP from being *** (method one)

2011-07-30 22:44 267 views
The intranet reaches the Internet through source NAT, and the public IP used for that is normally the firewall's own address, i.e. the intranet's public-facing IP. By default, for convenience of management, the administrator opens the HTTP, HTTPS and SSH ports on this IP, which makes it easy for people on the outside to guess the password. The following measures are now taken:

The system services that are currently opened:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set system services ssh

set system services telnet

set system services web-management http interface ge-0/0/3.0

set system services web-management https system-generated-certificate

set system services web-management https interface ge-0/0/1.0

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust host-inbound-traffic protocols all

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

The approach is as follows:

Shut down the services on this public IP, then map the management port of the firewall's intranet IP to some port on another public IP.

delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

# Create the address-book entry

set security zones security-zone trust address-book address juniper2541 192.168.254.1/32

# Create the NAT

set security nat destination pool 2541 address 192.168.254.1/32

set security nat destination pool 2541 address port 22

set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0

set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32

set security nat destination rule-set 1 rule 2541 match destination-port 1055

set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541

# Create the policy

set security policies from-zone untrust to-zone trust policy yc2541 match source-address any

set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541

set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1055

set security policies from-zone untrust to-zone trust policy yc2541 then permit
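The post leaves three things implicit: the destination NAT rule-set has no "from" context (Junos requires one), the application juniper1055 that the policy references is never defined, and the public address is written as 113.106.95.x. The configuration below is an added example, not the post's own, that fills those gaps. PUBLIC_IP is a placeholder for the real public address, the "from zone untrust" line is an assumption about the author's topology, and juniper1055 is defined here as TCP port 22 rather than 1055: on the SRX, destination NAT is applied before the policy lookup, so the policy sees the translated destination (192.168.254.1, port 22), and an application matching port 1055 would never match. Interface names, zone names, pool and policy names follow the post.

```junos
# Added example (not from the original post). Assumptions: PUBLIC_IP is a
# placeholder for the address the post writes as 113.106.95.x; the rule-set
# "from zone untrust" line and the definition of application juniper1055 are
# supplied here because the post omits them.

# 1. Stop accepting SSH on the untrust interface (the public IP) itself.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

# 2. Address-book entry for the firewall's own trust-side address.
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32

# 3. Application used by the policy. Policy lookup happens after destination
#    NAT, so it must match the translated port (22), not the public port 1055.
set applications application juniper1055 protocol tcp destination-port 22

# 4. Destination NAT: PUBLIC_IP:1055 -> 192.168.254.1:22.
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address PUBLIC_IP/32
set security nat destination rule-set 1 rule 2541 match destination-port 1055
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541

# 5. Policy permitting the translated traffic to the trust-side address.
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1055
set security policies from-zone untrust to-zone trust policy yc2541 then permit

# 6. Validate syntax before committing, then commit.
commit check
commit
```

After the commit, "show security nat destination summary" lists the rule and pool, "show security policies policy-name yc2541" shows the policy with its application, and "show security flow session destination-port 22" shows whether a test connection to PUBLIC_IP:1055 is actually being translated to 192.168.254.1:22. The trust interface keeps ssh in its host-inbound-traffic list, as in the post, since the translated traffic is delivered to the firewall's own trust-side address.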