[j-nsp] telnet access

Chris Kawchuk juniperdude at gmail.com
Thu Jan 28 08:42:48 EST 2010


Telnet can be enabled on any/all IP interfaces. Simply add telnet as a service under the [edit system services] stanza.

system {
    services {
        telnet {
            connection-limit 5;
            rate-limit 5;
        }
    }
}

This will allow telnet on every interface.

You might also want to enable the connection-limit and rate-limit variables, to prevent people from brute-forcing password attempts on your device.

The example you may have been looking at involves how to prevent "The Internet" from telnetting to your router, by placing a filter on lo0 to restrict who can make a telnet connection to your device; this involves placing a [firewall filter] against interface lo0 unit 0. Interface lo0 represents the management of the device from the perspective of the transit interfaces (i.e. every IP interface but fxp0).

By default, if you enable telnet in the [edit system services] stanza, anyone can telnet to any of the IP addresses on your device. (ge-x/x/x.x interfaces, lo0.x loopback interfaces, and the like).

I highly recommend disabling telnet and using ssh instead:

system {
    services {
        ssh {
            root-login deny;
            connection-limit 3;
            rate-limit 5;
        }
    }
}

For more information on how to protect your router's in-band management from being hacked, Team Cymru has a nice document to assist you.
The document can be found here: http://www.cymru.com/gillsr/documents/junos-template.pdf


Regards,

- Chris.
juniperdude at gmail.com
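
A concrete version of the lo0 filter Chris describes, added here as an example and not part of the original post. It assumes a management prefix of 192.0.2.0/24, a loopback address of 203.0.113.1/32 (both documentation ranges), and the filter name protect-re; adjust all three to your network. The filter is applied as an input filter on lo0.0, so it applies to traffic addressed to any of the router's own IP addresses arriving on transit interfaces (per the post, fxp0 is not covered). Only telnet and ssh are restricted; the final term accepts everything else so routing protocols and other control traffic keep working.

```junos
/* Added example: restrict telnet/ssh to the Routing Engine to one management prefix */
firewall {
    family inet {
        filter protect-re {
            /* Permit management sessions only from the assumed management prefix */
            term allow-mgmt-from-noc {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            /* Everyone else trying telnet/ssh is counted, logged and dropped */
            term deny-mgmt-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count mgmt-denied;
                    log;
                    discard;
                }
            }
            /* Leave all other traffic to the RE (BGP, OSPF, ICMP, ...) untouched */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 203.0.113.1/32;     /* assumed loopback address */
            }
        }
    }
}
system {
    services {
        ssh {
            root-login deny;
            connection-limit 3;
            rate-limit 5;
        }
    }
}
```

Before committing, run `commit confirmed` from a session sourced inside the permitted prefix so a mistake in the filter rolls back rather than locking you out. Afterwards `show firewall filter protect-re` shows the mgmt-denied counter climbing if anyone outside the management prefix is knocking on telnet or ssh, and `show firewall log` lists the logged sources. Note that the filter only matters for services that are enabled: with telnet absent from [edit system services], as Chris recommends, the telnet port is closed regardless of the filter.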




On 2010-01-28, at 5:54 AM, Taqdir Singh wrote:

> Hi Team,
> 
> 1) in case of juniper, telnet access restriction can only be configured on
> loopback 0 unit 0?
> 2) does that mean, no one can telnet by default on any other physical
> interface or any other loopback units?
> 
> 
> 
> 
> -- 
> Taqdir Singh
> Network Engineering
> (+91) 991-170-9496 | (+91) 801-041-5988
> 
> One who asks is a fool for a moment, one who doesn't ask remains fool for
> ever
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
