[j-nsp] Changing SSH port on EX switches, M routers

Julien Goodwin jgoodwin at studio442.com.au
Sun Apr 3 07:44:46 EDT 2011


On 03/04/11 02:13, Jesus Alvarez wrote:
> It should be trivial to implement a configurable SSH port in the Junos

True.

> firmware and this would help in securing the router. Practically all

I doubt it.

> scanners attempt SSH logins when port 22 is available but very few check
> all available ports. It is surprising that Juniper does not provide a
> way to change the SSH port.

In my experience if you change the port all that happens is the really
simple scans go away, but anything the least bit "smart" is still there.

The way to stop SSH being an issue is:

1. If possible, firewall the port to allow known management traffic only.
Obviously most networks need to leave a few bounce hosts for
emergencies, but these can be *nix hosts that can run fail2ban or similar.

2. Disable root auth (*especially* with JunOS, I find I need a root [not
super-user] shell roughly once a year, and "start shell; su" takes care
of that)

3. Disable password auth. As long as you don't trust any known
compromised keys (Debian SSL bug bites again) this stops everything.
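For reference, here is an added example (not from the post above, and not Juniper's own documentation) of how those three points look as Junos set commands. The prefix-list name, filter name, user name, addresses and the key string are placeholders chosen for illustration; the `#` comment lines are annotation, not config to paste.

```junos
# 1. Limit SSH to known management sources with a filter on lo0.
#    Prefixes are documentation ranges standing in for real jump hosts.
set policy-options prefix-list MGMT-HOSTS 192.0.2.10/32
set policy-options prefix-list MGMT-HOSTS 198.51.100.0/28
set firewall family inet filter PROTECT-RE term ssh-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then discard
# Placeholder catch-all: a real RE filter enumerates the protocols it needs
# (routing, SNMP, NTP, ...) and ends with a discard term.
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# 2. Refuse root over SSH; get a root shell from a super-user login via
#    "start shell" and "su" on the rare occasion it is needed.
set system services ssh root-login deny

# Also slow down whatever brute forcing still arrives at the port.
set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services ssh rate-limit 5

# 3. Key-only authentication: drop passwords and load the admin's public key.
#    The key string below is a placeholder, replace it with a real public key.
set system services ssh no-passwords
set system login user netadmin class super-user
set system login user netadmin authentication ssh-rsa "ssh-rsa AAAA-PLACEHOLDER-PUBLIC-KEY netadmin@mgmt"
```

Apply the lo0 filter with `commit confirmed` from a session that originates inside MGMT-HOSTS, so a typo in the prefix list rolls back rather than locking you out.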


