[j-nsp] Changing SSH port on EX switches, M routers
Kevin Oberman
oberman at es.net
Sun Apr 3 19:50:17 EDT 2011
> Date: Sun, 03 Apr 2011 13:12:54 -0700
> From: Joel Jaeggli <joelja at bogus.com>
> Sender: juniper-nsp-bounces at puck.nether.net
>
> the normal approach is to have the control plane policing policy limit
> where you can ssh from rather than obfiscating the port number. From my
> vantage point the ability to forward traffic up to the control plane is
> the problem not which port it happens to be pointed. while you could
> rate limit it with a policer that seems like it's missing the point.
+1
1. Limit access to the ssh port to trusted hosts, preferably tightly
controlled hosts that are dedicated to acting a bastions. No extra
services running that might open vulnerabilities!
2. No passwords! Even if rules for 'good' passwords are followed,
passwords are not nearly as strong as good cyrpto keys. (yes, I know
about the Debian issue! That was so incredibly stupid that it still
boggles my mind! I doubt that any Unix distro will ever do anything so
incomprehensibly stupid again, but it's unwise to assume stupidity is
growing less common. If in doubt, run openssh directly from
openssh.org. they KNOW what they are doing!
3. Require two factor systems to further control access. We use
SmartCard tokens to create and store the private keys. When working
properly, it is not possible to get the private key off of the token
and modern openssh contains support for PKCS11 which will work with
SmartCards, though finding tokens that work with Unix in the US is a
problem.
This sort of control is vastly superior to playing games with the ssh
port by which smart hackers will only be mildly disturbed.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
More information about the juniper-nsp
mailing list