[j-nsp] protect ssh and telnet

Phil Shafer phil at juniper.net
Mon Apr 4 22:23:40 EDT 2016


Aaron writes:
>I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces
>on my Juniper ACX5048s.

First comment is: if you want security, don't allow telnet.
Force the use of ssh.

Me, I don't even like allowing passwords.  JUNOS now supports the
"system services ssh no-passwords" knob to force the use of ssh
keys over text passwords.  And your radius server will happily serve
ssh keys.  Force the move away from passwords.

The "lo0" filter covers traffic to the routing engine.  Any filter
applied to lo0 will block/allow only that traffic.

More generally, take a look at the "secure junos template" from
Team Cymru:

    http://www.team-cymru.org/templates.html

Thanks,
 Phil

