[j-nsp] protect ssh and telnet
Tim Jackson
jackson.tim at gmail.com
Mon Apr 4 23:27:52 EDT 2016
Sadly, you guys messed up ACX5k lo0 filtering... Even though it's a
QFX5100/EX4600 inside...
--
Tim
On Mon, Apr 4, 2016 at 9:23 PM, Phil Shafer <phil at juniper.net> wrote:
> Aaron writes:
>>I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces
>>on my Juniper ACX5048s.
>
> First comment is: if you want security, don't allow telnet.
> Force the use of ssh.
>
> Me, I don't even like allowing passwords. JUNOS now supports the
> "system services ssh no-passwords" knob to force the use of ssh
> keys over text passwords. And your radius server will happily serve
> ssh keys. Force the move away from passwords.
>
> The "lo0" filter covers traffic to the routing engine. Any filter
> applied to lo0 will block/allow only that traffic.
>
> More generally, take a look at the "secure junos template" from
> Team Cymru:
>
> http://www.team-cymru.org/templates.html
>
> Thanks,
> Phil
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
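
Added example, not part of either post: a small Python audit of a Junos `display set` export for the points Phil raises (telnet enabled, ssh still accepting passwords, no input filter on lo0), generalized to check every address family configured on lo0. The sample configs, the filter name PROTECT-RE and the prefix-list MGMT are constructed, and platform-specific filter behaviour such as the ACX5k issue Tim mentions is not modelled.

```python
import re

# Constructed sample configs in "display set" form; names and addresses are made up.
WEAK = """\
set system services telnet
set system services ssh root-login deny
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 0 family inet6 address 2001:db8::1/128
"""
HARDENED = """\
set system services ssh no-passwords
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set firewall family inet filter PROTECT-RE term ssh from source-prefix-list MGMT
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh then accept
"""
FAM_RE = re.compile(r"interfaces lo0 unit \d+ family (\S+)(?: filter (input\S*))?")

def active_statements(config):
    """Return 'set' paths, dropping any that sit under a 'deactivate' path."""
    sets, off = [], []
    for raw in config.splitlines():
        verb, _, path = raw.strip().partition(" ")
        if verb == "set":
            sets.append(path)
        elif verb == "deactivate":
            off.append(path)
    return [s for s in sets if not any(s == d or s.startswith(d + " ") for d in off)]

def audit(config):
    """Check the three points from the thread: telnet, ssh passwords, lo0 filter."""
    stmts = active_statements(config)
    def has(path):
        return any(s == path or s.startswith(path + " ") for s in stmts)
    findings = []
    if has("system services telnet"):
        findings.append("telnet-enabled")
    if has("system services ssh") and not has("system services ssh no-passwords"):
        findings.append("ssh-passwords-allowed")
    # Each address family on lo0 needs its own input filter (inet assumed if none seen).
    hits = [m for m in map(FAM_RE.match, stmts) if m]
    families = {m.group(1) for m in hits} or {"inet"}
    filtered = {m.group(1) for m in hits if m.group(2)}
    for fam in sorted(families - filtered):
        findings.append(f"lo0-no-input-filter:{fam}")
    return findings
```
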