Here are some best practices you can implement on Juniper devices to secure SSH access.
1. Remote access should be via SSH only; telnet must be disabled.
delete system services telnet
2. SSH should be version 2 or higher. Do not run v1.
set system services ssh protocol-version v2
3. Configure a login banner.
set system login message "\n*************************************************************************\n UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice. Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"
4. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS+/RADIUS servers.
set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set system tacplus-server 192.168.1.111 secret "$9$Gq.5WLGi.56/veLHvYJZjkmTGDLN4oWLXV"
set system tacplus-server 192.168.1.111 timeout 30
set system tacplus-server 192.168.1.111 single-connection
set system tacplus-server 192.168.1.111 source-address 192.168.1.2
set system accounting destination tacplus server 192.168.1.111 secret "$9$-4dHm8XUGiqPQT/9M8Xxb2Z2aZGi.mT"
set system accounting destination tacplus server 192.168.1.111 single-connection
set system accounting destination tacplus server 192.168.1.111 source-address 192.168.1.2
For more information about TACACS+ configuration, please refer to: TACACS (AAA) Configuration in Juniper
5. Protect the control plane (Routing Engine) by restricting SSH to allowed source addresses with a firewall filter, where possible.
set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then count SSH
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept
set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
set policy-options prefix-list ALLOWED-IP 192.168.1.101/32
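As an added example (not from the original post or from Juniper), here is a small Python audit script that checks a saved "show configuration | display set" output against items 1 to 5 above. The sample configuration is constructed, and the script also checks one thing the post's commands do not show: that the IPv4-PROTECT-RE filter is actually applied as an input filter on lo0, since a filter that is only defined protects nothing.

```python
# Constructed sample of "show configuration | display set" output (not taken
# from a real device). It follows the post's items 2-5 but still has telnet
# enabled and never applies IPv4-PROTECT-RE to the lo0 interface.
SAMPLE_CONFIG = """\
set system services telnet
set system services ssh protocol-version v2
set system login message "UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED"
set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept
set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
"""

def parse_set_lines(text):
    """Split each 'set ...' statement into its tokens."""
    return [ln.split() for ln in text.splitlines() if ln.startswith("set ")]

def has(stmts, *prefix):
    """True if any statement starts with the given tokens."""
    return any(s[:len(prefix)] == list(prefix) for s in stmts)

def audit(text):
    """Return {check_name: passed} for the post's five SSH items."""
    stmts = parse_set_lines(text)
    # Item 5 needs a term that matches tcp/ssh AND limits the source, and the
    # filter must be applied inbound on lo0 (the Routing Engine) to take effect.
    terms = {}  # (filter, term) -> set of 'from' match tuples
    for s in stmts:
        if s[:5] == ["set", "firewall", "family", "inet", "filter"] and len(s) > 9 \
                and s[6] == "term" and s[8] == "from":
            terms.setdefault((s[5], s[7]), set()).add(tuple(s[9:]))
    restricted = {f for (f, _), m in terms.items()
                  if (("port", "ssh") in m or ("destination-port", "ssh") in m)
                  and any(x[0] in ("source-prefix-list", "source-address") for x in m)}
    applied = {s[-1] for s in stmts
               if s[:3] == ["set", "interfaces", "lo0"] and len(s) > 3 and s[-2] == "input"}
    return {
        "telnet_disabled": not has(stmts, "set", "system", "services", "telnet"),
        "ssh_v2_only": has(stmts, "set", "system", "services", "ssh", "protocol-version", "v2"),
        "login_banner": has(stmts, "set", "system", "login", "message"),
        "tacplus_aaa": has(stmts, "set", "system", "authentication-order", "tacplus")
        and has(stmts, "set", "system", "tacplus-server"),
        "ssh_re_filter_defined": bool(restricted),
        "ssh_re_filter_on_lo0": bool(restricted & applied),
    }

for check, ok in audit(SAMPLE_CONFIG).items():
    print("PASS" if ok else "FAIL", check)
```

Run it against the output of `show configuration | display set` saved from the device; the sample above reports FAIL for telnet_disabled and ssh_re_filter_on_lo0 and PASS for the rest.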