Best Security Practices for SSH (Secure Shell) Remote Access in Juniper

Here are some best practices you can implement on Juniper devices to secure SSH access.

1. Remote access should be via SSH, with telnet disabled

delete system services telnet

 

2. SSH should be version 2 or higher. Do not run v1

set system services ssh protocol-version v2

 

3. Configure Login Banner

set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice. Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"

For more information about banner configuration, refer to: Configuring Banner or Login Message in Juniper

4. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS/RADIUS servers.

set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set system tacplus-server 192.168.1.111 secret "$9$Gq.5WLGi.56/veLHvYJZjkmTGDLN4oWLXV"
set system tacplus-server 192.168.1.111 timeout 30
set system tacplus-server 192.168.1.111 single-connection
set system tacplus-server 192.168.1.111 source-address 192.168.1.2

set system accounting destination tacplus server 192.168.1.111 secret "$9$-4dHm8XUGiqPQT/9M8Xxb2Z2aZGi.mT"
set system accounting destination tacplus server 192.168.1.111 single-connection
set system accounting destination tacplus server 192.168.1.111 source-address 192.168.1.2

For more information about TACACS configuration, refer to: TACACS (AAA) Configuration in Juniper

 

5. Configure control-plane management for SSH if possible

set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then count SSH
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept

set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
set policy-options prefix-list ALLOWED-IP 192.168.1.101/32
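
As an added example (not from the original post), this Python script checks `show configuration | display set` output against the five practices above. The `audit` function and the sample configuration are constructed for illustration, and the `set interfaces lo0 unit N family inet filter input` check is an assumption about how the filter is attached to the routing engine, which the post does not show.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE = """\
set system services telnet
set system services ssh protocol-version v2
set system login message "UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED"
set system authentication-order tacplus
set system tacplus-server 192.168.1.111 timeout 30
set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept
set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
"""

def audit(config):
    """Return one finding per practice the configuration misses (empty list = pass)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def values(prefix):  # tokens that follow `prefix` on any matching line
        return [t for ln in lines if ln == prefix or ln.startswith(prefix + " ")
                for t in ln[len(prefix):].split() if t not in ("[", "]")]
    findings = []
    if any(ln.startswith("set system services telnet") for ln in lines):
        findings.append("telnet is enabled")
    if values("set system services ssh protocol-version") != ["v2"]:
        findings.append("SSH is not pinned to protocol version 2")
    if not values("set system login message"):
        findings.append("no login banner")
    order = values("set system authentication-order")
    server = {"tacplus": "tacplus-server", "radius": "radius-server"}.get(order[0] if order else "")
    if not server or not values(f"set system {server}"):
        findings.append("login is not tried against a configured TACACS+/RADIUS server first")
    # Collect match conditions and actions per (filter, term).
    terms = {}
    for ln in lines:
        m = re.match(r"set firewall family inet filter (\S+) term (\S+) (from|then) (.+)", ln)
        if m:
            terms.setdefault((m[1], m[2]), set()).add(f"{m[3]} {m[4]}")
    guarded = {f for (f, _), c in terms.items()
               if c & {"from port ssh", "from destination-port ssh"} and "then accept" in c
               and any(x.startswith(("from source-prefix-list ", "from source-address ")) for x in c)}
    applied = {f for f in guarded for ln in lines
               if re.fullmatch(rf"set interfaces lo0 unit \d+ family inet filter input {re.escape(f)}", ln)}
    if not guarded:
        findings.append("no filter term limits SSH to named sources")
    elif not applied:
        findings.append(f"filter {sorted(guarded)[0]} is not applied as input on lo0")
    return findings
```

A Junos filter ends with an implicit discard, so IPv4-PROTECT-RE needs terms for the other traffic the routing engine must receive before it is applied to lo0.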
