[j-nsp] telnet access

2010-01-28 Thread Taqdir Singh
Hi Team,

1) in case of juniper, telnet access restriction can only be configured on
loopback 0 unit 0 ?
2) does that mean, no one can telnet by default on any other physical
interface or any other loopback units ?




-- 
Taqdir Singh
Network Engineering
(+91) 991-170-9496 | (+91) 801-041-5988

One who asks is a fool for a moment, one who doesn't ask remains fool for
ever
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] telnet access

2010-01-28 Thread Scott Berkman
Correct.  This is a little different than how you think of security in Cisco
ACLs, but think of it this way: any services that run on the router itself
enter the router's management IP stack on lo0.

The folks over at Cymru have some nice docs on Juniper security such as:
http://www.cymru.com/gillsr/documents/junos-template.htm

-Scott



Re: [j-nsp] telnet access

2010-01-28 Thread Stefan Fouant
 -Original Message-
 From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
 boun...@puck.nether.net] On Behalf Of Taqdir Singh
 Sent: Thursday, January 28, 2010 7:54 AM
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] telnet access
 
 Hi Team,
 
 1) in case of juniper, telnet access restriction can only be configured
 on
 loopback 0 unit 0 ?

There are no such restrictions.

 2) does that mean, no one can telnet by default on any other physical
 interface or any other loopback units ?

In packet mode JUNOS the default is to allow telnet to any interface on the
box.  If you're running SRX or J-Series (with secure flow mode) the default
is to deny telnet on any interfaces.  You would need to configure
host-inbound-services under the respective zone or interface to allow telnet
access on those interfaces.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

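Added example (not from anyone in this thread): what the flow-mode allow-list Stefan describes looks like in configuration. The stanza is actually named `host-inbound-traffic` with a `system-services` list underneath it; the zone name `trust` and the interface `ge-0/0/1.0` are assumed. SSH is listed and telnet is deliberately not, so telnet stays denied on that zone even if the telnet service itself is turned on under `[edit system services]`.

```junos
## Added example, not from the original thread. Zone and interface names assumed.
security {
    zones {
        security-zone trust {
            ## Zone-level allow-list: applies to every interface in the zone
            ## unless an interface below overrides it.
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    ## Interface-level allow-list replaces the zone-level one
                    ## for this interface only: ssh and nothing else.
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
```

Listing services individually is the point: `system-services all` would re-open every management protocol, telnet included, on that zone, which is the opposite of the default you are relying on.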


Re: [j-nsp] telnet access

2010-01-28 Thread Chris Kawchuk
Telnet can be enabled on any/all IP interfaces. Simply add telnet as a service 
under the [edit system services] stanza.

system {
    services {
        telnet {
            connection-limit 5;
            rate-limit 5;
        }
    }
}

This will allow telnet on every interface.

You might want to also enable the connection limit and rate limit variables, 
to prevent people from brute-forcing password attempts on your device.

The example you may have been looking at involves how to prevent the 
Internet from telnetting to your router, by placing a filter on lo0 to 
restrict who can make a telnet connection to your device; this involves 
placing a [firewall filter] against interface lo0 unit 0. Interface lo0 
represents the management of the device from the perspective of the transit 
interfaces (i.e. every IP interface but fxp0). 

By default, if you enable telnet in the [edit system services] stanza, anyone 
can telnet to any of the IP addresses on your device. (ge-x/x/x.x interfaces, 
lo0.x loopback interfaces, and the like).

I highly recommend disabling telnet and using ssh instead:

system {
    services {
        ssh {
            root-login deny;
            connection-limit 3;
            rate-limit 5;
        }
    }
}

For more information on how to protect your router's in-band management from 
being hacked, Team Cymru has a nice document to assist you. 
The document can be found here: 
http://www.cymru.com/gillsr/documents/junos-template.pdf


Regards,

- Chris.
juniperdude at gmail.com




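Added example (not from anyone in this thread): the lo0 filter Chris describes, written out so the pieces fit together. The filter name `protect-re`, the management prefix `192.0.2.0/24` and the loopback address `198.51.100.1/32` are assumed placeholders. Management connections (ssh and telnet ports) are accepted only from the management prefix, every other management attempt is logged and discarded, and a final accept term keeps the filter from silently dropping routing protocols and everything else that terminates on the RE.

```junos
## Added example, not from the original thread. Prefixes and filter name assumed.
firewall {
    family inet {
        filter protect-re {
            ## Management from the trusted prefix only.
            term allow-mgmt-from-noc {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            ## Anyone else trying ssh/telnet: log it, then drop it.
            term deny-other-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            ## A filter ends in an implicit discard; without this term
            ## BGP, OSPF, SNMP and so on would all be dropped too.
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 198.51.100.1/32;
            }
        }
    }
}
system {
    services {
        ssh {
            root-login deny;
            connection-limit 3;
            rate-limit 5;
        }
    }
}
```

Because the filter is applied to lo0.0, it sees management traffic arriving on any transit interface, regardless of which of the box's addresses it was sent to; telnet is kept in the port list so the filter still protects the box if someone later turns the telnet service back on. The usual way to confirm it is working is to watch the syslog entries from the discard term while testing from a non-management address.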