[j-nsp] telnet access
Hi Team,

1) In the case of Juniper, can telnet access restriction only be configured on loopback 0 unit 0?

2) Does that mean no one can telnet by default on any other physical interface or any other loopback units?

--
Taqdir Singh
Network Engineering
(+91) 991-170-9496 | (+91) 801-041-5988
One who asks is a fool for a moment, one who doesn't ask remains a fool for ever

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] telnet access
Correct. This is a little different from how you think of security in Cisco ACLs, but think of it as: any services that run on the router itself enter the router's management IP stack on lo0.

The folks over at Cymru have some nice docs on Juniper security, such as: http://www.cymru.com/gillsr/documents/junos-template.htm

-Scott

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Taqdir Singh
Sent: Thursday, January 28, 2010 7:54 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] telnet access
Re: [j-nsp] telnet access
-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Taqdir Singh
Sent: Thursday, January 28, 2010 7:54 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] telnet access

> 1) in case of juniper, telnet access restriction can only be configured on loopback 0 unit 0 ?

There are no such restrictions.

> 2) does that mean, no one can telnet by default on any other physical interface or any other loopback units ?

In packet-mode JUNOS the default is to allow telnet to any interface on the box. If you're running SRX or J-Series (with secure flow mode) the default is to deny telnet on any interface. You would need to configure host-inbound-services under the respective zone or interface to allow telnet access on those interfaces.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
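As an added illustration of the flow-mode case Stefan describes (this is not configuration from his reply or from Juniper documentation; the zone and interface names are made up), the stanza that opens management services on an SRX is `host-inbound-traffic { system-services { ... } }`. A zone-level list applies to every interface in that zone; an interface-level list takes precedence over the zone list for that one interface. A zone with no such stanza keeps the deny-by-default behaviour, which is what you want on the outside.

```junos
security {
    zones {
        security-zone trust {
            /* Zone-wide list: every interface in this zone accepts ssh and ping. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                /* Inherits the zone-level list above. */
                ge-0/0/1.0;
                /* Interface-level list: takes precedence over the zone list for
                   this interface only, so this is the one place telnet is reachable. */
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            /* No host-inbound-traffic stanza: management sessions arriving on
               the outside interface remain denied by default. */
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

Remember that `host-inbound-traffic` only decides whether the service is reachable through a given zone or interface; the service itself still has to be enabled under `[edit system services]`, and the usual lo0 filter still applies on top of it.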
Re: [j-nsp] telnet access
Telnet can be enabled on any/all IP interfaces. Simply add telnet as a service under the [edit system services] stanza:

    system {
        services {
            telnet {
                connection-limit 5;
                rate-limit 5;
            }
        }
    }

This will allow telnet on every interface. You might also want to enable the connection-limit and rate-limit variables, to prevent people from brute-forcing password attempts on your device.

The example you may have been looking at involves how to prevent the Internet from telnetting to your router, by placing a filter on lo0 to restrict who can make a telnet connection to your device; this involves placing a [firewall filter] against interface lo0 unit 0. Interface lo0 represents the management of the device from the perspective of the transit interfaces (i.e. every IP interface but fxp0).

By default, if you enable telnet in the [edit system services] stanza, anyone can telnet to any of the IP addresses on your device (ge-x/x/x.x interfaces, lo0.x loopback interfaces, and the like).

I highly recommend disabling telnet and using ssh instead:

    system {
        services {
            ssh {
                root-login deny;
                connection-limit 3;
                rate-limit 5;
            }
        }
    }

For more information on how to protect your router's in-band management from being hacked, Team Cymru has a nice document to assist you. The document can be found here: http://www.cymru.com/gillsr/documents/junos-template.pdf

Regards,
- Chris.
juniperdude at gmail.com
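As an added example of the lo0 filter Chris refers to (this is not his configuration nor the Team Cymru template; the filter name, prefix list, counter name and addresses are all made up), the following restricts ssh and telnet to a management prefix and logs everything else aimed at those ports. Because every packet addressed to the router itself, whichever transit interface it arrived on, passes through the input filter on lo0.0, this single filter answers question 1: the restriction lives on lo0.0 because that one attachment point covers all interfaces at once, not because the other interfaces are closed. fxp0 is outside its scope and needs its own treatment.

```junos
policy-options {
    /* Constructed management prefix; replace with your real management block. */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Management sessions from the approved prefix are accepted. */
            term allow-mgmt-sessions {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            /* Anything else aimed at ssh/telnet is counted, logged and dropped,
               so probes show up in the counter and in syslog. */
            term deny-other-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count mgmt-denied;
                    syslog;
                    discard;
                }
            }
            /* Stand-in for the rest of a real RE filter (routing protocols, NTP,
               SNMP, ICMP and so on); the Cymru template covers those terms. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                /* Constructed loopback address. */
                address 203.0.113.1/32;
            }
        }
    }
}
```

Terms are evaluated first-match, so the accept for the management prefix must precede the deny. After committing, `show firewall filter protect-re` shows the `mgmt-denied` counter, which is a quick way to see whether anything outside the management prefix is knocking on the box.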