Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EX4200 - Make SSHD listen on different port

    Posted 06-12-2012 07:06

    Hello,

    All our servers were under permanent brute-force SSH attack, until we changed the default SSH port 22 to something different.

    Now we have several EX4200 under permanent brute-force SSH attack, but I can't find a way to make its SSH daemon listen on a different port.

    Please, how can I do it? And if I can't, where can I post my "feature request"?

    Thank you very much for your help.

    -Petr



  • 2.  RE: EX4200 - Make SSHD listen on different port
    Best Answer

    Posted 06-12-2012 15:39

    This is probably obvious, but what about firewalling off port 22 on the perimeter ahead of the switch(es)?

    You could also use set system services ssh rate-limit <1..250> to slow things down at least.

    Ultimately, aside from filtering out port 22 ahead of the switch(es), the best setup would be a routing engine filter to limit SSH to a known set of IP addresses/networks.

    I would imagine that somewhere in the underlying BSD guts of Junos you could modify the SSH port, but I wouldn't recommend this as it could break things in unexpected ways if other parts of Junos expect port 22 to be SSH.



  • 3.  RE: EX4200 - Make SSHD listen on different port

    Posted 06-13-2012 03:21

    You can actually manipulate /etc/inetd.conf and make this work (how well it stays over commits I'm not sure), but it's of little value as there's enough portscans that go on that it'll be found.

    You should seriously consider firewalling the port off both at the edge, and as a loopback ACL.
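    The routing-engine (loopback) filter plus SSH rate limiting that the two replies above recommend, written out as a Junos set-format example; this is an added illustration, not configuration from the thread or from Juniper. The prefixes in MGMT-HOSTS and the filter, term and counter names are placeholders to replace with your own management sources; the lines starting with # are annotations.

    ```junos
    # Management sources allowed to reach SSH on the switch (placeholder prefixes, RFC 5737 ranges)
    set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
    set policy-options prefix-list MGMT-HOSTS 198.51.100.10/32

    # Term 1: SSH from the known management prefixes is accepted
    set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from source-prefix-list MGMT-HOSTS
    set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from protocol tcp
    set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from destination-port ssh
    set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT then accept

    # Term 2: SSH from anywhere else is counted (so the brute-force volume stays visible) and silently discarded
    set firewall family inet filter PROTECT-RE term DROP-OTHER-SSH from protocol tcp
    set firewall family inet filter PROTECT-RE term DROP-OTHER-SSH from destination-port ssh
    set firewall family inet filter PROTECT-RE term DROP-OTHER-SSH then count SSH-DROPPED
    set firewall family inet filter PROTECT-RE term DROP-OTHER-SSH then discard

    # Term 3: everything else (routing protocols, SNMP, NTP, ...) is left untouched.
    # Without this final accept the filter's implicit discard would cut off all other RE traffic.
    set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

    # Apply the filter to traffic destined for the routing engine
    set interfaces lo0 unit 0 family inet filter input PROTECT-RE

    # Slow down and bound what still reaches sshd: the rate-limit knob from the reply above
    # (new connections per second, 1..250) plus a cap on concurrent sessions
    set system services ssh rate-limit 5
    set system services ssh connection-limit 10
    set system services ssh protocol-version v2
    set system services ssh root-login deny
    ```

    Commit with "commit confirmed" from a session originating inside MGMT-HOSTS so a mistake in the prefix list rolls back instead of locking you out, and watch "show firewall filter PROTECT-RE" to confirm the SSH-DROPPED counter is absorbing the brute-force attempts.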