Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Disable SSH on outside interface

    Posted 05-06-2014 16:52

    I would like to disable SSH access from the outside on my SRX220H

     

    I found this article, however being new to Juniper devices I can't seem to find where to configure this information.  Could someone please tell me how this is accomplished?  I have GUI and SSH access from the LAN if needed.

     

    http://forums.juniper.net/t5/Day-One-Tips-Contest/Technique-Securing-routing-engine-for-out-of-band-management/m-p/65704/thread-id/158

     

    Thank you!

    Rob Miller

    My Custom IT

     



  • 2.  RE: Disable SSH on outside interface

    Posted 05-06-2014 17:30

    By default, simply not defining ssh as a system service on the outside interface will mean that the traffic will be denied. This would be part of the zone definition.



  • 3.  RE: Disable SSH on outside interface
    Best Answer

    Posted 05-07-2014 04:46

    The technique I wrote in the tips section is primarily useful to restrict by source address on an SRX.  You would use this type of filter on an internet facing interface if you want SSH/SSL to be available on the internet and restrict which source addresses are able to use the service.  This prevents anyone on the internet from being able to attempt to access the SRX.

     

    You would apply the filter then at the interface being protected.

     

    The SRX has the concept of zone and interface based host services as Kevin mentions.  If you want SSH/SSL off entirely for the internet interface then just remove this service from:

     

    Security -- Zones -- Security Zone -- Untrust -- host-inbound-traffic -- system services

     

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41194.html

     

    On switches or packet based routers that don't have the security stanza, then the example I posted is used as it is shown.



  • 4.  RE: Disable SSH on outside interface

    Posted 05-13-2014 15:55

    Thanks, I have removed SSH from the interface.  I tried to hit it from the outside and it rejected it, but is there another way to verify for sure that it is closed?

     

    Thank you

    Rob



  • 5.  RE: Disable SSH on outside interface

    Posted 05-14-2014 16:24

    The only verification that I can think of from the firewall side is the test you have run and confirming that the configuration has removed ssh.

     

    If both of these have been verified you should be good.

     

    There are tools like nmap and metasploit that you could also try to do more active probing.
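
The configuration-side check discussed in the thread can be scripted. The following is an added example, not part of any post above: it reads `show configuration security zones | display set` output and reports, per interface of a zone, whether SSH to the device is still permitted. The sample configuration and interface names are constructed, and the function assumes that interface-level host-inbound-traffic settings override the zone-level ones.

```python
import re

# Constructed sample of `show configuration security zones | display set` output.
SAMPLE = """\
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
"""

# One zone statement: optional interface, optional system service, optional "except".
LINE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+)(?P<exc> except)?)?\s*$")


def allows_ssh(svcs):
    """An explicit ssh entry wins; otherwise 'all' or 'any-service' permits it."""
    if "ssh" in svcs:
        return svcs["ssh"]
    return svcs.get("all", False) or svcs.get("any-service", False)


def ssh_exposure(display_set, zone):
    """Return {interface: bool}: is SSH to the device allowed on that interface?"""
    zone_svcs, ifc_svcs = {}, {}
    for raw in display_set.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["zone"] != zone:
            continue  # other zones, protocols, and unrelated statements
        svcs = ifc_svcs.setdefault(m["ifc"], {}) if m["ifc"] else zone_svcs
        if m["svc"]:
            svcs[m["svc"]] = not m["exc"]  # "ssh except" records a denial
    # Assumption: an interface with its own system-services ignores the zone's list.
    return {ifc: allows_ssh(own if own else zone_svcs)
            for ifc, own in ifc_svcs.items()}


if __name__ == "__main__":
    for ifc, exposed in ssh_exposure(SAMPLE, "untrust").items():
        print(ifc, "SSH allowed" if exposed else "SSH not allowed")
```

In the constructed sample the untrust zone itself no longer lists ssh, but one interface still carries an interface-level ssh entry, which is the case a zone-only review would miss.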