Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  SNMP and SSH

    Posted 10-20-2008 04:16

    Dear all,

    I need to configure the following points on my router:

    1. To configure the router as an SSH server so I can connect to it securely (and also specify which IPs may connect)

    2. The Cisco command (snmp-server enable traps tty): how to do the same on Juniper

    I found some basic configuration regarding this issue, but some details I can't, like the TTY issue.

    Thanks in advance for your time and efforts.


    #ssh
    #SNMP


  • 2.  RE: SNMP and SSH

    Posted 10-20-2008 05:01

    Hi Arzo

     

    You mention that you have already found some documentation on the topic but I just want to make sure that you have seen the following:

    1) Configuring SSH Service

    2) Configuring SNMP Trap Options and Groups

     

    For SSH access this will work:

     

    lab@router# show system services
    ftp;
    ssh;
    telnet;
    [edit]
    lab@router#

     

     

    For basic SNMP trap a configuration as this would already be enough.

     

    lab@router# show snmp
    trap-group public {
        targets {
            10.0.0.1;
        }
    }
    [edit]
    lab@router#

     

     

     



  • 3.  RE: SNMP and SSH
    Best Answer

    Posted 10-20-2008 06:29

    Hi,

     

    AntonD has already provided you with valuable information, but I'd like to add something about firewalling (to specify who can even try to connect to your router via SSH; I assumed it would be 10.0.0.1 and 10.0.0.2):

     

     

    user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32

    user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32

    user@router# set firewall family inet filter RE_FILTER term SSH from protocol tcp

    user@router# set firewall family inet filter RE_FILTER term SSH from destination-port 22

    user@router# set firewall family inet filter RE_FILTER term SSH then accept

    user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp

    user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22

    user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK then discard

    user@router# set firewall family inet filter RE_FILTER term DEFAULT then accept

     

     

     Then just apply the filter to lo0 interface:

     

     

    user@router# set interfaces lo0 unit 0 family inet filter input RE_FILTER

     

     

    I assumed you have no filters applied to lo0, but if you have any, just add term SSH and, if needed, SSH_BLOCK to your own filter. The filter above cares only about SSH (the rest of the protocols are just accepted in the DEFAULT term), so it shouldn't break anything in your network (still, it's always worth analyzing and testing it yourself).

     

    Hope it helps a bit,

     

    Have a nice day,

     

    G.

    Message Edited by Gniewko on 10-20-2008 04:45 PM


  • 4.  RE: SNMP and SSH

    Posted 10-20-2008 06:53

    Thank you G for the great example. I have a small question:

     

    set firewall family inet filter RE_FILTER term DEFAULT then accept

     

    Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.



  • 5.  RE: SNMP and SSH

    Posted 10-20-2008 07:13

    @Arzo wrote:

    Thank you G for the great example. I have a small question:

     

    set firewall family inet filter RE_FILTER term DEFAULT then accept

     

    Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.


    Hi again,

     

    No problem, I'm glad you found it useful.

    You're right, after the 'term' keyword should come the name of the term, so 'DEFAULT' in our case is just that, the name of the term (I chose DEFAULT to make its purpose quite obvious). Then, a term can (it is optional) have some 'from' statements to match which packets we're interested in, and a 'then' statement to say what to do with the previously matched packets. If you specify no 'from' conditions, that term matches everything (all protocols, ports, etc.; just everything else not matched in the terms above). Please have a look here for more info:

    http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/filter-match-conditions.html#id-10829544

     

     

    Have a nice day,

     

    All the best,

    G.

    Message Edited by Gniewko on 10-20-2008 05:14 PM


  • 6.  RE: SNMP and SSH

    Posted 10-20-2008 07:37

    Thank you so much G, it was really a stupid question 🙂 I realized it after I sent you the reply; I found one that I configured once. Thanks again. Anyway, you all gave me great help. I will paste my whole collection for this case that I finished with your help, so it will be useful for other members; if you find anything wrong in my configuration please let me know.

     

    term everything-else {
        then accept;
    }

     

    The configuration lines:

     

     

    TACACS PLUS CONFIGURATION:

    set system authentication-order [ tacplus password ]

    set system tacplus-server TAC_IP source-address SRC_IP

    set system login user remote full-name "TACACS+ User Template" class super-user

     

    Notes :

    1. It is better to include 'password' after 'tacplus': if the router is unable to reach the TACACS+ server, it will authenticate locally. If you don't want that option you can remove it.

    2. The user 'remote' is the template for TACACS+ users to access the router, so it is mandatory.

     

     

    SNMP CONFIGURATION:

    set snmp location WORK

    set snmp contact EMAIL

    set snmp community NAME

    set snmp trap-options source-address lo0

    set snmp trap-group public targets SNMP_SERVER_IP

     

    SSH ACCESS AND FILTERING:

     

    set system services ssh root-login deny-password

    set system services ssh protocol-version v2

    set system services ssh connection-limit 10

    set system services ssh rate-limit 10

     

    set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32

    set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32

    set firewall family inet filter RE_FILTER term SSH from protocol tcp

    set firewall family inet filter RE_FILTER term SSH from destination-port 22

    set firewall family inet filter RE_FILTER term SSH then accept

    set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp

    set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22

    set firewall family inet filter RE_FILTER term SSH_BLOCK then discard

    set firewall family inet filter RE_FILTER term everything-else then accept

    set interfaces lo0 unit 0 family inet filter input RE_FILTER

     

    Notes:

    1. Do NOT remove or alter the everything-else term or all connections to the router will stop functioning (BGP, Telnet, NTP, etc.)

    2. root-login deny-password, so root won't be accessible through SSH.

     


    #SNMP
    #TACACS+
    #ssh
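    The RE_FILTER in this thread relies on two Junos behaviours that the posts above explain in prose: terms are evaluated top to bottom and the first match decides, and a term with no 'from' conditions (the DEFAULT / everything-else term) matches whatever is left, while a packet matching no term at all hits the implicit final discard. The script below is an added example, not code from this thread or from Juniper: it parses the RE_FILTER 'set' lines exactly as posted, walks constructed sample packets (source address, protocol, destination port) through the terms with first-match semantics, and shows what happens when the everything-else term is dropped. It models only the three match conditions the filter uses (source-address, protocol, destination-port) and the terminating actions accept/discard/reject; everything else in the Junos filter language is out of scope here.

```python
"""Simulate Junos first-match firewall-filter evaluation for the RE_FILTER
posted in this thread, so the filter can be sanity-checked before it is
applied to lo0. Added example; models only source-address, protocol and
destination-port matches plus accept/discard/reject actions.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the RE_FILTER from the thread, in Junos 'set' form.
RE_FILTER_SET = """\
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port 22
set firewall family inet filter RE_FILTER term SSH then accept
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term everything-else then accept
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
PORT_NAMES = {"ssh": 22, "telnet": 23, "ntp": 123, "snmp": 161, "bgp": 179}
TERMINATING_ACTIONS = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    source_addresses: list = field(default_factory=list)   # ip_network objects
    protocols: set = field(default_factory=set)            # protocol numbers
    destination_ports: set = field(default_factory=set)    # port numbers
    action: str = "accept"  # a term with no terminating action accepts in Junos


def _proto(value: str) -> int:
    return int(value) if value.isdigit() else PROTO_NUMBERS[value]


def _port(value: str) -> int:
    return int(value) if value.isdigit() else PORT_NAMES[value]


def parse_set_commands(text: str) -> dict:
    """Return {filter_name: [Term, ...]} with terms in configuration order."""
    filters: dict = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or tok[:5] != ["set", "firewall", "family", "inet", "filter"] \
                or tok[6] != "term":
            continue
        terms = filters.setdefault(tok[5], {})           # dict keeps term order
        term = terms.setdefault(tok[7], Term(tok[7]))
        if tok[8] == "from":
            key, val = tok[9], tok[10]
            if key == "source-address":
                term.source_addresses.append(ipaddress.ip_network(val, strict=False))
            elif key == "protocol":
                term.protocols.add(_proto(val))
            elif key == "destination-port":
                term.destination_ports.add(_port(val))
            else:
                raise ValueError(f"match condition not modelled here: {key}")
        elif tok[8] == "then" and tok[9] in TERMINATING_ACTIONS:
            term.action = tok[9]
    return {name: list(terms.values()) for name, terms in filters.items()}


def term_matches(term: Term, src, proto: int, dport: int) -> bool:
    """Every configured 'from' condition must hold; an absent condition matches anything."""
    if term.source_addresses and not any(src in net for net in term.source_addresses):
        return False
    if term.protocols and proto not in term.protocols:
        return False
    if term.destination_ports and dport not in term.destination_ports:
        return False
    return True


def evaluate(terms: list, src: str, proto: str, dport: int) -> tuple:
    """First-match semantics: (action, term name); no match hits the implicit discard."""
    src_ip, proto_num = ipaddress.ip_address(src), _proto(proto)
    for term in terms:
        if term_matches(term, src_ip, proto_num, dport):
            return term.action, term.name
    return "discard", "<implicit final discard>"


def ends_with_catch_all(terms: list) -> bool:
    """True when the last term has no 'from' conditions and accepts (the everything-else term)."""
    last = terms[-1]
    return (not last.source_addresses and not last.protocols
            and not last.destination_ports and last.action == "accept")


if __name__ == "__main__":
    terms = parse_set_commands(RE_FILTER_SET)["RE_FILTER"]
    # Constructed sample packets: allowed SSH, SSH from elsewhere, BGP, UDP to port 22.
    for pkt in [("10.0.0.1", "tcp", 22), ("192.0.2.10", "tcp", 22),
                ("192.0.2.10", "tcp", 179), ("192.0.2.10", "udp", 22)]:
        print(pkt, "->", evaluate(terms, *pkt))
    print("catch-all present:", ends_with_catch_all(terms))
    # Drop everything-else and a BGP peer's traffic is silently discarded.
    print("without everything-else:", evaluate(terms[:-1], "192.0.2.10", "tcp", 179))
```

    Running it shows SSH from 10.0.0.1 accepted by term SSH, SSH from 192.0.2.10 discarded by SSH_BLOCK, and BGP (tcp/179) or UDP to port 22 falling through to everything-else. With the last term removed the BGP packet reports the implicit final discard, which is exactly the breakage that note 1 above warns about.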


  • 7.  RE: SNMP and SSH

    Posted 10-20-2008 08:00

    Hi again,

     

    Someone said that there are no stupid questions, so don't worry about it 🙂

    I'm glad to hear that it is useful for you. Also, big thanks to AntonD, because it was team work 🙂

     

    Have a nice day,

     

    All the best,

    Gniewko