Arzo

SNMP and SSH

Dear all,

I need to configure the following points on my router:

 

1. Configure the router as an SSH server so I can connect to it securely (and also specify which IPs may connect).

2. The Cisco command (snmp-server enable traps tty): how do I do the same on Juniper?

 

I found some basic configuration regarding this issue, but I can't find some details, like the TTY issue.

 

Thanks in advance for your time and efforts.

Tariq Morad
AntonD

Re: SNMP and SSH

Hi Arzo

 

You mention that you have already found some documentation on the topic but I just want to make sure that you have seen the following:

1) Configuring SSH Service

2) Configuring SNMP Trap Options and Groups

 

For SSH access this will work:

 

lab@router# show system services
ftp;
ssh;
telnet;

[edit]
lab@router#

 

 

For a basic SNMP trap, a configuration like this would already be enough:

 

lab@router# show snmp
trap-group public {
    targets {
        10.0.0.1;
    }
}

[edit]
lab@router#

 

 

 

Gniewko

Re: SNMP and SSH

[ Edited ]

Hi,

 

AntonD has already provided you with valuable information, but I'd like to add something about firewalling (to specify who can even try to connect via SSH to your router; I assumed it would be 10.0.0.1 and 10.0.0.2):

 

 

user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32

user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32

user@router# set firewall family inet filter RE_FILTER term SSH from protocol tcp

user@router# set firewall family inet filter RE_FILTER term SSH from destination-port 22

user@router# set firewall family inet filter RE_FILTER term SSH then accept

user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp

user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22

user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK then discard

user@router# set firewall family inet filter RE_FILTER term DEFAULT then accept

 

 

Then just apply the filter to the lo0 interface:

 

 

user@router# set interfaces lo0 unit 0 family inet filter input RE_FILTER

 

 

I assumed you have no filters applied to lo0, but if you have any, just add the SSH term and, if needed, the SSH_BLOCK term to your own filter. The filter above cares only about SSH (the rest of the protocols are just accepted in the DEFAULT term), so it shouldn't break anything in your network (still, it's always worth analyzing and testing it on your own).

 

Hope it helps a bit,

 

Have a nice day,

 

G.

Message Edited by Gniewko on 10-20-2008 04:45 PM
Arzo

Re: SNMP and SSH

Thank you G for the great example. I have a small question:

 

set firewall family inet filter RE_FILTER term DEFAULT then accept

 

Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.

Tariq Morad
Gniewko

Re: SNMP and SSH

[ Edited ]

Arzo wrote:

Thank you G for the great example. I have a small question:

 

set firewall family inet filter RE_FILTER term DEFAULT then accept

 

Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.


Hi again,

 

No problem, I'm glad You found it useful.

You're right, after the 'term' keyword there should be the name of the term, so 'DEFAULT' in our case is just that: the name of the term (I chose DEFAULT to make its purpose quite obvious). Then, a term can (optionally) have some 'from' statements to match the packets we're interested in, and a 'then' statement to say what to do with those previously matched packets. If you specify no 'from' conditions, that term matches everything (all protocols, ports, etc.; just everything else, not matched in the upper terms). Please have a look here for more info:

http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/filter-match-conditions.html#id-10829544

 

 

Have a nice day,

 

All the best,

G.

Message Edited by Gniewko on 10-20-2008 05:14 PM
Arzo

Re: SNMP and SSH

Thank you so much G, it was really a stupid question :smileyhappy: I realized it after I sent you the reply; I found one that I had configured once. Thanks again. Anyway, you all gave me great help. I will paste my whole collection for this case, which I finished with your help, so it will be useful for other members; if you find anything wrong in my configuration, please let me know.

 

term everything-else {
    then accept;
}

 

The configuration lines:

 

 

TACACS PLUS CONFIGURATION:

set system authentication-order [ tacplus password ]

set system tacplus-server TAC_IP source-address SRC_IP

set system login user remote full-name "TACACS+ User Template" class super-user

 

Notes :

1. It is better to include 'password' after 'tacplus': if the router is unable to reach the TACACS server, it will authenticate locally. If you don't want that option, you can remove it.

2. The user 'remote' is the template for TACACS users to access the router, so it's mandatory.

 

 

SNMP CONFIGURATION:

set snmp location WORK

set snmp contact EMAIL

set snmp community NAME

set snmp trap-options source-address lo0

set snmp trap-group public targets SNMP_SERVER_IP

 

SSH ACCESS AND FILTERING:

 

set system services ssh root-login deny-password

set system services ssh protocol-version v2

set system services ssh connection-limit 10

set system services ssh rate-limit 10

 

set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32

set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32

set firewall family inet filter RE_FILTER term SSH from protocol tcp

set firewall family inet filter RE_FILTER term SSH from destination-port 22

set firewall family inet filter RE_FILTER term SSH then accept

set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp

set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22

set firewall family inet filter RE_FILTER term SSH_BLOCK then discard

set firewall family inet filter RE_FILTER term everything-else then accept

set interfaces lo0 unit 0 family inet filter input RE_FILTER

 

Notes:

1. Do NOT remove or alter the everything-else term or all connections to the router will stop functioning (BGP, Telnet, NTP, etc.)

2. root-login deny-password, so root can't be accessed through SSH.

 

Tariq Morad
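The following is an added example, not code from the thread or from Juniper. It models the term evaluation Gniewko describes (a term with no 'from' matches everything, the first matching term wins) and the implicit discard that sits at the end of every Junos stateless filter, which is what Arzo's note 1 about the everything-else term is warning against. It parses set-style lines of the form used in the thread into ordered terms and runs constructed sample packets through them; the names Term, parse_filter, evaluate and decisions and the sample packets are my own, and only the three match conditions the thread uses (source-address, protocol, destination-port) are implemented.

```python
"""Minimal simulator of Junos stateless firewall-filter term evaluation.

Constructed example: parses 'set firewall family inet filter ...' lines and
evaluates sample packets with first-match semantics plus the implicit
discard that applies when no term matches.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Term:
    name: str
    # match-type -> set of values; several values of one type are OR'ed,
    # different match types are AND'ed, exactly like a Junos 'from' block
    matches: Dict[str, Set[str]] = field(default_factory=dict)
    action: Optional[str] = None  # 'accept', 'discard' or 'reject'


def parse_filter(set_lines, filter_name):
    """Return the ordered list of terms for `filter_name` from set-style lines.
    Terms keep the order in which they are first mentioned, as Junos does."""
    terms = {}
    prefix = ["set", "firewall", "family", "inet", "filter", filter_name, "term"]
    for line in set_lines:
        tokens = shlex.split(line)
        if tokens[:7] != prefix:
            continue
        term = terms.setdefault(tokens[7], Term(tokens[7]))
        if tokens[8] == "from":
            term.matches.setdefault(tokens[9], set()).add(tokens[10])
        elif tokens[8] == "then":
            term.action = tokens[9]
    return list(terms.values())


def _match_condition(kind, values, packet):
    if kind == "source-address":
        src = ipaddress.ip_address(packet["src"])
        return any(src in ipaddress.ip_network(v) for v in values)
    if kind == "protocol":
        return packet["proto"] in values
    if kind == "destination-port":
        return str(packet["dport"]) in values
    raise ValueError(f"unsupported match condition: {kind}")


def evaluate(terms, packet):
    """First matching term wins; a term with no 'from' matches everything;
    a packet matched by no term hits the implicit discard (term None)."""
    for term in terms:
        if all(_match_condition(k, v, packet) for k, v in term.matches.items()):
            return term.name, term.action
    return None, "discard"


# Constructed set-style lines following the RE_FILTER from the thread.
RE_FILTER = [
    "set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32",
    "set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32",
    "set firewall family inet filter RE_FILTER term SSH from protocol tcp",
    "set firewall family inet filter RE_FILTER term SSH from destination-port 22",
    "set firewall family inet filter RE_FILTER term SSH then accept",
    "set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp",
    "set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22",
    "set firewall family inet filter RE_FILTER term SSH_BLOCK then discard",
    "set firewall family inet filter RE_FILTER term everything-else then accept",
]

# The same filter with the catch-all term removed, to show the implicit discard.
RE_FILTER_NO_CATCHALL = [l for l in RE_FILTER if "term everything-else" not in l]

# Constructed sample packets arriving at lo0 (src, protocol, destination port).
SAMPLE_PACKETS = {
    "ssh-from-mgmt": {"src": "10.0.0.1", "proto": "tcp", "dport": 22},
    "ssh-from-elsewhere": {"src": "192.0.2.50", "proto": "tcp", "dport": 22},
    "bgp-from-peer": {"src": "192.0.2.1", "proto": "tcp", "dport": 179},
    "snmp-from-nms": {"src": "10.0.0.1", "proto": "udp", "dport": 161},
}


def decisions(set_lines, filter_name="RE_FILTER"):
    """Map each sample packet name to (matching term, action) under the filter."""
    terms = parse_filter(set_lines, filter_name)
    return {name: evaluate(terms, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, lines in (("with everything-else", RE_FILTER),
                         ("without everything-else", RE_FILTER_NO_CATCHALL)):
        print(label)
        for name, (term, action) in decisions(lines).items():
            print(f"  {name:20s} -> {action} (term {term})")
```

Running it shows SSH from 10.0.0.1 accepted by term SSH, SSH from any other address discarded by SSH_BLOCK, and BGP or SNMP accepted only because everything-else exists; with that term removed the same BGP and SNMP packets fall through to the implicit discard, which is exactly why the note says not to remove it.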
Gniewko

Re: SNMP and SSH

Hi again,

 

Someone said that there are no stupid questions, so don't worry about it :smileyhappy:

I'm glad to hear that it is useful for you. Also, big thanks to AntonD, because it was team work :smileyhappy:

 

Have a nice day,

 

All the best,

Gniewko

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.