ssh/telnet connection-limit behavior

tgoncalves (Visitor, Posts: 7, Registered: 06-28-2012) [Accepted Solution]

Hi all,

Has anyone noted the connection-limit behavior on Junos?

For example, if you want to limit 5 users accessing the router at the same time using protocol ssh or telnet, you will configure under system -> services -> telnet or ssh -> connection-limit 5 command. It will permit 5 users to log in to the router, but the 6th attempt to log in will be "blocked". I say "blocked" because this 6th attempt will not be dropped/rejected by the router; instead Junos keeps this 6th TCP session established (but with a black screen). When one of those 5 users logs off, the login prompt will be displayed to this 6th user.

I'd like to know if there is a way for Junos to drop/reject attempted connections that exceed the limit.

Thanks,

Tiago C. Gonçalves

pk (Distinguished Expert, Posts: 824, Registered: 10-09-2008)
Re: ssh/telnet connection-limit behavior

Hi Tiago,

I don't see the option you want, but there is another option, rate-limit, which allows you to set the maximum number of connections per minute (1..250). Connections exceeding this limit are rejected (the session is closed right after opening with a FIN, actually). So if you are concerned about DoS attacks, you can use this option. Also I think you could write a filter on lo0 with a policer for some extra protection, but you should be very careful with it.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
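As an added illustration (not configuration posted by either participant), here are the two knobs discussed above, connection-limit and rate-limit, together with a conservative lo0 filter and policer of the kind PK mentions. The prefix-list name mgmt-hosts, the 192.0.2.0/24 range, the filter and policer names, and the policer values are assumptions; the rate-limit range 1..250 comes from PK's reply. The final accept term is the safeguard behind his warning: a filter on lo0 ends in an implicit discard, so everything not explicitly accepted (routing protocols, NTP, SNMP, your own management session) stops reaching the Routing Engine.

```junos
/* Cap concurrent sessions (the 6th connection is held, as Tiago describes)
   and reject connection attempts above N per minute (1..250), which PK
   notes are closed with a FIN rather than queued. */
system {
    services {
        ssh {
            connection-limit 5;
            rate-limit 10;
        }
        telnet {
            connection-limit 5;
            rate-limit 10;
        }
    }
}

/* Assumed management prefix; replace with your own. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}

firewall {
    /* Policer values are illustrative, not a recommendation. */
    policer limit-mgmt {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* SSH/Telnet only from trusted hosts, and policed. */
            term mgmt-allowed {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    policer limit-mgmt;
                    accept;
                }
            }
            /* Anyone else gets no TCP handshake; log for visibility. */
            term mgmt-denied {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* Essential: without this term the implicit discard takes
               everything else to the RE down with it. */
            term everything-else {
                then accept;
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Commit a change like this with `commit confirmed` so that a mistake in the filter rolls back on its own if you lose access to the box, and watch `show firewall filter protect-re` to confirm the policer and the deny term are counting what you expect.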
tgoncalves (Visitor, Posts: 7, Registered: 06-28-2012)
Re: ssh/telnet connection-limit behavior

Hi PK,

Thanks for the explanation.

Regards
