DX - Load Balancing & Application Acceleration

changing dxos ssh server port

02-08-2009 05:03 AM

Hello,

 

I have a DX 3200 product. For security reasons we need to change the default admin SSH port 22 to another one.

How can we change it from the WebUI or from the command line?

If we cannot change the default SSH port, how can we restrict SSH access to the DX load balancer to several IP addresses?

 

Thanks,

 


Re: changing dxos ssh server port

02-09-2009 04:50 AM

For SSH access, the DX supports enabling/disabling SSHv1 and/or SSHv2:

 

% show admin ssh
SSH: up
SSHv1: enabled
SSHv2: enabled

 

% set admin ssh
Insufficient arguments.
Possible arguments for "set admin ssh":
down                 disable ssh logins
up                   enable ssh logins
version              configure a particular SSH protocol

 

 

The SSH daemon listens on the admin interface VIP address, if it is configured. If no explicit VIP is configured, then it will listen on the IP address configured on the admin ether interface. If the admin interface is not set, then it will listen on all IP addresses - this can be seen with 'netstat -an'.

 

 

a) No admin interface or VIP:

 

% show admin vip
VIP Address:
% show admin interface
Admin Interface:

% netstat -an | grep 22

tcp4       0      0  *.22                   *.*                    LISTEN

 

 

b) Admin Interface configured; no admin VIP (ether0: IP address = 172.26.31.203):

 

% set admin interface ether 0
(*) % write

 

% netstat -an | grep 22

 tcp4       0      0  172.26.31.203.22       *.*                    LISTEN

 

 

 

c) Admin Interface and admin VIP configured:

I add a private subnet to ether0:

 

  % add ether 0 subnet 10.166.166.166 255.255.255.252
(*) % write

 

I then set the admin VIP to the spare IP in this subnet:

 

  % set admin vip 10.166.166.165
(*) % wr

The DX is now listening for port 22 on this address:

 

  tcp4       0      0  10.166.166.165.22      *.*                    LISTEN

As this is a private IP I have no way to route to this address, but I can now set up a SLB group with a routeable address and whatever port I desire and set 10.166.166.165:22 as the target.

 

 

 % add slb group WebUI_SSH 172.26.31.211:2222
Group WebUI_SSH created
(*) set slb group WebUI_SSH target host 10.166.166.165:22

(*) % write

 

 

I can now SSH to the SLB group IP and port:

 

$ ssh -p 2222 172.26.31.211
admin@172.26.31.211's password:

                          Welcome To Juniper Networks
                                       DX
                       Application Acceleration Platform

%

 If I try and SSH to the primary ether0 address I now get:

 

$ ssh 172.26.31.203
ssh: connect to host 172.26.31.203 port 22: Operation timed out

Another option is to have a different ether interface on an internal subnet to be the admin interface, so SSH/WebUI connections can only come via this internal network.

The DX does not have a way to filter client IPs to SLB groups and Forwarders; clusters can use apprules to block/allow client IP addresses. It is recommended to use a firewall to filter connections so you can have the granular control with logging.
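The reply above walks through three states of the SSH listener (bound to all addresses, to the ether0 address, or to the private admin VIP) and checks each with 'netstat -an'. The following script is an added example, not part of the reply or of DXOS: it parses BSD-style netstat output of the form shown in the reply and reports whether port 22 is bound only to the expected admin VIP. The sample lines are constructed from the addresses in the reply; the netstat column layout is assumed to match what the reply shows.

```python
import re
from typing import List, NamedTuple

# BSD-style netstat prints the local socket as ADDR.PORT, with '*' as the wildcard.
# Columns assumed: proto recv-q send-q local-address foreign-address state
LISTEN_RE = re.compile(r"^\s*(tcp\d*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s*$")


class Listener(NamedTuple):
    proto: str
    addr: str  # '*' means every local address
    port: int


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Extract LISTEN sockets from `netstat -an` text; other lines are ignored."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, local, _remote = m.groups()
        # Split on the last dot only: '10.166.166.165.22' -> ('10.166.166.165', '22')
        addr, _, port = local.rpartition(".")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit_ssh_binding(netstat_output: str, expected_vip: str, port: int = 22) -> List[str]:
    """Return findings; an empty list means SSH listens only on expected_vip."""
    findings = []
    ssh = [l for l in parse_listeners(netstat_output) if l.port == port]
    if not ssh:
        findings.append(f"no listener on port {port}: SSH is down or not visible")
    for l in ssh:
        if l.addr == "*":
            findings.append(f"port {port} bound to all addresses ({l.proto}): no admin interface/VIP set")
        elif l.addr != expected_vip:
            findings.append(f"port {port} bound to {l.addr}, not the admin VIP {expected_vip}")
    return findings


# Constructed samples mirroring cases a), b) and c) from the reply.
CASE_A = "tcp4       0      0  *.22                   *.*                    LISTEN\n"
CASE_B = " tcp4       0      0  172.26.31.203.22       *.*                    LISTEN\n"
CASE_C = (
    "tcp4       0      0  172.26.31.211.2222     *.*                    LISTEN\n"
    "tcp4       0      0  10.166.166.165.22      *.*                    LISTEN\n"
    "tcp4       0      0  10.166.166.165.22      10.166.166.166.51234   ESTABLISHED\n"
)

if __name__ == "__main__":
    for name, sample in (("a", CASE_A), ("b", CASE_B), ("c", CASE_C)):
        print(name, audit_ssh_binding(sample, "10.166.166.165") or "OK")
```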


Re: changing dxos ssh server port

02-10-2009 12:08 PM

Just remember that changing the port to something else doesn't really buy you any added security.

 

Security through obscurity is not good security.

 

 

Whether or not you change the port that you use for SSH, you should take measures (router ACL, etc.) to limit access to only authorized management stations.
