Thank you so much G, it was really a stupid question. I realized it after I sent you the reply; I found one that I configured once. Thanks again. Anyway, you all gave me a great help. I will paste all my collection for this case that I finished with your help so it will be useful for other members. If you find anything wrong in my configuration, please inform me.
term everything-else {
then accept;
the configuration lines.
TACACS PLUS CONFIGURATION:
set system authentication-order [ tacplus password ]
set system tacplus-server TAC_IP source-address SRC_IP
set system login user remote full-name "TACACS+ User Template" class super-user
Notes:
1. tacplus password is better to include: if the router is unable to reach the TACACS server, it will authenticate locally. If you don't want that option you can remove it.
2. The user remote is the template for TACACS to access the router, so it's mandatory.
SNMP CONFIGURATION:
set snmp location WORK
set snmp contact EMAIL
set snmp community NAME
set snmp trap-options source-address lo0
set snmp trap-group public targets SNMP_SERVER_IP
SSH ACCESS AND FILTERING:
set system services ssh root-login deny-password
set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services ssh rate-limit 10
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port 22
set firewall family inet filter RE_FILTER term SSH then accept
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term everything-else then accept
set interfaces lo0 unit 0 family inet filter input RE_FILTER
Notes:
1. Do NOT remove or alter the everything-else term or all connections to the router will stop functioning (BGP, Telnet, NTP, etc.)
2. root-login deny-password, so root won't be able to access through SSH.
#SNMP#TACACS+#ssh
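Added example, not part of the original post: a small Python model of how the RE_FILTER terms above are evaluated in order, showing which term decides SSH from a listed source, SSH from anywhere else, and other traffic to the routing engine, and what happens once everything-else is removed (a Junos filter ends with an implicit discard). The helper names and the 192.0.2.50 test address are constructed for illustration, and only the three match conditions used in the post are modelled.

```python
import ipaddress

# RE_FILTER terms copied from the post, with the leading
# "set firewall family inet filter RE_FILTER" removed from each line.
RE_FILTER = """\
term SSH from source-address 10.0.0.1/32
term SSH from source-address 10.0.0.2/32
term SSH from protocol tcp
term SSH from destination-port 22
term SSH then accept
term SSH_BLOCK from protocol tcp
term SSH_BLOCK from destination-port 22
term SSH_BLOCK then discard
term everything-else then accept
"""

def parse_terms(text):
    """Return an ordered list of (name, match-conditions, action)."""
    terms = {}  # dicts keep insertion order, which is the term order
    for line in text.splitlines():
        words = line.split()
        if len(words) < 4 or words[0] != "term":
            continue
        term = terms.setdefault(words[1], {"from": {}, "then": None})
        if words[2] == "from" and len(words) > 4:
            term["from"].setdefault(words[3], []).append(words[4])
        elif words[2] == "then":
            term["then"] = words[3]
    return [(n, t["from"], t["then"]) for n, t in terms.items()]

def evaluate(terms, src, proto, dport):
    """First matching term decides; no match hits the implicit discard."""
    for name, cond, action in terms:
        srcs = cond.get("source-address")
        if srcs and not any(ipaddress.ip_address(src) in ipaddress.ip_network(p)
                            for p in srcs):
            continue  # values of one condition are ORed
        if "protocol" in cond and proto not in cond["protocol"]:
            continue  # different conditions are ANDed
        if "destination-port" in cond and str(dport) not in cond["destination-port"]:
            continue
        return name, action
    return "(implicit)", "discard"

if __name__ == "__main__":
    terms = parse_terms(RE_FILTER)
    for pkt in [("10.0.0.1", "tcp", 22), ("192.0.2.50", "tcp", 22), ("192.0.2.50", "tcp", 179)]:
        print(pkt, evaluate(terms, *pkt), "| without everything-else:", evaluate(terms[:-1], *pkt))
```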