Junos

ssh/telnet connection-limit behavior

06-28-2012 04:29 PM

Hi all,

Has anyone noticed the connection-limit behavior on Junos?

For example, if you want to limit 5 users accessing the router at the same time using the ssh or telnet protocol, you configure the connection-limit 5 command under system -> services -> telnet or ssh. It will permit 5 users to log in to the router, but the 6th attempt to log in will be "blocked". I say "blocked" because this 6th attempt will not be dropped/rejected by the router; instead Junos keeps this 6th TCP session established (but with a blank screen). When one of those 5 users logs off, the login prompt will be displayed to this 6th user.

I'd like to know if there is a way for Junos to drop/reject attempted connections that exceed the limit.

Thanks,

Tiago C. Gonçalves

2 REPLIES
Re: ssh/telnet connection-limit behavior

07-05-2012 12:41 AM

Hi Tiago,

I don't see such an option as you want, but there is another option, rate-limit, which lets you set the maximum number of connections per minute (1..250). Connections exceeding this limit are rejected (the session is closed right after opening with a FIN, actually). So if you are concerned about DoS attacks, you can use this option. Also, I think you could write a filter on lo0 with a policer for some extra protection, but you should be very careful with it.

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
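The two mechanisms PK describes (the per-minute rate-limit beside the original connection-limit, and an lo0 filter with a policer) in one Junos configuration, as an added example that is not from the thread. The filter name PROTECT-RE, the policer name SSH-POLICER, the prefix list MGMT-HOSTS and the 192.0.2.0/24 management range are assumed, constructed values; the policer thresholds are illustrative and must be sized for the real management traffic of the box.

```junos
/* Constructed example: not from the thread. Names and prefixes are placeholders. */
system {
    services {
        ssh {
            connection-limit 5;   /* at most 5 concurrent sessions; the 6th waits (see question) */
            rate-limit 5;         /* at most 5 new connections per minute; extra ones get a FIN */
        }
        telnet {
            connection-limit 5;
            rate-limit 5;
        }
    }
}
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;             /* assumed management network */
    }
}
firewall {
    policer SSH-POLICER {
        if-exceeding {
            bandwidth-limit 1m;   /* illustrative: tune to your environment */
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            term MGMT-SSH-TELNET {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;      /* management hosts are never policed */
            }
            term OTHER-SSH-TELNET {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    policer SSH-POLICER;
                    accept;
                }
            }
            term ALLOW-EVERYTHING-ELSE {
                then accept;      /* REQUIRED: without this the implicit discard drops routing protocols and BFD */
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

This is the "be very careful" part: an lo0 filter ends in an implicit discard, so the final accept term is what keeps OSPF, BGP, NTP and similar control traffic alive; test the filter with commit confirmed before trusting it.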

Re: ssh/telnet connection-limit behavior

07-11-2012 11:46 AM

Hi PK,

Thanks for the explanation.

Regards