SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
SSH Management question

  • 1.  SSH Management question

    Posted 10-22-2009 09:13

    Hey guys, is it possible to change the SSH port for the SRX?

     

    Thanks

     

     



  • 2.  RE: SSH Management question

    Posted 10-22-2009 10:02

    Yes - the box contains a whole slew of pre-defined applications. If you do a "show application" you won't see them but you can edit them:

     

    They are referred to by the name of "junos-appname" IE - junos-ssh

     

    Example:

     

    root@ITG_SRX# edit applications application junos-ssh

    [edit applications application junos-ssh]
    root@ITG_SRX# set destination-port 44

     

    Will change the SSH port to port 44

     



  • 3.  RE: SSH Management question

    Posted 10-23-2009 08:42

    Thank you for your reply, accepted solution.



  • 4.  RE: SSH Management question

    Posted 10-23-2009 08:45

    Hi,

     

    I think you are talking about different things. It is not possible to change the SSH port for management access to the box! I think that was the question. Redefining the application would not help in this case.

     

    Kind Regards

    Michael Pergament



  • 5.  RE: SSH Management question

    Posted 10-23-2009 08:57

    Is there a way to change the management SSH port?



  • 6.  RE: SSH Management question

    Posted 10-23-2009 08:58

    Sorry for the double post, but what is the difference between ssh and junos-ssh?



  • 7.  RE: SSH Management question

    Posted 10-23-2009 09:02

    Hi,

     

    No, there is no "supported" way to do so.

     

    1) The SSH server is running locally if you enable service SSH under "system services". You cannot change the port on which it is running.

    2) junos-ssh is a service definition which can be used in security policies.

     

    Kind Regards

    Michael

     

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 8.  RE: SSH Management question

    Posted 10-23-2009 09:10

    So the only way to SSH into an SRX is through port 22? It is not possible to change it to any higher port?



  • 9.  RE: SSH Management question
    Best Answer

    Posted 10-23-2009 09:12

    Exactly.

     

    Kind Regards

    Michael Pergament



  • 10.  RE: SSH Management question

    Posted 10-23-2009 09:15

    Thank you, accepted solution.



  • 11.  RE: SSH Management question

    Posted 10-23-2009 13:18

    Guys, I have a problem: I need to have SSH packets go to a specific server within my trusted network. We use port 20 to port-forward all SSH requests, but I still want access to my SSH management interface.

     

    Any ideas on what I can do? Thanks.



  • 12.  RE: SSH Management question

    Posted 01-02-2010 08:05

    You need to have at least 2 IP addresses then, one for management, one for NAT.

     

    Anyways, this is quite a problem for two reasons.

     

    First, there is the same small-business scenario, where you have just one public IP address and you need to use this same address for remote management.

     

    Secondly, if you need to allow SSH access from 0.0.0.0/0 and you run it on port 22, you get SSH brute-force traffic 24*7*365 - who needs this?

     

    Someone should report this as a bug or feature request. Now that Junos runs on SOHO devices like the SRX100, we need to have support for seamless in-band management.

     



  • 13.  RE: SSH Management question

    Posted 10-07-2010 16:41

    Couldn't you just add a "Port nn" statement to the sshd_config?



  • 14.  RE: SSH Management question

    Posted 07-12-2011 07:12

    Uhh, sorry for digging this up :P

     

     

    At least on SRX, sshd is started by inetd, so you should modify /etc/inetd.conf from

    ______________________________________________________________________
    login stream tcp/rt=__juniper_private1__ nowait/75/150 root /usr/libexec/rlogind rlogind
    shell stream tcp/rt=__juniper_private1__ nowait/75/1500 root /usr/libexec/rshd rshd #
    ssh stream tcp nowait/75/150 root /usr/sbin/sshd sshd -i -f /var/etc/sshd_conf
    ssh stream tcp6 nowait/75/150 root /usr/sbin/sshd sshd -i -f /var/etc/sshd_conf
    ______________________________________________________________________

    to

    ______________________________________________________________________
    login stream tcp/rt=__juniper_private1__ nowait/75/150 root /usr/libexec/rlogind rlogind
    shell stream tcp/rt=__juniper_private1__ nowait/75/1500 root /usr/libexec/rshd rshd #
    2222 stream tcp nowait/75/150 root /usr/sbin/sshd sshd -i -f /var/etc/sshd_conf
    2222 stream tcp6 nowait/75/150 root /usr/sbin/sshd sshd -i -f /var/etc/sshd_conf
    ______________________________________________________________________


    Accepting this traffic is another thing; maybe defining system applications will do?
    --
    Lazy



  • 15.  RE: SSH Management question

    Posted 03-16-2012 03:30

    This looks like an interesting solution, however, I did not find a way to define a system application which can be used to allow traffic to the alternate port, maybe someone can point out how to do this?

    Also, how do I store changes to the inetd.conf file permanently?



  • 16.  RE: SSH Management question

    Posted 02-20-2015 03:52

    I'm sure what you could do is:

    1. Define a loopback interface.

    2. Define a destination NAT rule to forward traffic on the untrusted interface on the desired port to the loopback interface on port 22.

     

    original = untrust interface IP:2222 -> NATed = loopback IP:22

     

    Obviously you will need to allow SSH as an inbound service on the security zone to which the loopback is assigned.

    And you will need a security policy to allow the NATed traffic through.

     

    I haven't actually done it, but in theory it should work.
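The loopback-plus-destination-NAT design described in the post above, written out as an added Junos set-format configuration example. It is constructed for this page and was not posted by anyone in the thread. Assumed values (all placeholders): untrust interface ge-0/0/0.0 at 203.0.113.10, loopback lo0.0 at 10.255.255.1 in a zone named mgmt, alternate port 2222, an allowed administrator prefix 198.51.100.0/24, and the object names ssh-lo0, untrust-ssh, ssh-2222, admin-net, lo0-addr and ssh-alt. The example goes one step beyond the post by restricting the source prefix and by leaving ssh out of the untrust zone's host-inbound-traffic, so that a direct connection to port 22 on the public address is dropped while port 2222 still reaches the box.

```junos
# Added example: alternate SSH management port via destination NAT to lo0.
# Every address, interface and object name below is an assumed placeholder.

# sshd still listens on 22; it is only reachable on zones that allow ssh
# under host-inbound-traffic.
set system services ssh

# Loopback that terminates management sessions, in its own zone, with ssh
# allowed inbound only there.
set interfaces lo0 unit 0 family inet address 10.255.255.1/32
set security zones security-zone mgmt interfaces lo0.0
set security zones security-zone mgmt host-inbound-traffic system-services ssh

# Untrust zone deliberately lists no ssh under host-inbound-traffic, so
# 203.0.113.10:22 from the outside is dropped (the "reject port 22" case).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set security zones security-zone untrust interfaces ge-0/0/0.0

# Destination NAT: untrust-IP:2222 -> lo0-IP:22, the mapping from the post.
set security nat destination pool ssh-lo0 address 10.255.255.1/32 port 22
set security nat destination rule-set untrust-ssh from zone untrust
set security nat destination rule-set untrust-ssh rule ssh-2222 match destination-address 203.0.113.10/32
set security nat destination rule-set untrust-ssh rule ssh-2222 match destination-port 2222
set security nat destination rule-set untrust-ssh rule ssh-2222 then destination-nat pool ssh-lo0

# Address objects used by the policy.
set security zones security-zone untrust address-book address admin-net 198.51.100.0/24
set security zones security-zone mgmt address-book address lo0-addr 10.255.255.1/32

# Policy lookup happens after destination NAT, so the policy matches the
# translated destination (lo0 on port 22) with the pre-defined junos-ssh
# application. Source is limited to the admin prefix rather than "any" to
# keep brute-force traffic off the management plane; session-init logging
# gives a record of every new management connection.
set security policies from-zone untrust to-zone mgmt policy ssh-alt match source-address admin-net
set security policies from-zone untrust to-zone mgmt policy ssh-alt match destination-address lo0-addr
set security policies from-zone untrust to-zone mgmt policy ssh-alt match application junos-ssh
set security policies from-zone untrust to-zone mgmt policy ssh-alt then permit
set security policies from-zone untrust to-zone mgmt policy ssh-alt then log session-init
```

After committing, `show security nat destination rule all` shows the translation hit counter climbing when an administrator connects to 203.0.113.10:2222, and `show security flow session destination-port 22` shows the resulting session terminating on the loopback address. The NAT rule matches on the untrust address, so the same configuration works on a single-public-IP deployment like the one described in post 12, and the policy's source-address restriction is what answers the brute-force concern raised there.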



  • 17.  RE: SSH Management question

    Posted 02-23-2015 03:53

    I tested this as mentioned in my previous post and it works fine.



  • 18.  RE: SSH Management question

    Posted 10-10-2018 11:59

    Thank you, Junspert.

     

    I know this is an old article but I tried this solution and it worked perfectly.



  • 19.  RE: SSH Management question

    Posted 01-18-2016 13:04
    But, can you reject 22 port?