How to Configure Dual BGP Route Reflectors for Backup
How to Configure and Monitoring IS-IS on Junos Devices
How to Log and Trace Events with Junos OS

How to Tighten the Password on Junos Root Login

During the initial configuration of a new router, you set the root password as a plain-text password. Because the root user is able to perform any and all operations on the router, tightening access to the root login account is a good idea. One way to do so is to configure the root password using SSH key authentication, which is more secure than the plain-text password:

[edit system]
fred@router# set root-authentication ssh-dsa "ssh-dss
       AAAAB3NzaC1kc3MAAACBAMQrfP2bZyBXJ6PC7XXZ+MzErI8Jl6jah5L4/
       O8BsfP2hC7EvRfNoX7MqbrtCX/9gUH9gChVuBCB+ERULMdgRvM5uGhC/
       gs4UX+4dBbfBgKYYwgmisM8EoT25m7qI8ybpl2YZvHNznvO8h7kr4kpYuQEpKvgsTdH/
       Jle4Uqnjv7DAAAAFQDZaqA6QAgbW3O/zveaLCIDj6p0dwAAAIB1iL+krWrXiD8NPpY+
       w4dWXEqaV3bnobzPC4eyxQKBUCOr80Q5YBlWXVBHx9elwBWZwj0SF4hLKHznExnLer
       VsMuTMA846RbQmSz62vM6kGM13HFonWeQvWia0TDr78+
       rOEgWF2KHBSIxL51lmIDW8Gql9hJfD/Dr/NKP97w3L0wAAAIEAr3FkWU8XbYy
       tQYEKxsIN9P1UQ1ERXB3G40YwqFO484SlyKyYCfaz+yNsaAJu2C8UebDIR
       3GieyNcOAKf3inCG8jQwjLvZskuZwrvlsz/xtcxSoAh9axJcdUfSJYMW/
       g+mD26JK1Cliw5rwp2nH9kUrJxeI7IReDp4egNkM4i15o= 
       mike@server"; ## SECRET-DATA

As you can see, this is a lot to type! If you don’t feel like entering so much text, you can also load an SSH key file from a network server:

[edit system]
fred@router# set root-authentication load-key-file server-name:/dir/filename

When SSH is enabled, anyone with the root password or SSH private key can log in as the root user from anywhere on the network. This capability is useful in large networks or when you can’t get physical access to the router.

Generally, however, no one on the network should have any reason to log in to the router using the root account, so you can ratchet up the router security one level by forcing anyone logging in as root to log in directly from the router’s console port. To do so, you disable root login through SSH:

[edit system]
fred@router# set services ssh root-login deny

The console port is enabled by default on Junos routers. Although you can disable it, don’t! The only way you can remain logged in to a router while its rebooting is by connecting to the console port. This is helpful when troubleshooting router problems. Also, if you lose network access to the router, the only way to access the router is to connect a laptop or terminal to the router’s console port.

Password selection is one of the most important ways to protect a router from hackers and other types of unwanted attacks. Be sure that the root and user accounts you create on the router all have passwords and that the passwords are strong:

  • Choose a password that is a combination of uppercase and lowercase letters, digits, and punctuation characters.

  • Choose a password that is a phrase or a shortened version of a phrase that you can easily remember without writing it down.

  • Don’t choose the router vendor name (such as juniper), the string admin, or the string password.

  • Don’t choose an easily guessable password, such as your birthday or spouse’s name.

  • Don’t use a word that’s in a dictionary in any language. Brute-force, automated programs can rapidly try all words in all online dictionaries when attempting to break into a router.

blog comments powered by Disqus
Deal with Network Issues at Layer 3 Using Junos OS
How to Link an Explicit Route to the LSP Using Junos
How to Configure Ethernet CFM across Multiple Domains Using Junos
Junos OS Commands: What Show Route Does
Routers that Run Junos
Advertisement

Inside Dummies.com