Control SSH and Telnet Access to Junos Routers
SSH and Telnet are the two common ways for users to access the router. Both require password authentication, either through an account configured on the router or an account set on a centralized authentication server, such as a RADIUS server. Even with a password, Telnet sessions are inherently insecure, and SSH can be attacked by brute-force attempts to guess passwords.
You restrict SSH and Telnet access by creating a firewall filter, which regulates the traffic on a specific interface, deciding what to allow and what to discard. Creating a filter is a two-part process:
You define the filtering details.
You apply the filter to a router interface.
Now, when you want to control access to the router, you’d normally need to apply those restrictions to every interface, because the router can be contacted through any of them. To make this easier, Junos OS lets you apply firewall filters to the loopback (lo0) interface.
Firewall filters applied to the lo0 interface affect all traffic destined to the router’s control plane, regardless of the interface on which the packet arrived. So to limit SSH and Telnet access to the router, you apply the filter to the lo0 interface.
The filter shown in the following process is called limit-ssh-telnet, and it has two parts, or terms. The Junos OS evaluates the two terms sequentially. Traffic that matches the first term is processed immediately, and traffic that fails is evaluated by the second term. Here’s how the process works:
The first term of the limit-ssh-telnet filter, access-term, looks for SSH and Telnet access attempts only from devices on the 192.168.0.1/24 subnetwork.
Packets match this term only if the IP header carries a source address from the 192.168.0.1/24 prefix, the IP header shows the packet is a TCP packet, and the TCP header shows that the traffic is headed for the SSH or Telnet destination port.
If all these criteria are met, the filter’s action is to accept the access attempt and traffic:
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term from source-address 192.168.0.1/24
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term from protocol tcp
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term from destination-port [ssh telnet]
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term then accept
The second term, called block-all-else, blocks all traffic that did not match the first term.
You do this with a basic reject action. This term contains no match criteria, so by default it applies to all traffic that fails the first term:
[edit firewall]
fred@router# set filter limit-ssh-telnet term block-all-else then reject
You should track failed attempts to access the router so you can determine whether a concerted attack is underway. The block-all-else term counts the number of failed access attempts. The three commands in the next example count these attempts in a counter named bad-access, log the packet header, and send a message to the syslog process:
[edit firewall]
fred@router# set filter limit-ssh-telnet term block-all-else then count bad-access
[edit firewall]
fred@router# set filter limit-ssh-telnet term block-all-else then log
[edit firewall]
fred@router# set filter limit-ssh-telnet term block-all-else then syslog
Creating a filter is half the process. The second half is to apply it to a router interface, in this case to the router’s loopback interface, lo0:
[edit interfaces]
fred@router# set lo0 unit 0 family inet filter input limit-ssh-telnet
You apply the filter as an input filter, which means that the Junos OS applies it to all incoming traffic destined to the control plane.
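As an added illustration (not Junos code, and not part of the original article), the following Python model replays the two-term filter over a few constructed packets to show first-match term evaluation and the counter behaviour; it also shows that the catch-all block-all-else term rejects every other packet reaching the control plane, such as a BGP session from a neighbour, which is why a real lo0 filter usually needs additional accept terms ahead of it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the limit-ssh-telnet filter described in the text.
# strict=False mirrors Junos treating 192.168.0.1/24 as the 192.168.0.0/24 prefix.
ALLOWED_NET = ipaddress.ip_network("192.168.0.1/24", strict=False)
FILTER = [
    {"name": "access-term",
     "from": {"source-address": ALLOWED_NET, "protocol": "tcp",
              "destination-port": {22, 23}},          # ssh, telnet
     "then": ["accept"]},
    {"name": "block-all-else", "from": {},             # no criteria: matches everything
     "then": ["count bad-access", "log", "syslog", "reject"]},
]

@dataclass
class Packet:            # minimal constructed packet: source IP, IP protocol, TCP/UDP dport
    src: str
    proto: str
    dport: Optional[int] = None

def term_matches(term, pkt):
    """All 'from' criteria in a term must hold for the term to match."""
    f = term["from"]
    if "source-address" in f and ipaddress.ip_address(pkt.src) not in f["source-address"]:
        return False
    if "protocol" in f and pkt.proto != f["protocol"]:
        return False
    if "destination-port" in f and pkt.dport not in f["destination-port"]:
        return False
    return True

def evaluate(pkt, counters):
    """Terms are evaluated in order; the first match decides the packet's fate.
    Side actions (count/log/syslog) run on the matching term before the verdict.
    A packet matching no term at all is discarded, as Junos does implicitly."""
    for term in FILTER:
        if term_matches(term, pkt):
            for action in term["then"]:
                if action.startswith("count "):
                    name = action.split()[1]
                    counters[name] = counters.get(name, 0) + 1
            return "accept" if "accept" in term["then"] else "reject"
    return "discard"

def run_samples():
    """Replay constructed traffic and return (verdicts, counters)."""
    counters = {}
    samples = [Packet("192.168.0.50", "tcp", 22),   # SSH from allowed subnet
               Packet("10.0.0.5", "tcp", 22),       # SSH from elsewhere
               Packet("192.168.0.2", "tcp", 179),   # BGP from a neighbour: also rejected
               Packet("192.168.0.9", "icmp")]       # ping to the router: also rejected
    return [evaluate(p, counters) for p in samples], counters
```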