Controlling SSH and Telnet Access to the Router
SSH and Telnet are the two common ways for users to access the router. Both require password authentication, either through an account configured on the router or an account set on a centralized authentication server, such as a RADIUS server. Even with a password, Telnet sessions are inherently insecure, and SSH can be attacked by brute-force attempts to guess passwords.
One way to limit the number of people who can log in to the router is to restrict which network systems people can use to connect to the router.
You restrict SSH and Telnet access by creating a firewall filter, which regulates the traffic on a specific interface, deciding what to allow and what to discard. (Firewall filters are discussed in more detail in Chapter 14.) Creating a filter is a two-part process:
- You define the filtering details.
- You apply the filter to a router interface.
Now, when you want to control access to the router, you'd normally need to apply those restrictions to every interface as the router can be contacted through any interface. However, to make things easier, Junos OS allows you to apply firewall filters to the lo0 interface. Firewall filters applied to the lo0 interface affect all traffic destined to the router's control plane, regardless of the interface on which the packet arrived. So to limit SSH and Telnet access to the router, you ...
Get Junos® OS For Dummies®, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
