On 03/04/11 02:13, Jesus Alvarez wrote:
> It should be trivial to implement a configurable SSH port in the Junos

True.

> firmware and this would help in securing the router. Practically all

I doubt it.

> scanners attempt SSH logins when port 22 is available but very few check
> all available ports. It is surprising that Juniper does not provide a
> way to change the SSH port.

In my experience if you change the port all that happens is the really
simple scans go away, but anything the least bit "smart" is still there.

The way to stop SSH being an issue is:

1. If possible, firewall the port to allow known management traffic only.
Obviously most networks need to leave a few bounce hosts for
emergencies, but these can be *nix hosts that can run fail2ban or similar.

2. Disable root auth (*especially* with JunOS, I find I need a root [not
super-user] shell roughly once a year, and "start shell; su" takes care
of that)

3. Disable password auth. As long as you don't trust any known
compromised keys (Debian SSL bug bites again) this stops everything.

Attachment: signature.asc
Description: OpenPGP digital signature
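The three steps above written out as Junos configuration, added here as an example and not part of the original message; the filter name PROTECT-RE, the prefix-list mgmt-hosts and the 192.0.2.0/24 management range are assumptions.

```junos
policy-options {
    /* Assumed management range; replace with the real bounce hosts */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Step 1: SSH towards the RE only from mgmt-hosts */
            term ssh-from-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Every other SSH attempt is logged (show firewall log) and dropped */
            term ssh-deny {
                from { protocol tcp; destination-port ssh; }
                then { log; discard; }
            }
            /* Keep routing protocols, NTP, SNMP etc. reaching the RE */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input PROTECT-RE; }
            }
        }
    }
}
system {
    services {
        ssh {
            /* Step 2: no root over SSH; "start shell; su" covers the rare root task */
            root-login deny;
            /* Step 3: keys only; no-challenge-response closes the keyboard-interactive path too */
            no-passwords;
            no-challenge-response;
        }
    }
}
```

Apply it with `commit confirmed` from a host inside mgmt-hosts so a filter mistake rolls back instead of locking you out. This family inet filter says nothing about IPv6; if the RE has IPv6 addresses, a matching family inet6 filter is needed as well.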

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
