Re: [j-nsp] protect ssh and telnet

2016-04-16 Thread Krasimir Avramski
Hey Aaron, file show /var/db/scripts/commit/ifl-addr.slax version 1.0; ns junos = "http://xml.juniper.net/junos/*/junos"; ns xnm = "http://xml.juniper.net/xnm/1.1/xnm"; ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0"; import "../import/junos.xsl"; match configuration { var $top

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Aaron
Right, that’s what I saw recently when working through a case with JTAC… I need a solution that will… 1 – apply to ONLY my direct/local actual ip addresses on my ACX5048 2 – apply to ONLY routing-instance vrf “one”

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Krasimir Avramski
kr...@smartcom.bg] > *Sent:* Friday, April 15, 2016 6:51 AM > *To:* Aaron > *Cc:* Chris Jones ; Juniper-Nsp < > juniper-nsp@puck.nether.net> > > *Subject:* Re: [j-nsp] protect ssh and telnet > > > > Hi Aaron, > > > > Below is commit script which is

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Krasimir Avramski
> My vrf “one” is where my public/vulnerable ip’s live… >> >> >> >> I don’t need to protect my default core vrf which is all 10.x.x.x and >> that domain is behind a mgmt. net firewall boundary >> >> >> >> Aaron >> >> >> >> F

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Roberto Bertó
hat > domain is behind a mgmt. net firewall boundary > > > > Aaron > > > > From: Krasimir Avramski [mailto:kr...@smartcom.bg] > Sent: Friday, April 15, 2016 6:51 AM > To: Aaron > Cc: Chris Jones ; Juniper-Nsp < > juniper-nsp@puck.nether.net> > Subject: Re

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Aaron
.x.x.x and that domain is behind a mgmt. net firewall boundary Aaron From: Krasimir Avramski [mailto:kr...@smartcom.bg] Sent: Friday, April 15, 2016 6:51 AM To: Aaron Cc: Chris Jones ; Juniper-Nsp Subject: Re: [j-nsp] protect ssh and telnet Hi Aaron, Below is commit script which is

Re: [j-nsp] protect ssh and telnet

2016-04-15 Thread Krasimir Avramski
ude a > condition or policy somehow to apply the firewall policy to ONLY LOCAL > ROUTES (/32’s) ? that would be nice , so that I would never have to > add/subtract specific ip addresses in this firewall policy. > > > > Aaron > > > > > > > > From: Chris Jone

Re: [j-nsp] protect ssh and telnet

2016-04-13 Thread Aaron
specific ip addresses in this firewall policy. Aaron From: Chris Jones [mailto:ipv6fre...@gmail.com] Sent: Wednesday, April 13, 2016 10:05 AM To: Aaron Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] protect ssh and telnet To answer OP's actual question: What you're loo

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Vincent Bernat
❦ 5 April 2016 11:58 -0400, Phil Shafer: > Apologies. I shot my mouth off. JUNOS does not currently support > this. And RADIUS, being cleartext, is not suitable. > > LDAP (w/ SSL) would be a better solution, using something like: > > https://github.com/AndriiGrytsenko/openssh-ldap-publi

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 21:10, Tom Storey wrote: Hey Tom, > Wouldn't that assume that you always access your REs inband, therefore > only ever connecting to the master? What if you access them out of > band via their ethernet ports. Each RE then needs its own unique key? I don't use on-band MGMT ethe

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Tom Storey
Thinking out loud. Wouldn't that assume that you always access your REs inband, therefore only ever connecting to the master? What if you access them out of band via their ethernet ports. Each RE then needs its own unique key? I mean, in theory they probably don't (is there anything to stop multipl

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 19:18, Tore Anderson wrote: Hey, > Speaking only for myself, I'd accept server key change only if it's a > device that is known to have been recently replaced/zeroized/etc. I'd > *never* accept a key changing without that being expected for some > reason known in advance. Dep

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Tore Anderson
* Saku Ytti > If you want to do this right today, the correct way is to extract > public key in secure manner (What is secure? OOB not really, but maybe > human on-site) and store them in your jump box for user-wide > consumption, and raise alarm if host keys have changed. So whoever is > physica

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Phil Shafer
Vincent Bernat writes: >On which attribute can SSH keys be served? Apologies. I shot my mouth off. JUNOS does not currently support this. And RADIUS, being cleartext, is not suitable. LDAP (w/ SSL) would be a better solution, using something like: https://github.com/AndriiGrytsenko/openss

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 16:53, Patrick Okui wrote: > I personally take an event that changes the host key the same as having a > new host (irrespective of platform). Usually those events have a human doing > the changes in the similar way that deploying a new one would. > > I therefore apply the same p

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Patrick Okui
On 5 Apr 2016, at 14:14 EAT, Saku Ytti wrote: On 5 April 2016 at 13:52, Richard Hartmann wrote: This still sounds as if your CMDB would need to detect that, raise a flag, and then push out new config after being updated; in case of planned maintenance, you could even add that info before the

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 14:32, Nathan Ward wrote: Hey, > I agree with you that putting these in the config is probably a solution - > though, backing them up to a RANCID server or whatever might not be ideal? > Not too sure, I’d have to think some more about this. I’d also be worried > about peopl

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 13:52, Richard Hartmann wrote: > This still sounds as if your CMDB would need to detect that, raise a > flag, and then push out new config after being updated; in case of > planned maintenance, you could even add that info before the swap. I don't think you can push secret key

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Richard Hartmann
Sorry, I assumed a dual-RE setup, not one where you physically swap the RE. This still sounds as if your CMDB would need to detect that, raise a flag, and then push out new config after being updated; in case of planned maintenance, you could even add that info before the swap. Richard

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 13:02, Richard Hartmann wrote: > Isn't a list of valid pubkeys enough? You can toss that into > known_hosts or your equivalent automagically and be done with it. But the keys change on the router when the RE is swapped. So you no longer know it's the same device you've connected

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Richard Hartmann
On Tue, Apr 5, 2016 at 11:45 AM, Saku Ytti wrote: > I wish we could make the compromise and have secret keys > stored in config, so that they would survive RE changes. Isn't a list of valid pubkeys enough? You can toss that into known_hosts or your equivalent automagically and be done with it.

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Saku Ytti
On 5 April 2016 at 05:23, Phil Shafer wrote: Hey Phil, > Me, I don't even like allowing passwords. JUNOS now supports the > "system services ssh no-passwords" knob to force the use of ssh > keys over text passwords. And your radius server will happily serve > ssh keys. Force the move away fro

Re: [j-nsp] protect ssh and telnet

2016-04-05 Thread Patrick Okui
On 5 Apr 2016, at 5:23 EAT, Phil Shafer wrote: > Aaron writes: >> I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces >> on my juniper ACX5048's. > > First comment is: if you want security, don't allow telnet. > Force the use of ssh. > > Me, I don't even like allowing passw

Re: [j-nsp] protect ssh and telnet

2016-04-04 Thread Vincent Bernat
❦ 4 April 2016 22:23 -0400, Phil Shafer: > Me, I don't even like allowing passwords. JUNOS now supports the > "system services ssh no-passwords" knob to force the use of ssh > keys over text passwords. And your radius server will happily serve > ssh keys. Force the move away from passwords.

Re: [j-nsp] protect ssh and telnet

2016-04-04 Thread Tim Jackson
Sadly, you guys messed up ACX5k lo0 filtering.. Even though it's a QFX5100/EX4600 inside.. -- Tim On Mon, Apr 4, 2016 at 9:23 PM, Phil Shafer wrote: > Aaron writes: >>I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces >>on my juniper ACX5048's. > > First comment is: if y

Re: [j-nsp] protect ssh and telnet

2016-04-04 Thread Phil Shafer
Aaron writes: >I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces >on my juniper ACX5048's. First comment is: if you want security, don't allow telnet. Force the use of ssh. Me, I don't even like allowing passwords. JUNOS now supports the "system services ssh no-password

[j-nsp] protect ssh and telnet

2016-04-01 Thread Aaron
I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces on my juniper ACX5048's. In Cisco you can protect the virtual interface (vty) with an acl (access-class) so that any remote login attempts (ssh or telnet) are protected. How do I protect ssh and telnet globally in Jun