Friday, November 29, 2013

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People coming from the Cisco world often wonder how to restrict SSH access to a Juniper EX switch to a few hosts or address ranges.

Here is how you do it:

Add an IP address to the loopback interface (the keyword is "interfaces", as in the apply step below)

set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Create a filter listing the allowed hosts or subnets

Term "SSH" permits SSH from the management source addresses

set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21
set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh
set firewall family inet filter RE_MANAGEMENT term SSH then accept

Term "SSH_BLOCK" discards SSH from any other IP address trying to reach the box

set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard

And then a permit-all term, so that all other traffic to the switch is still accepted (a Junos filter ends with an implicit discard, so without this term everything else would be dropped)

set firewall family inet filter RE_MANAGEMENT term default then accept

In the Juniper world, all control traffic (traffic destined to the switch itself) is processed through the loopback interface even when it arrives on any other interface of the switch, hence we apply the filter inbound on the lo0 interface.

set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT
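
To see how the three terms interact before committing, here is a small Python model of the filter's first-match evaluation; it is an added example, not Junos code or the post's own, and the protocol numbers, port 22 and the test addresses are assumptions. It also models the implicit discard at the end of a Junos filter and includes a pre-commit check that the admin hosts are still allowed in.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Terms are evaluated top to bottom; the first term whose "from" conditions all match wins.
# Junos ends every filter with an implicit "discard", hence the post's "default then accept".
PROTO = {"tcp": 6, "udp": 17, "ospf": 89}   # assumed IP protocol numbers


@dataclass
class Term:
    name: str
    action: str                                          # "accept" or "discard"
    source_address: List[str] = field(default_factory=list)  # prefixes; empty = any
    protocol: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, src: str, proto: int, dport: int) -> bool:
        if self.source_address and not any(
                ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in self.source_address):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.destination_port is not None and dport != self.destination_port:
            return False
        return True


def evaluate(terms, src, proto, dport):
    """Return (term_name, action) of the first matching term, else the implicit discard."""
    for t in terms:
        if t.matches(src, proto, dport):
            return t.name, t.action
    return "<implicit>", "discard"


# The three terms exactly as configured in the post (destination-port ssh == 22).
RE_MANAGEMENT = [
    Term("SSH", "accept", source_address=["10.80.0.0/21"], protocol=PROTO["tcp"], destination_port=22),
    Term("SSH_BLOCK", "discard", protocol=PROTO["tcp"], destination_port=22),
    Term("default", "accept"),
]


def lockout_check(terms, admin_hosts):
    """Pre-commit sanity check: return the admin hosts that would no longer reach SSH."""
    return [h for h in admin_hosts if evaluate(terms, h, PROTO["tcp"], 22)[1] != "accept"]


if __name__ == "__main__":
    for src, proto, dport in [("10.80.3.7", 6, 22), ("203.0.113.9", 6, 22), ("203.0.113.9", 89, 0)]:
        print(src, proto, dport, "->", evaluate(RE_MANAGEMENT, src, proto, dport))
    print("without default term:", evaluate(RE_MANAGEMENT[:2], "203.0.113.9", 89, 0))
    print("locked out:", lockout_check(RE_MANAGEMENT, ["10.80.3.7", "198.51.100.4"]))
```

On the switch itself, `commit confirmed` gives the same safety net: the change rolls back automatically if you cannot SSH back in to confirm it.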

You can see the counters using the command below:

show firewall filter RE_MANAGEMENT    

Filter: RE_MANAGEMENT                                          
Counters:
Name                                                Bytes              Packets
allow.ssh                                           38023                  370
discard.ssh                                             0                    0

And that's it!! You're done, and your switch's SSH access is now protected.
