How to Configure Juniper EX Switch for Anti-Bruteforcing

Tags: juniper, juniper-ex

How can I configure to secure my switch from brute force attacks via ssh? Can I configure something like Fail2ban?

Best Answer

Ideally you want to use SSH Key-based authentication and move away from user-based as much as possible, but in areas where I need to use username and password logging, I tend to standardise on the following:

set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10
set system login retry-options tries-before-disconnect 3
set system ssh root-login deny
set system ssh protocol-version v2
set system ssh max-sessions-per-connection 1
set system ssh client-alive-interval 30

This gives you three guesses at the password, but after the 2nd wrong attempt, it will make you wait 10 seconds before having a third go.

This also stops the root account from being able to log in remotely (instead you can escalate to root via su in the shell later).

Be very careful with set system login retry-options lockout-period - it does not work per IP as fail2ban does, but instead works by username (which is pretty disappointing for a security feature).

This means if someone bruteforces your legitimate username, they will lock your account out continuously and you will be unable to log into your own device.

This raises a final point, which is to make your network infrastructure username unique, e.g. not your email address prefix, and not generic accounts such as admin.
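As an added example (not part of the answer and not Juniper code), the following script audits a Junos set-style configuration against the baseline given above and warns when lockout-period is present, since it locks by username rather than source IP; the sample configuration is constructed and deliberately deviates from the baseline in two places.

```python
import re

# Constructed sample Junos "set"-style configuration to audit (two deliberate
# deviations from the answer's baseline: root-login allow, lockout-period set).
SAMPLE_CONFIG = """\
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10
set system login retry-options tries-before-disconnect 3
set system login retry-options lockout-period 10
set system ssh root-login allow
set system ssh protocol-version v2
set system ssh max-sessions-per-connection 1
set system ssh client-alive-interval 30
"""

# Baseline from the answer: statement path -> (comparison, value). The direction
# is chosen so that a value stricter than the baseline still passes.
BASELINE = {
    "system login retry-options backoff-threshold": ("<=", 2),
    "system login retry-options backoff-factor": (">=", 10),
    "system login retry-options tries-before-disconnect": ("<=", 3),
    "system ssh root-login": ("==", "deny"),
    "system ssh protocol-version": ("==", "v2"),
    "system ssh max-sessions-per-connection": ("<=", 1),
    "system ssh client-alive-interval": ("<=", 30),
}
LOCKOUT = "system login retry-options lockout-period"

def parse_set_config(text):
    """Map each 'set <path> <value>' line to {path: value}; skips blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^set\s+(.+)\s+(\S+)$", line.strip())
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1)] = m.group(2)
    return cfg

def _meets(op, got, want):
    """Compare a configured value with the baseline; a non-number where one is expected fails."""
    if isinstance(want, int):
        if not got.isdigit():
            return False
        got = int(got)
    return {"==": got == want, "<=": got <= want, ">=": got >= want}[op]

def audit(text):
    """Return MISSING/WEAK/WARN findings; an empty list means the baseline is met."""
    cfg = parse_set_config(text)
    findings = []
    for path, (op, want) in BASELINE.items():
        got = cfg.get(path)
        if got is None:
            findings.append(f"MISSING: set {path} {want}")
        elif not _meets(op, got, want):
            findings.append(f"WEAK: set {path} {got} (want {op} {want})")
    if LOCKOUT in cfg:  # per-username lockout lets a guesser lock out the real admin
        findings.append(f"WARN: set {LOCKOUT} {cfg[LOCKOUT]} locks accounts per username, not per source IP")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the deviations; feed it the output of `show configuration | display set` to check a live device.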