How to Configure Juniper EX Switch for Anti-Bruteforcing
Tags: juniper, juniper-ex
How can I configure to secure my switch from brute force attacks via ssh? Can I configure something like Fail2ban?
Best Answer
Ideally you want to use SSH Key-based authentication and move away from user-based as much as possible, but in areas where I need to use username and password logging, I tend to standardise on the following:
This gives you three guesses at the password, but after the 2nd wrong attempt, it will make you wait 10 seconds before having a third go.
This also stops the root account from being able to log in remotely (instead you can escalate to root via su in the shell later).

Be very careful with set system login retry-options lockout-period - it does not work per IP as fail2ban does, but instead works by username (which is pretty disappointing for a security feature). This means if someone bruteforces your legitimate username, they will lock your account out continuously and you will be unable to log into your own device.

This raises a final point, which is to make your network infrastructure username unique, e.g. not your email address prefix, and not generic accounts such as admin.
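The Junos set-commands below are an added example that matches the behaviour the answer describes (three password attempts, a 10-second delay after the second failure, no remote root, key-based login, and a source-restricting filter as the closest thing to fail2ban's per-IP blocking). They are not the answerer's own configuration. The username netops-a7k3, the prefix 192.0.2.0/24, the filter and prefix-list names, and the key text are constructed placeholders.

```junos
## Added example, not the original answer's configuration. Names, prefixes
## and the key string are placeholders; adjust them before committing.

## 1. Throttle password guessing per SSH session: disconnect after 3 tries,
##    and after the 2nd failure make the client wait 10 seconds.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10

## 2. Deliberately left commented out. lockout-period locks the USERNAME,
##    not the source IP, so anyone who learns your real username can keep
##    your own account locked out. If you enable it, keep it short and
##    know how to clear it (see usage note below).
## set system login retry-options lockout-period 5

## 3. No remote root. Log in as a named user and, if root is really
##    needed, escalate with "start shell" followed by "su".
set system services ssh root-login deny
set system services ssh protocol-version v2

## 4. Key-based login for a device-specific, non-guessable username
##    (not "admin", not your email prefix). Key text is a placeholder.
set system login user netops-a7k3 class super-user
set system login user netops-a7k3 authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER netops-a7k3@jumphost"

## 5. The per-source control fail2ban would give you, done statically:
##    only management hosts may reach TCP/22 on the Routing Engine at all,
##    every other SSH attempt is logged and discarded before it reaches sshd.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-from-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then log
set firewall family inet filter PROTECT-RE term ssh-other then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Apply this with "commit confirmed" so a mistake in the lo0 filter (for example, a management prefix you forgot) rolls back automatically instead of locking you out of the switch. If you do choose to enable lockout-period, the operational commands "show system login lockout" and "clear system login lockout user netops-a7k3" are how you see and clear a locked account, which only helps if you still have console or out-of-band access when the attacker is keeping the account locked.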