
JunOS Hardening

This page contains notes on securing a Juniper Junos device, based on the DISA STIG for Juniper Junos. Each item names the STIG finding it addresses and gives the Junos configuration command that remediates it.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

JUNP-1001 (NET0400) command used to set OSPF authentication

Related to DISA STIG NET0400 - Interior routing protocols are not authenticated.
OSPFv2 carries its own MD5 authentication (shown below). OSPFv3 (IPv6) has no authentication field of its own and instead relies on IPsec (3DES or AES) applied to the OSPFv3 interface with an ipsec-sa statement. Note that the key is stored in the Junos $9$ obfuscated form, which is reversible, not hashed, so the configuration file itself must be protected.

set protocols ospf area 0.0.0.0 interface em0.0 authentication md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN"


JUNP-1002 (NET-IPV6-059) command used to set the IPv6 hop limit advertised to hosts

Related to DISA STIG NET-IPV6-059 - Maximum hop limit is less than 32.
The check applies to the Current Hop Limit field in Router Advertisements, which Junos defaults to 64, so a finding only arises if it has been lowered. The statement to set it is current-hop-limit; max-advertisement-interval controls how often RAs are sent, not the hop limit.

set protocols router-advertisement interface em0.0 current-hop-limit 32


JUNP-1003 (NET-IPV6-034) command used to set uRPF

Related to DISA STIG NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter.
The routing-options statement below only selects the uRPF mode: active-paths (strict, the default) or feasible-paths. The check itself is enabled per logical interface with rpf-check under family inet6 (and family inet for IPv4). Use feasible-paths where routing is asymmetric and return traffic may arrive on a different interface, or legitimate traffic will be dropped.

set routing-options forwarding-table unicast-reverse-path active-paths


JUNP-1004 (NET-IPV6-025) command used to delete an IPv6 site-local address from an interface

Related to DISA STIG NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined.
Site-local unicast is the fec0::/10 prefix (deprecated by RFC 3879); ffc0::/10 lies inside the ff00::/8 multicast range and is not what this check is about. Delete whichever site-local address is actually configured, for example:

delete interfaces em0 unit 0 family inet6 address fec0::1/10


JUNP-1005 (NET0340) command used to display the banner before login.

Related to DISA STIG NET0340 - Login banner is non-existent or not DOD approved.
system login message is displayed before the password prompt; system login announcement is displayed only after a successful login and does not satisfy this check. Replace the placeholder text below with the approved DoD banner.

set system login message "test banner page"


JUNP-1006 (NET1647) command used to restrict SSH to protocol version 2.

Related to DISA STIG NET1647 - The network element must not allow SSH Version 1.
Setting protocol-version to v2 alone ensures v1 is not offered; a protocol-version list that still includes v1 fails the check.

set system services ssh protocol-version v2



JUNP-1007 (NET1646) command used to limit login attempts.

Related to DISA STIG NET1646 - SSH login attempts value is greater than 3.
tries-before-disconnect closes the connection after the given number of failed attempts; it does not by itself lock the account, which is what lockout-period under retry-options adds if required by policy.

set system login retry-options tries-before-disconnect 3


JUNP-1008 (NET0580) command used to enable authentication on the diagnostic port.

Related to DISA STIG NET0580 - Password required on the JUNOS diagnostic port.
plain-text-password prompts for the password interactively and stores only its hash; the plaintext never appears in the configuration.

set system diag-port-authentication plain-text-password


For auditing purposes, check that the system diag-port-authentication stanza contains an encrypted-password statement, as below:

system {
    diag-port-authentication {
        encrypted-password "$1$86g42opl$aoQ8ZkzJ6YvUryTq9YJWd/"; ## SECRET-DATA
    }
}

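The items above each describe what to look for in the configuration. The following Python script, added here as an example and not part of the original page or of any Juniper tooling, runs those checks offline over a "show configuration | display set" dump. The dump, the password hash and the MD5 key in it are constructed placeholders. Two points are the script's own assumptions rather than STIG text: a login message containing "test" is treated as a placeholder, and lo0 units are exempt from the rpf-check requirement. It goes beyond the single-interface commands on the page by checking every configured OSPF interface, router-advertisement interface and inet6 unit.

```python
"""Offline audit of a Junos 'show configuration | display set' dump against the
STIG items on this page. Added example; not from the original page or from Juniper."""
import ipaddress
import re
from typing import Dict, Iterator, List, Tuple

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")  # deprecated site-local unicast (RFC 3879)

# Constructed sample dump in 'display set' format; the hash and key are placeholders.
SAMPLE_CONFIG = """
set system login message "test banner page"
set system login retry-options tries-before-disconnect 3
set system services ssh protocol-version v2
set system diag-port-authentication encrypted-password "$1$placeholder$hash"
set interfaces em0 unit 0 family inet6 address fec0::1/10
set interfaces em0 unit 0 family inet6 address 2001:db8::1/64
set interfaces em1 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces em1 unit 0 family inet6 rpf-check
set routing-options forwarding-table unicast-reverse-path active-paths
set protocols router-advertisement interface em0.0 current-hop-limit 16
set protocols router-advertisement interface em1.0 max-advertisement-interval 32
set protocols ospf area 0.0.0.0 interface em0.0 authentication md5 1 key "$9$placeholder"
set protocols ospf area 0.0.0.0 interface em1.0
"""


def _statements(config_text: str) -> List[str]:
    """Return the statements of a 'display set' dump with the leading 'set ' stripped."""
    return [ln.strip()[4:] for ln in config_text.splitlines() if ln.strip().startswith("set ")]


def _matches(stmts: List[str], pattern: str) -> Iterator[re.Match]:
    """Yield a match for every statement that matches pattern (anchored at the start)."""
    rx = re.compile(pattern)
    for s in stmts:
        m = rx.match(s)
        if m:
            yield m


def audit(config_text: str) -> Dict[str, Tuple[bool, str]]:
    """Map each STIG ID to (passed, detail)."""
    st = _statements(config_text)
    res: Dict[str, Tuple[bool, str]] = {}

    # NET0400: every OSPFv2 interface needs MD5 authentication (OSPFv3 would need ipsec-sa).
    ospf, md5 = set(), set()
    for m in _matches(st, r"protocols ospf area (\S+) interface (\S+)(.*)"):
        ospf.add(m.group(2))
        if m.group(3).strip().startswith("authentication md5 "):
            md5.add(m.group(2))
    missing = sorted(ospf - md5)
    res["NET0400"] = (not missing, f"OSPF interfaces without MD5 authentication: {missing}")

    # NET-IPV6-059: advertised hop limit must be >= 32; no statement means the default of 64.
    low = [m.group(1) for m in _matches(
        st, r"protocols router-advertisement interface (\S+) current-hop-limit (\d+)$")
        if int(m.group(2)) < 32]
    res["NET-IPV6-059"] = (not low, f"RA interfaces advertising hop limit below 32: {low}")

    # NET-IPV6-034: uRPF is enabled per unit with rpf-check; lo0 is exempt here (assumption).
    v6_units, rpf_units = set(), set()
    for m in _matches(st, r"interfaces (\S+) unit (\S+) family inet6 (address|rpf-check)"):
        if m.group(1) == "lo0":
            continue
        (v6_units if m.group(3) == "address" else rpf_units).add(f"{m.group(1)}.{m.group(2)}")
    no_rpf = sorted(v6_units - rpf_units)
    mode = [m.group(1) for m in _matches(
        st, r"routing-options forwarding-table unicast-reverse-path (\S+)")]
    res["NET-IPV6-034"] = (not no_rpf, f"inet6 units without rpf-check: {no_rpf} "
                           f"(mode: {mode or ['active-paths (default)']})")

    # NET-IPV6-025: no configured address may fall inside fec0::/10.
    site_local = []
    for m in _matches(st, r"interfaces \S+ unit \S+ family inet6 address (\S+)$"):
        try:
            if ipaddress.IPv6Interface(m.group(1)).ip in SITE_LOCAL:
                site_local.append(m.group(1))
        except ValueError:
            pass
    res["NET-IPV6-025"] = (not site_local, f"site-local addresses configured: {site_local}")

    # NET0340: a pre-login message must exist; 'test' in it is treated as a placeholder (heuristic).
    banner = [m.group(1) for m in _matches(st, r'system login message "(.*)"$')]
    ok = bool(banner) and "test" not in banner[-1].lower()
    res["NET0340"] = (ok, f"login message: {(banner[-1] if banner else None)!r}")

    # NET1647: protocol-version must list v2 and must not list v1.
    versions = {m.group(1) for m in _matches(st, r"system services ssh protocol-version (\S+)$")}
    res["NET1647"] = ("v2" in versions and "v1" not in versions,
                      f"ssh protocol versions: {sorted(versions)}")

    # NET1646: tries-before-disconnect must be set and no greater than 3.
    tries = [int(m.group(1)) for m in _matches(
        st, r"system login retry-options tries-before-disconnect (\d+)$")]
    res["NET1646"] = (bool(tries) and tries[-1] <= 3,
                      f"tries-before-disconnect: {tries[-1] if tries else None}")

    # NET0580: the diagnostic port must carry a (hashed) password.
    diag = any(s.startswith("system diag-port-authentication encrypted-password ") for s in st)
    res["NET0580"] = (diag, "diag-port encrypted-password present" if diag else "diag port has no password")
    return res


if __name__ == "__main__":
    for stig_id, (passed, detail) in audit(SAMPLE_CONFIG).items():
        print(f"{stig_id:13} {'PASS' if passed else 'FAIL'}  {detail}")
```

To use it against a real device, save the output of "show configuration | display set" to a file and pass its contents to audit() in place of SAMPLE_CONFIG. The sample deliberately mixes passing and failing items: SSH, login retries and the diagnostic port pass, while the placeholder banner, the fec0:: address, the lowered hop limit on em0.0, the missing rpf-check on em0.0 and the unauthenticated OSPF interface em1.0 are reported as findings.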

JUNP-1009 (NET1645) command used to configure the session timeout.

Related to DISA STIG NET1645 - SSH session timeout is not 60 seconds or less.

set 

