Block Telnet and SSH Access on JUNIPER


If you want to restrict Telnet and SSH access to the router to a particular source IP block, this is the right topic for you. First, create the allow rule for the IP block and the ports. Here the allowed IP block is 192.168.1.0/24 and the allowed ports are ssh and telnet. The filter name is "Telnet_SSH_Access" and the term name is "Telnet_SSH_Allow".

#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Allow from address 192.168.1.0/24
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Allow from protocol tcp

#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Allow from port ssh
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Allow from port telnet
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Allow then accept

Now you need to create the block rule. Here I block all SSH and Telnet from any source outside the IP block 192.168.1.0/24. The filter name is the same, "Telnet_SSH_Access", and the term name is "Telnet_SSH_Block". With this configuration only the 192.168.1.0/24 network is allowed; no other IP can access this router.

#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Block from protocol tcp
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Block from port ssh
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Block from port telnet
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Block then log
#set firewall family inet filter Telnet_SSH_Access term Telnet_SSH_Block then reject

You also need to add another term that accepts the rest of the traffic; otherwise everything not matched by the first two terms would be dropped.

#set firewall family inet filter Telnet_SSH_Access term Default_Term then accept
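The following is an added example, not part of the original post: a small Python model of how Junos walks the Telnet_SSH_Access filter built above (first-match, top to bottom, with the implicit discard that ends every Junos filter). It shows why Default_Term is needed and what each constructed sample packet hits; the packet tuples and the port numbers (ssh = 22, telnet = 23) are assumptions for the model.

```python
"""Added example (not part of the original post): a model of how Junos walks
the Telnet_SSH_Access filter. Terms are tried top to bottom and the first
match wins; a packet matching no term hits the implicit discard at the end
of every Junos firewall filter, which is why Default_Term is required.
Packets below are constructed samples, not captures."""
import ipaddress

# The three terms exactly as built on the page. None means "any".
# A Junos 'from port' condition matches either the source or the
# destination port, so both are checked (ssh = 22, telnet = 23).
TELNET_SSH_ACCESS = [
    ("Telnet_SSH_Allow", {"address": ipaddress.ip_network("192.168.1.0/24"),
                          "protocol": "tcp", "port": {22, 23}}, "accept"),
    ("Telnet_SSH_Block", {"address": None, "protocol": "tcp",
                          "port": {22, 23}}, "reject"),  # also 'then log'
    ("Default_Term", {"address": None, "protocol": None, "port": None}, "accept"),
]

def term_matches(cond, src, proto, sport, dport):
    """Every 'from' condition present in the term must hold."""
    if cond["address"] is not None and ipaddress.ip_address(src) not in cond["address"]:
        return False
    if cond["protocol"] is not None and proto != cond["protocol"]:
        return False
    if cond["port"] is not None and sport not in cond["port"] and dport not in cond["port"]:
        return False
    return True

def evaluate(terms, src, proto, sport, dport):
    """Return (term name, action) of the first match, or the implicit discard."""
    for name, cond, action in terms:
        if term_matches(cond, src, proto, sport, dport):
            return name, action
    return "<implicit>", "discard"

# Constructed samples: (source IP, protocol, source port, destination port)
SAMPLES = [
    ("192.168.1.25", "tcp", 51000, 22),   # management host -> Telnet_SSH_Allow
    ("10.0.0.7", "tcp", 51000, 23),       # telnet from elsewhere -> logged, rejected
    ("10.0.0.7", "tcp", 51000, 443),      # not ssh/telnet -> Default_Term
    ("10.0.0.7", "udp", 51000, 22),       # udp/22 is not tcp -> Default_Term
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(TELNET_SSH_ACCESS, *pkt))
    # Drop Default_Term and all non-management traffic is silently discarded.
    print("without Default_Term:", evaluate(TELNET_SSH_ACCESS[:2], *SAMPLES[2]))
```

Note that because `from port` matches the source port as well, this filter also rejects TCP traffic that merely originates from port 22 or 23 on an outside host; use `destination-port` if only inbound management sessions should be matched.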

Finally, you need to apply this filter to an interface. Here I apply it to the loopback interface, because a filter applied to the loopback interface restricts traffic to the router itself arriving on all of its interfaces. Alternatively you can apply it to a specific interface: if you do not want to restrict Telnet and SSH on every interface but only on the WAN side, apply it to your WAN interface. But if you want to restrict router access from any outside or inside network, apply it to the loopback interface.

#set interfaces lo0 unit 0 family inet filter input Telnet_SSH_Access

Now confirm the configuration with the command "# show firewall family inet filter Telnet_SSH_Access" to check the firewall policy and make sure the permitted IP block is the right one, because if you are working remotely and the block is wrong, after the commit you will no longer be able to log in via Telnet or SSH. So always verify with the "show" command before committing.

# show firewall family inet filter Telnet_SSH_Access
term Telnet_SSH_Allow {
    from {
        address {
            192.168.1.0/24;
        }
        protocol tcp;
        port [ telnet ssh ];
    }
    then accept;
}
term Telnet_SSH_Block {
    from {
        protocol tcp;
        port [ telnet ssh ];
    }
    then {
        log;
        reject;
    }
}
term Default_Term {
    then accept;
}

Also check the loopback interface for final confirmation that the new filter is applied to it, with the command "show interfaces lo0":

# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input Telnet_SSH_Access;
        }
    }
}
