Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Best Practices for hardening ScreenOS

0

0
Article ID: KB29016 KB Last Updated: 25 Jan 2021Version: 5.0 Summary:

This article describes ways to harden ScreenOS management.

Symptoms:

The goal is to provide recommendations for securing ScreenOS against attacks.

Solution:

Implement the recommendations below to help secure ScreenOS against attacks.

Change the default username and password.

  • Username

Command:

set admin name <name>

Example: 

set admin name a$df@d

  • Password

Command:

set admin password <plain-text password>

Example:

set admin password abcdefgh123

Disable root user login except by direct console

  • Device-wide
  • This limits the root user to only be able to log in via the console port of the device.  All other users can log in to configured services.

Command:

set admin root access console

Enable manager-ip.

  • Device-wide.
  • This limits the IP addresses that are allowed to manage the device. All other management requests are silently dropped.

Command:

set admin manager-ip <ip> <mask>

Example:

set admin manager-ip 10.1.1.30 255.255.255.255

Enable manage-ip.

  • Per interface.
  • This allows management requests to an IP address that is different from the physical IP.

Command:

set interface <interface> manage-ip <ip>

Example:

set interface ethernet0/0 manage-ip 10.1.1.5

Disable the physical interface management.

  • Per interface.
  • This allows managements to be accepted only for requests that are sent the manage-ip (see above).

Command:

unset interface <interface> manageable

Example:

unset interface ethernet0/0 manageable

Disable unused services.

  • Per interface.
  • This permits only the defined services to respond on the interface. Services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
  • Recommendation: Permit secure protocols only on management/trusted interfaces (ssl, ssh).

Command:

unset interface <interface> manage
set interface <interface> manage <service>

Example:

unset interface ethernet0/0 manage
set interface ethernet0/0 manage ssh

Change default management port numbers.

  • Device-wide.
  • SSH:

Command:

set admin ssh port <1024-32767>

Example:

set admin ssh port 1024

  • HTTPS:

Command:

set ssl port <1024-32767>

Example:

set ssl port 1026

Modification History:
2020-09-22: Removed telnet and http, as those are non-secure management.
2021-01-21: Content reviewed for accuracy, minor non technical changes.

 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search