Saturday 26 December 2020

Best Security Practices for Remote Access (Secure Shell) in Cisco and Juniper Devices


1. Remote access should be via SSH only, and telnet should be disabled.
IOS-XR:
no telnet ipv4 server

Nexus OS:
no feature telnet
feature ssh
feature tacacs+

JunOS:
delete system services telnet

 

2. SSH should be version 2 or higher. Do not run v1.
IOS-XR:
ssh server v2
ssh server vrf management

Nexus OS:
ssh server v2
ssh server vrf management
ssh timeout 60

JunOS:
set system services ssh protocol-version v2

3. Configure SSH logging

IOS-XR:
ssh server logging

4. Configure Login Banner

IOS-XR:
banner login ^C

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

*************************************************************************

^C

Nexus OS:

banner motd ^

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

*************************************************************************


^

JunOS:

set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this\ndevice. Unauthorized attempts and actions to access or use this system may\nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"

5. Configure timestamps, login authentication, exec and session timeouts, SSH-only transport input, an ACL that permits only authorized source IPs, and a local secret password for use when the TACACS/RADIUS servers are unreachable.

IOS-XR:

line default
 secret 5 $1$dAr.$win1P9yOuG1CSvO6v8tAL4
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 session-timeout 5
 transport input ssh
 

ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log

Nexus OS:
interface mgmt0
  ip access-group SSH-ACCESS in
  vrf member management
  ip address 192.168.10.100/24

ip access-list SSH-ACCESS
  10 permit tcp 192.168.1.100/32 any eq 22
  20 permit tcp 192.168.1.101/32 any eq 22
  30 deny ip any any log

line vty
  exec-timeout 5
  access-class SSH-ACCESS in

6. SSH inactivity timeout should be configured
IOS-XR:
ssh timeout 60

7. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS/RADIUS servers.

IOS-XR:
aaa authorization exec default group TACACS group tacacs+ none
aaa authorization commands default group TACACS group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group TACACS group tacacs+ local

aaa group server tacacs+ TACACS
 vrf management
 server-private 192.168.1.111 port 49
  key 7 143413081E1E0B203F3F213A

Nexus OS:

aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs

tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 192.168.1.111 key 7 "enc_ryptedkey"
tacacs+ commit

JunOS:

set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set system tacplus-server 192.168.1.111 secret "$9$Gq.5WLGi.56/veLHvYJZjkmTGDLN4oWLXV"
set system tacplus-server 192.168.1.111 timeout 30
set system tacplus-server 192.168.1.111 single-connection
set system tacplus-server 192.168.1.111 source-address 192.168.1.2

set system accounting destination tacplus server 192.168.1.111 secret "$9$-4dHm8XUGiqPQT/9M8Xxb2Z2aZGi.mT"
set system accounting destination tacplus server 192.168.1.111 single-connection
set system accounting destination tacplus server 192.168.1.111 source-address 192.168.1.2

For more information on TACACS+/AAA configuration, refer to: https://mynetworkbio.blogspot.com/2019/08/tacacs-aaa-configuration-in-juniper-and.html

8. Configure control-plane management for SSH if possible

IOS-XR:

control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.168.1.100
     address ipv4 192.168.1.101


JunOS:

set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then count SSH
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept

set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
set policy-options prefix-list ALLOWED-IP 192.168.1.101/32
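As an added example (not part of the original post), a small Python audit that checks an IOS-XR running-config excerpt against controls 1, 2, 3, 5 and 6 above. The sample config, check names and the helper names are constructed here; the regexes assume the IOS-XR command syntax shown in this post.

```python
import re

# Constructed IOS-XR running-config excerpt (not captured from a real device).
# Note: telnet is still enabled here, so control 1 should fail.
SAMPLE_IOS_XR = """\
telnet ipv4 server max-servers 5
ssh server v2
ssh server vrf management
ssh timeout 60
ssh server logging
line default
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 transport input ssh
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 30 deny ipv4 any any log
"""

# (control number from the post, description, mode, regex)
# 'present': the pattern must appear; 'absent': the pattern must not appear.
# IOS-XR only shows the telnet server when it is enabled, so for control 1
# the correct test is the absence of a "telnet ipv4 server" line.
IOS_XR_CHECKS = [
    ("1", "telnet server disabled", "absent", r"^telnet ipv4 server"),
    ("2", "SSH v2 only", "present", r"^ssh server v2$"),
    ("3", "SSH logging enabled", "present", r"^ssh server logging$"),
    ("5", "exec-timeout set on line default", "present", r"^\s+exec-timeout \d+ \d+$"),
    ("5", "ingress access-class on line default", "present", r"^\s+access-class ingress \S+$"),
    ("5", "transport input ssh only", "present", r"^\s+transport input ssh$"),
    ("6", "SSH inactivity timeout", "present", r"^ssh timeout \d+$"),
]

def audit(config, checks=IOS_XR_CHECKS):
    """Return {"<control>: <description>": True/False} for each check."""
    results = {}
    for ctrl, desc, mode, pattern in checks:
        matched = re.search(pattern, config, re.MULTILINE) is not None
        results[f"{ctrl}: {desc}"] = matched if mode == "present" else not matched
    return results

def failures(config, checks=IOS_XR_CHECKS):
    """List the checks that did not pass, in check order."""
    return [name for name, ok in audit(config, checks).items() if not ok]

def referenced_acl_defined(config):
    """The ACL named in 'access-class ingress' must actually be defined."""
    m = re.search(r"^\s+access-class ingress (\S+)$", config, re.MULTILINE)
    return bool(m) and re.search(rf"^ipv4 access-list {re.escape(m.group(1))}$", config, re.MULTILINE) is not None

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_IOS_XR).items():
        print("PASS" if ok else "FAIL", name)
    print("ACL defined:", referenced_acl_defined(SAMPLE_IOS_XR))
```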
