
NS-5GT JUNIPER


maczen (Instructor), Apr 12, 2008
Hello Guys -
New to Juniper and have a quick question...

All ports on my NS-5GT Wireless are stealthed on the untrusted (Internet) zone except for one: port 22 (SSH) is showing up as closed when I perform a ShieldsUP scan.

How do I stealth that port as well?
------------------------------------

I am including my config file... Please let me know if you see anything else that stands out as well... Anything security related that I should tinker with... Thanks

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "nunya"
set admin password "nonnononnnnonnonno/nono"
set admin mail alert
set admin mail server-name "smtp.some.email.com"
set admin mail mail-addr1 "someone.elses.email.com"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin auth banner telnet login "Authorized access only. Violators will be prosecuted to the fullest extent of the law."
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Wzone1" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "Wzone1" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "wireless1" zone "Wzone1"
set interface "wireless2" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip x.x.x.x/xx
set interface trust nat
set interface wireless2 ip x.x.x.x/xx
set interface wireless2 nat
set interface untrust ip x.x.x.x/xx
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface wireless2 ip manageable
set interface untrust ip manageable
set interface trust manage mtrace
set interface untrust dhcp client enable
set interface trust dhcp server service
set interface wireless2 dhcp server service
set interface trust dhcp server auto
set interface wireless2 dhcp server auto
set interface trust dhcp server option dns1 x.x.x.x
set interface trust dhcp server option dns2 x.x.x.x
set interface wireless2 dhcp server option dns1 x.x.x.x
set interface wireless2 dhcp server option dns2 x.x.x.x
set interface trust dhcp server ip x.x.x.x to x.x.x.x
set interface wireless2 dhcp server ip x.x.x.x to x.x.x.x
unset interface trust dhcp server config next-server-ip
unset interface wireless2 dhcp server config next-server-ip
set flow tcp-mss
unset flow tcp-syn-check

set webauth banner success "Authorized access only. Violators will be prosecuted to the fullest extent of the law."
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set attack db sigpack base
set attack db mode Update
set attack db schedule daily x:x
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set wlan channel auto
set wlan acl xxxxx allow
set ssid name xxxxxxxx
set ssid xxxxxxxx authentication wpa-psk passphrase xxxxxxxxxxxxxxx== encryption aes
set ssid xxxxxxxx interface wireless2
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

B Haines
CCNA R&S, ETA FOI
 
Well, does anyone see any security concerns with this setup?

B Haines
CCNA R&S, ETA FOI
 
Run

unset interface untrust ip manageable

and the port should disappear as well.


(There should be no reason to leave your management port open on the Internet, unless you combine this setting with providing manager-ip entries.)



---------------------------------------------------------------------
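The reply above points at the one line in the posted config that exposes management on the Untrust side. As an added example (not code from the thread or from Juniper), the script below audits a ScreenOS config dump for that pattern: an interface bound to the "Untrust" zone that is marked `ip manageable` while `set admin manager-ip` is absent, with `set ssh enable` / `set scp enable` noted as the services that would be reachable. The config excerpt is constructed to mirror the posted config.

```python
"""Added example: audit a ScreenOS config dump for management services
reachable on an Untrust-zone interface. Not code from the thread."""
import re

# Constructed excerpt modelled on the posted config: the untrust interface
# is marked manageable, SSH/SCP are enabled and no manager-ip is configured.
SAMPLE_CONFIG = """\
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip manageable
set interface untrust ip manageable
set ssh version v2
set ssh enable
set scp enable
"""

# Matches: set interface "untrust" zone "Untrust"  (quotes optional on name)
ZONE_RE = re.compile(r'^set interface "?([^"\s]+)"? zone "([^"]+)"$')


def parse_config(text):
    """Return the non-empty, whitespace-stripped lines of a config dump."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def untrust_interfaces(lines):
    """Names of interfaces bound to the Untrust zone, e.g. {'untrust'}."""
    names = set()
    for ln in lines:
        m = ZONE_RE.match(ln)
        if m and m.group(2) == "Untrust":
            names.add(m.group(1))
    return names


def audit_management(text):
    """Return (findings, fixes): findings describe management exposed on
    Untrust without a manager-ip restriction; fixes are the ScreenOS
    commands that remove the exposure, as suggested in the thread."""
    lines = parse_config(text)
    restricted = any(ln.startswith("set admin manager-ip ") for ln in lines)
    findings, fixes = [], []
    for iface in sorted(untrust_interfaces(lines)):
        if f"set interface {iface} ip manageable" not in lines:
            continue  # management is not bound to this interface's IP
        services = [s for s in ("ssh", "scp") if f"set {s} enable" in lines]
        if not restricted:
            findings.append(f"{iface}: ip manageable on Untrust with no "
                            f"manager-ip; enabled: {', '.join(services)}")
        fixes.append(f"unset interface {iface} ip manageable")
    return findings, fixes


if __name__ == "__main__":
    for item in audit_management(SAMPLE_CONFIG):
        print(item)
```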
 
Thanks a million!

B Haines
CCNA R&S, ETA FOI
 