3. ssh rate-limit?

ssh rate-limit?

There's a KB for that:

https://www.juniper.net/documentation/en_US/junos11.4/topics/task/configuration/ssh-services-configuring.html

"Configuring SSH Service for Remote Access to the Router or Switch

To configure the router or switch to accept SSH as an access service, include the ssh statement at the [edit system services] hierarchy level:

[edit system services] ssh { ciphers [ cipher-1 cipher-2 cipher-3 ...] client-alive-count-max number; client-alive-interval seconds; connection-limit limit; hostkey-algorithm <algorithm | no-algorithm>; key-exchange algorithm; macs algorithm; max-sessions-per-connection number; no-tcp-forwarding; protocol-version [v1 v2] ; rate-limit limit; root-login <allow | deny | deny-password>; } By default, the router or switch supports a limited number of simultaneous SSH sessions and connection attempts per minute. Use the following statements to change the defaults:

connection-limit limit—Maximum number of simultaneous connections per protocol (IPV4 and IPv6). The range is a value from 1 through 250. The default is 75. When you configure a connection limit, the limit is applicable to the number of SSH sessions per protocol (IPv4 and IPv6). For example, a connection limit of 10 allows 10 IPv6 SSH sessions and 10 IPv4 SSH sessions. max-sessions-per-connection number—Include this statement to specify the maximum number of SSH sessions allowed per single SSH connection. This allows you to limit the number of cloned sessions tunneled within a single SSH connection. The default value is 10. rate-limit limit—Maximum number of connection attempts accepted per minute (a value from 1 through 250). The default is 150. When you configure a rate limit, the limit is applicable to the number of connection attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 SSH session connection attempts per minute and 10 IPv4 SSH session connection attempts per minute. For information about other configuration settings, see the following topics:

Configuring the Root Login Through SSH Configuring the SSH Protocol Version Configuring the Client Alive Mechanism Configuring the Root Login Through SSH

By default, users are allowed to log in to the router or switch as root through SSH. To control user access through SSH, include the root-login statement at the [edit systems services ssh] hierarchy level:

[edit system services ssh] root-login (allow | deny | deny-password); allow—Allows users to log in to the router or switch as root through SSH. The default is allow.

deny—Disables users from logging in to the router or switch as root through SSH.

deny-password—Allows users to log in to the router or switch as root through SSH when the authentication method (for example, RSA) does not require a password.

Configuring the SSH Protocol Version

By default, both version 1 and version 2 of the SSH protocol are enabled. To configure the router or switch to use only version 1 of the SSH protocol, include the protocol-version statement and specify v1 at the [edit system services ssh] hierarchy level:

[edit system services ssh] protocol-version [ v1 ]; To configure the router or switch to use only version 2 of the SSH protocol, include the protocol-version statement and specify v2 at the [edit system services ssh] hierarchy level:

[edit system services ssh] protocol-version [ v2 ]; To explicitly configure the router or switch to use version 1 and 2 of the SSH protocol, include the protocol-version statement and specify v1 and v2 at the [edit system services ssh] hierarchy level:

[edit system services ssh] protocol-version [ v1 v2 ]; For J Series Services Routers, the export license software supports SSH version 1 only.

Configuring the Client Alive Mechanism

The client alive mechanism is valuable when the client or server depends on knowing when a connection has become inactive. It differs from the standard keepalive mechanism because the client alive messages are sent through the encrypted channel. The client alive mechanism is not enabled at default. To enable it, configure the client-alive-count-max and the client-alive-interval. This option applies to SSH protocol version 2 only.

In the following example, unresponsive SSH clients will be disconnected after approximately 100 seconds (20 x 5).

[edit system services ssh] client-alive-count-max 5; client-alive-interval 20; Published: 2012-05-01"

/r/Juniper Thread
Previous
Next

Recently removed from /r/Juniper

EX VLAN routing question Firewall Filter - SRX300

More Random Comments

What opinion on Filipino Evangelicals / Born Again Christians will have you like this? I’m making a list counting the most culturally relevant and influential film of every year. Any suggestions? i need support please URGENT East Texas Biden Issues First Veto to Protect Socially Conscious Investing [Trending] Weibo Night 2022 Announces Popularity Award Winners for Each Category Tourist Visa Extension Fees. Is this unclear, or am I just stupid? Do I have to worry about licensing or trademarks or anything if I want to sell paintings of fictional characters? "Millions are dead in Iraq. We actually fought in your damn wars. You sent us to hurt civilians." Army Veteran confronts Biden. Luke Prokop statement on NHL pride night controversies lately MDMA, psilocybin treatments tipped to cost at least $25,000: Winners don't use drugs, they just sell them. Is it me, or is there too many financial advisors and property agents around? How are young Australians going to afford housing? Thoughts on the recent video by Eliot Sang? What are people pretending isn't a problem?