I recently noticed that Junos doesn’t set an idle timeout on CLI sessions for newly created user/administrator logins. It doesn’t set an idle timeout (by default) on the default root account either. While this wouldn’t be that much of a concern for most we place analog modems on the console ports of all our remote office Juniper SRX 210Hs. If an engineer or administrator forgets to logout of the console before hanging up with the modem we could have a big security problem. Someone could stumble across our device (by war dialing or accidentally) and they would find themselves logged into a Juniper SRX 210H with full administrator privileges.
Thankfully you can configure an idle timeout for CLI sessions in Junos.
We don’t use the default root account but instead create an admin account for the day to day management and configuration changes. Here are the steps we use to create that admin account;
set system login user admin full-name Administrator set system login user admin uid 100 set system login user admin class super-user set system login user admin authentication plain-text-password password
That leaves us with the following configuration;
user admin { full-name Administrator; uid 100; class super-user; authentication { encrypted-password "*****************************"; ## SECRET-DATA } }
Since the idle-timeout value is set per user class and we can’t modify the default super-user class we had to create a new class called super-user-local. After setting the idle-timeout and permissions we add the user admin to that user class.
set system login class super-user-local idle-timeout 10 set system login class super-user-local super-user-local permissions all set system login user admin class super-user-local
If we look at the configuration after those changes we should be able to see the new user class.
class super-user-local { idle-timeout 10; permissions all; } user admin { full-name Administrator; uid 100; class super-user-local; authentication { encrypted-password "********************************"; ## SECRET-DATA } }
And now lets test it…
[root@linux ~]# telnet vpn-testlab Trying 10.101.203.1... Connected to vpn-testlab (10.1.1.1). Escape character is '^]'. vpn-testlab (ttyp0) login: admin Password: --- JUNOS 10.4R9.2 built 2012-02-02 08:09:42 UTC admin@vpn-testlab> Warning: session will be closed in 5 minutes if there is no activity Warning: session will be closed in 1 minute if there is no activity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session Connection closed by foreign host.
With that change any CLI sessions that are idle for 10 minutes will be automatically logged out.
I mentioned creating a few screencasts so here’s my first “public” attempt. I’ve created a few private screencasts for my employer from time to time but nothing ever public. Have a look below, feel free to leave any feedback even constructive criticism is welcome. I know that I need to work on my microphone volume and settup. I don’t smoke but you’d never know that by listening to the video with my heaving breathing. Any if you decide to watch why not have a go at counting the number of uhms or ahs?
Cheers!