6.10.1.5 Ensure Remote Root-Login is denied via SSH

Information

Prevent remote access to the Root user account on the device.

Rationale:

During normal operation, remote access to the root user should not be required; routine administration should be performed with individual, named user accounts.

Because the root account has full access to the router's configuration and to the FreeBSD-based operating system underneath Junos, it is an extremely valuable target for attackers and must be protected from remote exploitation.

Denying root login over SSH means an attacker cannot authenticate directly as root from the network. Obtaining root then requires access to the console port, or first authenticating as a named, less-privileged user and escalating from that session, which leaves an attributable login record.

The setting only needs to be applied to SSH. Junos does not permit root login over Telnet at all, so there is no equivalent Telnet setting to configure.

Solution

To disable remote access to the Root account issue the following command from the [edit system services ssh] hierarchy:

[edit system services ssh]
user@host# set root-login deny
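Most operators verify this control by reviewing a saved configuration rather than by logging in to each box. The following Python audit is an added example for this page; it is not part of the CIS benchmark or of Junos. It accepts either the curly-brace hierarchy printed by show configuration or the flat form from show configuration | display set, treats statements marked inactive (or removed with deactivate) as not in effect, and applies the default noted below (an absent root-login statement means allow). The sample configurations inside it are constructed. It also reports the real Junos option deny-password as non-compliant, because that still permits remote root login with an SSH key.

```python
"""Offline audit for CIS Junos 6.10.1.5: 'system services ssh root-login' must be 'deny'.

Added example, not benchmark or Junos code. Accepts the curly-brace hierarchy from
'show configuration' or the flat 'show configuration | display set' form.
All sample configurations below are constructed for illustration.
"""
import re

# Constructed sample 1: SSH enabled, root-login statement absent (Junos default applies).
SAMPLE_DEFAULT = """\
## Last commit: constructed sample
system {
    services {
        ssh {
            protocol-version v2;
        }
    }
}
"""

# Constructed sample 2: the remediated state, in 'display set' form.
SAMPLE_FIXED = """\
set system services ssh protocol-version v2
set system services ssh root-login deny
"""

# Constructed sample 3: statement present but marked inactive, so not in effect.
SAMPLE_INACTIVE = """\
system {
    services {
        ssh {
            inactive: root-login deny;
        }
    }
}
"""

# Constructed sample 4: statement set and then deactivated ('display set' form).
SAMPLE_DEACTIVATED = """\
set system services ssh root-login deny
deactivate system services ssh root-login
"""


def _clean(line):
    """Drop /* annotations */ and '##' comment lines, then trim whitespace."""
    line = re.sub(r"/\*.*?\*/", "", line).strip()
    return "" if line.startswith("#") else line


def _path(stack):
    """Tokens of the open blocks, e.g. ['system', 'services', 'ssh'] -> tuple of tokens."""
    return tuple(tok for name in stack for tok in name.split())


def flatten(config_text):
    """Yield each statement as a tuple of tokens, e.g.
    ('system', 'services', 'ssh', 'root-login', 'deny').
    'set ...' lines are split directly; brace-format lines are tracked with a stack.
    Anything that is not in effect ('deactivate ...' lines, or 'inactive:' leaves and
    blocks) is yielded as ('deactivate', ...path) so the caller can filter it out."""
    stack = []
    for raw in config_text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line.startswith("set "):
            yield tuple(line.split()[1:])
            continue
        if line.startswith("deactivate "):
            yield tuple(line.split())
            continue
        inactive = line.startswith("inactive:")
        if inactive:
            line = line[len("inactive:"):].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if inactive:
                yield ("deactivate",) + _path(stack)
        elif line == "}":
            if stack:
                stack.pop()
        elif line.endswith(";"):
            stmt = _path(stack) + tuple(line[:-1].split())
            if inactive:
                yield ("deactivate",) + stmt
            yield stmt


def audit_ssh_root_login(config_text):
    """Return the effective root-login value and the verdict for this control.
    Absent statement -> 'allow' (the Junos default). 'deny-password' (key-only root
    login, a real Junos option) still permits remote root and therefore fails."""
    stmts = list(flatten(config_text))
    deactivated = [s[1:] for s in stmts if s[0] == "deactivate"]

    def in_effect(path):
        return not any(path[:len(d)] == d for d in deactivated)

    active = [s for s in stmts if s[0] != "deactivate" and in_effect(s)]
    ssh = ("system", "services", "ssh")
    ssh_enabled = in_effect(ssh) and any(s[:3] == ssh for s in stmts if s[0] != "deactivate")
    value = "allow"
    for s in active:
        if s[:4] == ssh + ("root-login",) and len(s) == 5:
            value = s[4]
    return {"ssh_enabled": ssh_enabled, "root_login": value, "compliant": value == "deny"}


if __name__ == "__main__":
    for name, cfg in [("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED),
                      ("inactive", SAMPLE_INACTIVE), ("deactivated", SAMPLE_DEACTIVATED)]:
        print(name, audit_ssh_root_login(cfg))
```

Feed it a capture of show configuration or show configuration | display set. On devices that use configuration groups, capture with show configuration | display inheritance so inherited statements appear explicitly, otherwise a root-login statement applied through a group will be missed. After applying the remediation above, commit the change and confirm it with show configuration system services ssh from operational mode.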

Default Value:

By default, if SSH is enabled, root-login is set to allow, so remote login with the root account is permitted until this setting is changed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2, 800-53|IA-2(1), CSCv7|4, CSCv7|11.5

Plugin: Juniper

Control ID: 25caff0d92bb28d3a43c97f3798431b8721d339820362cc09e75aab35e0d3991