InformationPrevent remote access to the Root user account on the device.
During normal operation, remote access to the Root user should not be required.
Because the Root user account has full access to the router and underlying BSD OS it is an extremely valuable target for attackers and must be protected from remote exploitation.
By disabling remote access to the Root user account we ensure that physical access to the console port is required in order to gain this level of access.
Root access only needs to be disabled for SSH connections, as it is never allowed over a Telnet or other remote access session.
SolutionTo disable remote access to the Root account issue the following command from the [edit system services ssh] hierarchy:
[edit system services ssh]
[email protected]#set root-login deny
By default, if SSH is enabled, remote login with the Root account is permitted.