6.10.7 Ensure Reverse Telnet is Not Set

Information

Cleartext Management Services should be disabled.

Rationale:

Telnet is a remote management protocol that allows users to connect to the command line of a JUNOS router or other device.

Because Telnet transmits all data (including passwords) in cleartext (unencrypted) over the network and provides no assurance of the identity of the hosts involved, it can allow an attacker to gain sensitive configuration, password and other data and is also vulnerable to session hijacking and injection attacks.

This makes Telnet and other unencrypted management applications completely unsuitable for managing network devices and Telnet should be disabled.

Reverse Telnet is a service that can be configured on JUNOS devices, allowing a user to connect via the auxiliary port to the CLI of another device by establishing a Telnet session, on port 2900/TCP by default. Because Telnet is used as the underlying protocol, Reverse Telnet is subject to the same risks and this service should be disabled.

Impact:

Ensure that alternate administrative access using a secure protocol such as SSH or Reverse SSH is provisioned and tested before removing this service in a production environment.

Solution

To disable Reverse Telnet access, issue the following command from the [edit system services] hierarchy:

[edit system services]
user@host# delete reverse telnet
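
As an added illustration (not part of the benchmark text), the following Python check audits a device's "show configuration | display set" output for this item and reports the statement that would need to be deleted. The sample configurations are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample "show configuration | display set" output (not from a real device).
NONCOMPLIANT_CONFIG = """\
set system services ssh
set system services reverse telnet port 2900
set system services netconf ssh
"""

# Same device after remediation: reverse access is provided over SSH only.
COMPLIANT_CONFIG = """\
set system services ssh
set system services reverse ssh port 2901
set system services netconf ssh
"""

# Matches the statement created by "set system services reverse telnet [port N]".
REVERSE_TELNET = re.compile(r"^set system services reverse telnet(?:\s+port\s+(\d+))?\s*$")


def find_reverse_telnet(display_set: str):
    """Return (line_number, port) for every reverse telnet statement.

    The port defaults to 2900 when the statement does not name one.
    """
    hits = []
    for number, raw in enumerate(display_set.splitlines(), start=1):
        match = REVERSE_TELNET.match(raw.strip())
        if match:
            port = int(match.group(1)) if match.group(1) else 2900
            hits.append((number, port))
    return hits


def audit_reverse_telnet(display_set: str) -> dict:
    """Evaluate item 6.10.7 and return a verdict with the remediation command."""
    hits = find_reverse_telnet(display_set)
    remediation = ["delete system services reverse telnet"] if hits else []
    return {"compliant": not hits, "findings": hits, "remediation": remediation}


if __name__ == "__main__":
    for name, config in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(name, audit_reverse_telnet(config))
```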

Default Value:

Reverse Telnet is disabled by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|IA-2(1), 800-53|SI-4, CSCv7|9.2, CSCv7|11.5

Plugin: Juniper

Control ID: 6fcaf62e4fd713246b1afaa8d6d815c74a6a6bb3bb827ce9b3407d3dcb8bc21a