6.4.2 Ensure Diagnostic Port Authentication uses a complex password

Information

A complex password should be used to protect access to the router's Diagnostic Port(s).

Rationale:

Due to the sensitivity of the router's Diagnostic Port(s), a complex password should be employed to help prevent attackers from using brute-force or dictionary attacks to gain access through these ports.

Passwords are stored automatically by JUNOS as an MD5 hash in the configuration under the [edit system diag-port-authentication] hierarchy.

A complex password should be employed which meets or exceeds the following requirements:

Does not contain dictionary words, names, dates, phone numbers or addresses.

Is at least 8 characters in length (longer is recommended).

Contains at least one each of upper & lower case letters, numbers and special characters.

Avoids more than 4 digits or same case letters in a row.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure a password for the diagnostic ports using one of the following commands under the [edit system] hierarchy. To enter a new password in plain text:

[edit system]
user@host# set diag-port-authentication plain-text-password

You will be prompted to enter the new password, which JUNOS will then hash with MD5 before placing the command in the candidate configuration. To enter an existing password hash that you have taken from an existing configuration file, type the following:

[edit system]
user@host# set diag-port-authentication encrypted-password '<MD5 Hash>'
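The following is an added example (not part of the CIS benchmark, the Nessus audit, or Juniper's own tooling) that does two things a reviewer of this control typically wants: it checks a candidate password against the four complexity requirements listed above (length, character classes, runs of digits or same-case letters, dictionary words), and it checks whether a JUNOS configuration excerpt carries a non-empty encrypted-password under the diag-port-authentication hierarchy. The dictionary word list, the sample configuration and the hash value inside it are constructed placeholders; a real deployment would load a proper word list and read the actual configuration.

```python
"""Complexity check for the password requirements of this control, plus a
configuration check for [edit system diag-port-authentication].

Added example; not from the benchmark or from Juniper. Word list and sample
configuration below are constructed for illustration only.
"""
import re

# Constructed stand-in for a real dictionary/name list (assumption: a real
# check would load a full word list, name list, etc.).
DICTIONARY_WORDS = {"password", "juniper", "router", "admin", "diag", "letmein"}

MIN_LENGTH = 8
MAX_RUN = 4  # more than 4 digits or same-case letters in a row is disallowed

# One regex per required character class.
_CHAR_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Matches a run of MAX_RUN + 1 or more digits, uppercase or lowercase letters.
_RUN_PATTERN = re.compile(
    r"[0-9]{%d,}|[A-Z]{%d,}|[a-z]{%d,}" % ((MAX_RUN + 1,) * 3)
)


def password_findings(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CHAR_CLASSES.items():
        if not pattern.search(password):
            findings.append(f"missing {name}")
    if _RUN_PATTERN.search(password):
        findings.append(f"more than {MAX_RUN} digits or same-case letters in a row")
    lowered = password.lower()
    # Sorted so the output order is deterministic regardless of set ordering.
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            findings.append(f"contains dictionary word '{word}'")
    return findings


def is_complex(password: str) -> bool:
    """True when the password meets every requirement listed in the control."""
    return not password_findings(password)


# Constructed JUNOS configuration excerpt. The hash is a placeholder, not a
# real MD5 hash (assumption: a real value would appear here).
SAMPLE_CONFIG = """\
system {
    host-name example-router;
    diag-port-authentication {
        encrypted-password "$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
}
"""

_DIAG_STANZA = re.compile(r"diag-port-authentication\s*\{(.*?)\}", re.S)
_ENC_PW = re.compile(r'encrypted-password\s+"([^"]*)"')


def diag_port_password_configured(config_text: str) -> bool:
    """True if the diag-port-authentication stanza has a non-empty encrypted-password."""
    stanza = _DIAG_STANZA.search(config_text)
    if not stanza:
        return False
    match = _ENC_PW.search(stanza.group(1))
    return bool(match and match.group(1).strip())


if __name__ == "__main__":
    for candidate in ("password", "Ab1!23456", "Ab1!2345"):
        print(candidate, "->", password_findings(candidate) or "OK")
    print("diag port password configured:", diag_port_password_configured(SAMPLE_CONFIG))
```

The run check deliberately flags exactly five or more consecutive digits or same-case letters, so a password such as "Ab1!2345" (four digits in a row) passes while "Ab1!23456" does not. The configuration check only confirms that a hash is present; it cannot tell whether the underlying password was complex, which is why the plain-text check belongs in the process before the password is set.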

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|4.2, CSCv7|4.4

Plugin: Juniper

Control ID: f9b2fb6908d1ea0a78a6ec8bc8fa23ae53130255321663ebb555c7f31462c3d0