Configuration Guidelines for Securing Console Port Access

 

We recommend disabling the console port to prevent unauthorized access to the device.

Securing Console Port

You can use the console port on the device to connect to the device through an RJ-45 serial cable. From the console port, you can use the CLI to configure the device. By default, the console port is enabled. To secure the console port, you can configure the device to take the following actions:

  • Log out of the console session when you unplug the serial cable connected to the console port.

  • Disable root login connections to the console. This action prevents a non-root user from performing a password recovery operation using the console.

  • Disable the console port. We recommend disabling the console port to prevent unauthorized access to the device, especially when the device is used as customer premises equipment (CPE) and is forwarding sensitive traffic.

    Note

    It is not always possible to disable the console port, because console access is important during operations such as software upgrades.

    Warning

    On SRX300, SRX320, SRX340, and SRX345 devices, if both set system ports console insecure and set chassis routing-engine bios uninterrupt options are configured, there is no alternative recovery method available in case Junos OS fails to boot, and the device might become unusable.

To secure the console port:

  1. Do one of the following:
    • Disable the console port. Enter

    • Disable root login connections to the console. Enter

      Note

      After configuring the console port as insecure, if a user tries to perform a password recovery operation by booting in single-user mode, the device prompts for the root password. The user is therefore unable to log in to single-user mode for password recovery unless the root password is known.

    • Log out the console session when the serial cable connected to the console port is unplugged. Enter

    Note

    The log-out-on-disconnect statement is not operational on SRX1500, SRX4100, SRX4200, and SRX4600 devices; on these devices, you must manually log out from the console with the request system logout command.

  2. If you are done configuring the device, enter commit from configuration mode.
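
The settings in this procedure can be checked offline against an exported configuration. The following Python audit is an added example, not Juniper code; it assumes the configuration is in set format and that the disable and log-out-on-disconnect statements sit under the same system ports console hierarchy as the insecure command quoted in the Warning. The function name audit_console and the sample configuration are constructed for illustration.

```python
# Added example (not Juniper code): audit a set-format Junos configuration
# for the console hardening options in this section.
CONSOLE = "set system ports console "      # hierarchy assumed for all three options
BIOS_LOCK = "set chassis routing-engine bios uninterrupt"  # quoted in the Warning
NO_RECOVERY_MODELS = {"SRX300", "SRX320", "SRX340", "SRX345"}
MANUAL_LOGOUT_MODELS = {"SRX1500", "SRX4100", "SRX4200", "SRX4600"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
set system host-name branch-cpe
set system ports console insecure
set chassis routing-engine bios uninterrupt
"""

def audit_console(config_text, model):
    """Return a list of (severity, message) findings for one device."""
    # Normalise whitespace and keep only active "set" statements.
    active = [" ".join(l.split()) for l in config_text.splitlines()]
    active = [l for l in active if l.startswith("set ")]
    opts = {l[len(CONSOLE):].split()[0] for l in active if l.startswith(CONSOLE)}
    bios_locked = any(l.startswith(BIOS_LOCK) for l in active)
    findings = []
    if "disable" not in opts:
        findings.append(("warn", "console port is enabled (the default)"))
        if "insecure" not in opts:
            findings.append(("warn", "root login on the console is allowed"))
        if "log-out-on-disconnect" not in opts:
            findings.append(("warn", "session survives unplugging the cable"))
    # The statement is accepted but has no effect on these models.
    if "log-out-on-disconnect" in opts and model in MANUAL_LOGOUT_MODELS:
        findings.append(("warn", "log-out-on-disconnect is not operational on "
                         + model + "; log out with 'request system logout'"))
    # Combination the Warning says leaves no recovery method.
    if "insecure" in opts and bios_locked and model in NO_RECOVERY_MODELS:
        findings.append(("critical", "console insecure plus bios uninterrupt: "
                         "no recovery method if Junos OS fails to boot"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_console(SAMPLE_CONFIG, "SRX320"):
        print(f"{severity:8} {message}")
```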

Securing Mini-USB Ports

SRX320, SRX320, SRX340, and SRX345 devices have a mini-USB Type-B port. You can connect your management device to the Mini-USB Type-B console port for CLI management.

You can disable mini-USB ports on the SRX Series devices to block users from connecting a USB mass storage device to the services gateway. When you disable the device, any transactions in progress on the USB device are aborted.

Disable mini-USB ports.

  • Use the following command to disable the mini-USB ports.

Enable mini-USB ports.

  • Use the following command to enable the mini-USB ports.

    This step re-enables the disabled mini-USB ports.

Verify the status of the mini-USB.

  • Use the following show command to verify the status.

    The output displays the current status of USB mass storage device and whether the USB ports are enabled or disabled.
