Configuration Guidelines for Securing Console Port Access
We recommend disabling the console port to prevent unauthorized access to the device.
Securing Console Port
You can use the console port on the device to connect through an RJ-45 serial cable and then use the CLI to configure the device. By default, the console port is enabled. To secure the console port, you can configure the device to take the following actions:
Log out of the console session when you unplug the serial cable connected to the console port.
Disable root login connections to the console. This action prevents a non-root user from performing a password recovery operation using the console.
Disable the console port. We recommend disabling the console port to prevent unauthorized access to the device, especially when the device is used as customer premises equipment (CPE) and is forwarding sensitive traffic.
It is not always possible to disable the console port, because console access is important during operations such as software upgrades.
On SRX300, SRX320, SRX340, and SRX345 devices, if both the set system ports console insecure and set chassis routing-engine bios uninterrupt options are configured, there is no alternative recovery method available in case Junos OS fails to boot, and the device might become unusable.
To secure the console port:
- Do one of the following:
  - Disable the console port. Enter:
    [edit system ports console]
    user@host# set disable
  - Disable root login connections to the console. Enter:
    [edit system ports console]
    user@host# set insecure
    After configuring the console port as insecure, if a user tries to perform a password recovery operation by booting in single-user mode, the device prompts for the root password. The user is therefore unable to log in to single-user mode for password recovery unless the root password is known.
  - Log out the console session when the serial cable connected to the console port is unplugged. Enter:
    [edit system ports console]
    user@host# set log-out-on-disconnect
    The log-out-on-disconnect statement is not operational on SRX1500, SRX4100, SRX4200, and SRX4600 devices; on these devices, you must manually log out from the console with the request system logout command.
- If you are done configuring the device, enter commit from configuration mode.
Securing Mini-USB Ports
SRX300, SRX320, SRX340, and SRX345 devices have a mini-USB Type-B port. You can connect your management device to the mini-USB Type-B console port for CLI management.
You can disable the mini-USB ports on SRX Series devices to block users from connecting a USB mass storage device to the services gateway. When you disable the ports, any transactions in progress on the USB device are aborted.
Disable the mini-USB ports.
- Use the following command to disable the mini-USB ports:
  user@host# set chassis usb storage disable
Enable the mini-USB ports.
- Use the following command to enable the mini-USB ports:
  user@host# delete chassis usb storage disable
  This step re-enables the disabled mini-USB ports.
Verify the status of the mini-USB ports.
- Use the following show command to verify the status:
  user@host> show chassis usb storage
  The output displays the current status of the USB mass storage device and whether the USB ports are enabled or disabled.
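The console and mini-USB hardening statements above are easy to audit from a configuration dump in set format. The following Python script is an added example, not part of the Juniper documentation: it parses a constructed "show configuration | display set" sample and reports which of the hardening steps from this page are missing, plus the two model-specific caveats (the no-recovery combination on SRX300-series devices and the non-operational log-out-on-disconnect on SRX1500/4100/4200/4600). The model names and the sample configuration are the only assumptions.

```python
# Audit a Junos "display set" configuration for the console/USB hardening
# described on this page. Sample input is constructed, not from a real device.
SAMPLE_SET_CONFIG = """\
set system host-name branch-cpe-1
set system ports console insecure
set system ports console log-out-on-disconnect
set chassis routing-engine bios uninterrupt
set chassis usb storage disable
"""

# Models named on the page for the two caveats (assumed exact model strings).
NO_RECOVERY_MODELS = {"SRX300", "SRX320", "SRX340", "SRX345"}
NO_LOGOUT_MODELS = {"SRX1500", "SRX4100", "SRX4200", "SRX4600"}

MESSAGES = {
    "ROOT_LOGIN_ALLOWED": "console is enabled and not insecure: root login and "
                          "single-user password recovery are possible",
    "NO_LOGOUT_ON_DISCONNECT": "console session survives unplugging the cable",
    "LOGOUT_NOT_OPERATIONAL": "log-out-on-disconnect is configured but not "
                              "operational on this model; use request system logout",
    "NO_RECOVERY_PATH": "console insecure + bios uninterrupt on this model leaves "
                        "no recovery method if Junos OS fails to boot",
    "USB_STORAGE_ENABLED": "chassis usb storage is not disabled",
}


def parse_set_lines(text):
    """Return the set of statements (without the leading 'set ') in the dump."""
    return {ln.strip()[4:] for ln in text.splitlines() if ln.strip().startswith("set ")}


def audit_console(config_text, model):
    """Return finding codes (keys of MESSAGES) for the given model, in check order."""
    stmts = parse_set_lines(config_text)
    disabled = "system ports console disable" in stmts
    insecure = "system ports console insecure" in stmts
    logout = "system ports console log-out-on-disconnect" in stmts
    uninterrupt = "chassis routing-engine bios uninterrupt" in stmts
    usb_disabled = "chassis usb storage disable" in stmts
    findings = []
    # A disabled console port makes the per-session console checks moot.
    if not disabled and not insecure:
        findings.append("ROOT_LOGIN_ALLOWED")
    if not disabled and not logout:
        findings.append("NO_LOGOUT_ON_DISCONNECT")
    if logout and model in NO_LOGOUT_MODELS:
        findings.append("LOGOUT_NOT_OPERATIONAL")
    if insecure and uninterrupt and model in NO_RECOVERY_MODELS:
        findings.append("NO_RECOVERY_PATH")
    if not usb_disabled:
        findings.append("USB_STORAGE_ENABLED")
    return findings


if __name__ == "__main__":
    for code in audit_console(SAMPLE_SET_CONFIG, "SRX340"):
        print(f"{code}: {MESSAGES[code]}")
```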