Details
A complex password should be used to protect access to Diagnostic Port/s
Rationale:
Due to the sensitivity of the routers Diagnostic Port/s a complex password should be employed to help prevent attackers employing ‘brute force’ or ‘dictionary’ attacks to gain access through these ports.
Passwords are stored, automatically by JUNOS, as a MD5 hash in the configuration under the [edit system diag-port-authentication] hierarchy.
A complex password should be employed which meets or exceeds the following requirements:
Does not contain Dictionary words, names, dates, phone numbers or addresses.
Is at least 8 characters in length (longer is recommended).
Contains at least one each of upper & lower case letters, numbers and special characters.
Avoids more than 4 digits or same case letters in a row.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure a password for the diagnostic ports using one of the following commands under the [edit system] hierarchy; To enter a new password in plain text :
[edit system]
[email protected]#set diag-port-authentication plain-text-password
You will be prompted to enter the new password, which JUNOS will then hash with MD5 before placing the command in the candidate configuration. To enter an existing password hash which you have taken from an existing configuration file, type the following :
[edit system]
[email protected]#set diag-port-authentication encrypted-password ‘
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Juniper.