JUNIPER SSG5/SSG20 Initial Setup



For how to restore the factory configuration, please refer to the following link:

This time we log in on the console with the serial number to restore the factory defaults:
login: 016xxxxxxxxxxx18
password: 016xxxxxxxxxxx18
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n] y
In reset ...
Rebooting ...


Once the device has booted and we have logged in on the console, we can use the get config all command to view the settings after the factory reset.

We can initialise the Juniper SSG5/SSG20 by editing the factory default settings directly, which saves a lot of time.
After restoring the factory defaults, simply run the following commands to get Internet access and management through ports 0/2, 0/3 and 0/4.
If your WAN interface is a DHCP client, run the following commands:
set interface ethernet0/0 dhcp client
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0
save
If your WAN interface uses a static IP, run the following commands instead:
set interface ethernet0/0 ip 192.168.188.11
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0
save

The following commands bind ethernet0/1 under the bgroup0 interface and set the ethernet0/0 WAN interface as a DHCP client so it can obtain its Internet IP information.
On the SSG5/SSG20 series, ethernet0/1 is by default the dedicated DMZ interface (the JUNIPER SRX series has no such setting). If you do not need a DMZ interface, first unbind ethernet0/1 from its security zone, then bind it under bgroup0; every interface other than the ethernet0/0 WAN interface then becomes a LAN interface.
unset interface ethernet0/1 zone
set interface bgroup0 port ethernet0/1
save



At this point the quick initialisation of the Juniper SSG5/SSG20 is complete.
You can now reach the Internet and log in to the WebUI (IP 192.168.1.1, username and password both netscreen) to manage the Juniper SSG5/SSG20. The WAN side is port 0/0, which connects to your Internet access device such as the Chunghwa Telecom (HiNet) modem; the other ports (SSG5 0/1 to 0/7, SSG20 0/1 to 0/4) are LAN ports for your computers.


The following is a more complete set of security-related settings:
Set the time zone, disable daylight saving time, and enable network time synchronisation (NTP).
set clock dst-off
set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set ntp server "118.163.81.61"
set ntp server backup1 "120.119.31.1"
set ntp server backup2 "129.6.15.28"

To stop the console and web sessions from disconnecting after sitting idle during testing, which forces you to re-enter the username and password, set the console to never time out and the WebUI to disconnect after 60 minutes idle. On a device already in production, for security, do not extend the idle timeouts; the default is 10 minutes.
set console timeout 0   sets the console session to never disconnect
set console timeout 10  sets the console idle timeout in minutes; 0 means never disconnect
set admin auth web timeout 60  sets the WebUI idle timeout in minutes; 0 means never disconnect
save

If your model is the SSG20SH-W, which has WiFi, also add the following commands to secure the wireless side during initialisation:
Create a "WIFI" security zone, make the wireless0/0 interface non-manageable, and finally add a policy so WiFi clients can reach the Internet.
WiFi networks are not secure: anyone can listen on your WiFi network and, with suitable tools and equipment, break its security settings and get into your devices. That is why we secure the wireless network from the very start: even if someone gets onto your wireless network, all they can do is reach the Internet; they cannot obtain management rights on the network device.
set zone id 100 "WIFI"
set interface "wireless0/0" zone "WIFI"
unset interface wireless0/0 ip manageable
set policy id 2 name "WIFI-2-Internet" from "WIFI" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2
exit
save


Set the administrator account name and password. The default is "netscreen"; change it to another name and a complex password so nobody can obtain management rights.
set admin name "administrators"
set admin password "netscreen123456"

We also apply the following security initialisation settings:
unset interface ethernet0/0 ip manageable  disables management of the Juniper SSG5/SSG20 from the WAN interface. Making the WAN interface manageable is very unsafe. Even if your work sometimes requires managing the device from home, secure it properly: change the management port numbers, use a complex username and password, restrict the IPs or IP ranges allowed to log in remotely, disable unneeded management services, and log in only over a secure connection such as SSL (https), ssh or VPN.
set interface ethernet0/0 ip manageable  makes the WAN interface manageable
set interface ethernet0/0 manage ssl  enables the SSL (https) service on the WAN interface
set interface ethernet0/0 manage ssh  enables the SSH service on the WAN interface
unset interface ethernet0/0 manage ping  disables ping on the WAN interface
unset interface ethernet0/0 manage telnet  disables telnet on the WAN interface
unset interface ethernet0/0 manage snmp  disables snmp on the WAN interface
unset interface ethernet0/0 manage web  disables web (http) management on the WAN interface
unset interface ethernet0/0 manage ident-reset  disables ident-reset on the WAN interface



set admin port <number>  changes the HTTP web management port number (1024-32767)
set admin auth web timeout <number>  changes the web idle timeout in minutes (valid range 0 - 1000)
set admin http redirect  redirects unencrypted HTTP web management to the encrypted https (SSL) page (port 443)
unset admin http redirect  removes the HTTP web management redirect


set ssl enable  enables HTTPS web management
set ssl port 11443  changes the HTTPS web management port number (1024-32767); you must then enter https://192.168.1.1:11443 in the browser to reach the management page
set ssl encrypt rc4 md5    the default; there are four SSL cipher choices, of which 3des sha-1 is the most secure
set ssl encrypt rc4-40 md5
set ssl encrypt des sha-1
set ssl encrypt 3des sha-1
unset ssl encrypt         unset restores the default
If you want to manage the Juniper SSG through SSL (HTTPS) web management, you must set the cipher to 3des sha-1, otherwise the browser will tell you the cipher is too old and refuse the connection. Even with 3des sha-1 the browser will still warn that the site certificate has expired; just choose to continue to the site and you can log in to the SSG management page.
So when you use set admin http redirect to send HTTP web management to the encrypted https (SSL) page, remember to enable SSL and set its cipher first, or you will not be able to reach the management page. From a security standpoint, however, being able to reach the login screen just by typing the device address into a browser is very unsafe, so we do not encourage set admin http redirect; better to stop the http management service altogether and then change the https port number to raise security.
unset interface ethernet0/0 manage web  stops the http management service on the WAN port


set admin access attempts 6  allows 6 unsuccessful login attempts (guards against mistyping). By default the device allows at most three failed attempts; after that the user account is not locked, only the connection is closed.
set admin access lock-on-failure 30  locks the account for 30 minutes after failed login attempts (guards against password-guessing attacks) and lowers the chance that such attacks succeed. Default 1 minute; 0 means the account is locked permanently; range 0 - 1440
set admin root access console     restricts the root user to logging in from the console only
set admin password restrict length 16     forces administrator passwords to be at least 16 characters

set admin manager-ip 192.168.8.12   restricts the administrator's remote login to this IP
set admin manager-ip 192.168.7.112 255.255.255.0   restricts the administrator's remote login to this IP range
set admin manager-ip enforce    forces administrators to log in only from the addresses above. Be sure to configure the manager-ip entries first and only then enable enforce; otherwise every IP is blocked and you can only manage the device from the console
unset admin manager-ip enforce    removes the enforce option
unset admin manager-ip 192.168.8.12
unset admin manager-ip 192.168.7.112




Change the telnet port from port 23 to another port number so attackers cannot run password attacks against the telnet password.
set admin telnet port 1123      telnet port number (1024-32767)



Change the ssh port from port 22 to another port number so attackers cannot run password attacks against the ssh password.
ssh sessions are encrypted, which makes them more secure than telnet, so we recommend stopping the telnet service and using an ssh-capable client such as PuTTY instead.
set admin ssh port 1122   changes the ssh management port number (1024-32767)
To enable the ssh service, run the following steps:
set interface ethernet0/0 manage ssh  enables the SSH service on the WAN interface
set ssh version v2
set ssh enable
set admin ssh port 1122
Next we show how to connect to the SSG5 (IP 192.168.7.1) with PuTTY.
The figure below shows the PuTTY settings after opening it; enter the relevant values following the numbered order:

Then press "(Y)".

You then reach the login screen; enter the correct username and password and you can manage the JUNIPER SSG over SSH.





set admin hw-reset      allows the Reset button to restore the factory default configuration (default)
unset admin hw-reset    disables restoring the factory default configuration with the Reset button
set admin device-reset    allows restoring the factory default configuration by logging in with the serial number as username and password (default)
unset admin device-reset  disables the serial-number reset

set admin auth dial-in timeout 3  modem dial-in authentication timeout in minutes (valid range 0 - 3)

We can use the get admin command to display the admin settings:
ssg5-serial-> get admin
HTTP Port: 80, HTTPS Port: 11443
TELNET Port: 1123, SSH Port: 1122
Manager IP enforced: True
Manager IPs: 1

Address                                  Mask                                     Vsys
---------------------------------------- ---------------------------------------- --------------------
192.168.7.112                            255.255.255.0                            Root
Mail Alert: On, Mail Server: 172.16.7.22
E-Mail Address: charlie-wang@test.com
E-Mail Traffic Log: Off
Configuration Format: DOS
Device Reset: Enabled
Hardware Reset: Enabled
Admin privilege: read-only (Remote admin has read-only privileges)
Max Failed Admin login attempts: 3
Lock admin accounts on auth failure: On, locking time 1 minutes
HTTP redirect: false
ssg5-serial->



set admin auth web timeout 60
set admin auth dial-in timeout 5
set admin access attempts 5
set admin access lock-on-failure 10
set admin port 80
unset admin http redirect
set ssl enable
set ssl port 11443
set admin telnet port 1123
set ssh version v2
set ssh enable
set admin ssh port 1122
set admin hw-reset
set admin device-reset
set key protection enable
The settings above can also be configured in the WebUI under Configuration > Admin > Management.




Set up syslog forwarding to send system log messages to the log server 192.168.1.11. The log server must have port 514 open and run a syslog receiver such as tftpd64.
set syslog config "192.168.7.11"
set syslog config "192.168.7.11" facilities local0 local0
set syslog config "192.168.7.11" log traffic
set syslog config "192.168.7.11" transport tcp
set syslog src-interface ethernet0/0
set syslog enable
save
Line 1: the server IP address, 192.168.7.11, the syslog server IP we configured above.
Line 2: defines the facility as local0.
Line 3: enables the traffic log and forwards it to the syslog server.
Line 4: defines which network interface (source interface) the logs are sent from.
Note: if the syslog server is not in the Juniper NetScreen/SSG Trust zone, for example in a Site-to-Site VPN setup, you must specify the src-interface (source interface), otherwise the logs cannot be delivered.
The event log is enabled by default; to disable it, run unset syslog config "192.168.7.11" log event



set admin mail alert     enables e-mail notification for alarms
set admin mail server-name 172.16.7.22     SMTP server name; the IP address must be on an interface bound to the untrust zone
set admin mail mail-addr1 charlie-wang@test.com     remote e-mail address
The IP address must be on an interface bound to the untrust zone, otherwise you will not receive mail alert messages. See the following thread:
The firewall is designed to use the IP address defined on the untrust interface for email alerts.
Can't get alert from Email.
set admin mail alert
set admin mail server-name "smtp.gmail.com"
set admin mail mail-addr1 "quanzhan.zhang@gmail.com"
set admin mail traffic-log
Answer: Gmail/Google Mail uses SSL/TLS. Please try to use another free service which uses regular clear-text SMTP protocol. I doubt the ScreenOS SMTP client supports TLS/SSL.
Those free mail services all require some type of authentication.  Juniper firewalls do not have any method to authenticate SMTP connection. Your best bet may be to setup your own mail server.



Disable/enable the telnet client (available from ScreenOS 6.2 onward) with the following commands:
set telnet client enable     allows you to telnet from the SSG to other devices for configuration or maintenance (default)
unset telnet client enable     disables the telnet client
Command usage:
telnet <ip-address or hostname> port <port-number>


Beyond the security settings above, we can also use policies to regulate how internal users connect to the Internet.
First disable the default policy that lets the whole internal network out to the Internet:
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1 disable
set policy id 1
exit
Then create a new policy that permits only the services used in daily work, such as DNS, web browsing (http, https) and e-mail (imap, pop3, smtp). This both improves internal network security and regulates users' Internet use, so it serves several purposes at once.
Greater security does bring some inconvenience: chat software stops working, online games are blocked, downloads from free file-hosting sites fail, and so on.
set policy id 2 name "Users_Firewall" from "Trust" to "Untrust"  "Any" "Any" "DNS" permit
set policy id 2
set service "HTTP"
set service "HTTPS"
set service "IMAP"
set service "POP3"
set service "SMTP"
set service "SYSLOG"
set service "NTP"
set service "PING"
set service "TELNET"
set service "SSH"
set service "FTP"
exit







After restoring the factory defaults through the serial-number login, the configuration file contains the following:
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl1/0 phy operating-mode auto
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "adsl1/0" pvc 8 35 mux llc protocol bridged qos ubr zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface wireless0/0 ip 192.168.2.1/24
set interface wireless0/0 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface wireless0/0 ip manageable
set interface bgroup0 ip manageable
unset interface ethernet0/0 manage ping
unset interface ethernet0/0 manage ssh
unset interface ethernet0/0 manage telnet
unset interface ethernet0/0 manage snmp
unset interface ethernet0/0 manage ssl
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage ident-reset
set interface ethernet0/0 g-arp
set interface ethernet0/1 manage ping
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage web
unset interface ethernet0/1 manage ident-reset
set interface ethernet0/1 g-arp
set interface wireless0/0 manage ping
set interface wireless0/0 manage ssh
set interface wireless0/0 manage telnet
set interface wireless0/0 manage snmp
set interface wireless0/0 manage ssl
set interface wireless0/0 manage web
unset interface wireless0/0 manage ident-reset
set interface wireless0/0 g-arp
set interface bgroup0 manage ping
set interface bgroup0 manage ssh
set interface bgroup0 manage telnet
set interface bgroup0 manage snmp
set interface bgroup0 manage ssl
set interface bgroup0 manage web
unset interface bgroup0 manage ident-reset
set interface bgroup0 g-arp
unset interface adsl1/0 manage ping
unset interface adsl1/0 manage ssh
unset interface adsl1/0 manage telnet
unset interface adsl1/0 manage snmp
unset interface adsl1/0 manage ssl
unset interface adsl1/0 manage web
unset interface adsl1/0 manage ident-reset
set interface adsl1/0 g-arp
set interface vlan1 manage ping
set interface vlan1 manage ssh
set interface vlan1 manage telnet
set interface vlan1 manage snmp
set interface vlan1 manage ssl
set interface vlan1 manage web
unset interface vlan1 manage ident-reset
unset interface vlan1 g-arp
set zone V1-Trust manage ping
set zone V1-Trust manage ssh
set zone V1-Trust manage telnet
set zone V1-Trust manage snmp
set zone V1-Trust manage ssl
set zone V1-Trust manage web
unset zone V1-Trust manage ident-reset
set zone V1-Trust g-arp
unset zone V1-Untrust manage ping
unset zone V1-Untrust manage ssh
unset zone V1-Untrust manage telnet
unset zone V1-Untrust manage snmp
unset zone V1-Untrust manage ssl
unset zone V1-Untrust manage web
unset zone V1-Untrust manage ident-reset
set zone V1-Untrust g-arp
set zone V1-DMZ manage ping
unset zone V1-DMZ manage ssh
unset zone V1-DMZ manage telnet
unset zone V1-DMZ manage snmp
unset zone V1-DMZ manage ssl
unset zone V1-DMZ manage web
unset zone V1-DMZ manage ident-reset
set zone V1-DMZ g-arp
unset zone V1-Null manage ping
unset zone V1-Null manage ssh
unset zone V1-Null manage telnet
unset zone V1-Null manage snmp
unset zone V1-Null manage ssl
unset zone V1-Null manage web
unset zone V1-Null manage ident-reset
set zone V1-Null g-arp
set interface wireless0/0 dhcp server service
set interface bgroup0 dhcp server service
set interface wireless0/0 dhcp server auto
set interface bgroup0 dhcp server auto
set interface wireless0/0 dhcp server option gateway 192.168.2.1
set interface wireless0/0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
unset interface wireless0/0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set wlan 0 channel auto
set wlan 1 channel auto
set wlan change-channel-timer 0
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0164111111102418"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
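As an added example (not from the original post), a small Python check that reads a ScreenOS get config dump like the one above and flags the settings this post hardens: the default admin name, a manageable WAN interface, clear-text management services, the default SSL cipher and the default any/any policy left enabled. The sample dump and the rule set are constructed assumptions of mine, not the device's own output.

```python
import re

# Constructed excerpt in the style of a factory-default 'get config' dump,
# with ethernet0/0 made manageable, the situation the post warns against.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface bgroup0 manage telnet
set ssl enable
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
"""

def audit_screenos(config):
    """Return a list of finding strings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    present = set(lines)
    findings = []
    if 'set admin name "netscreen"' in present:
        findings.append("admin: default account name 'netscreen' still in use")
    # Interfaces bound to the Untrust zone are the WAN side.
    wan = {m.group(1) for ln in lines
           if (m := re.match(r'set interface "?([\w/]+)"? zone "Untrust"$', ln))}
    for itf in sorted(wan):
        if f"set interface {itf} ip manageable" in present:
            findings.append(f"{itf}: WAN interface is manageable")
            if "set admin manager-ip enforce" not in present:
                findings.append(f"{itf}: WAN manageable without manager-ip enforce")
        for svc in ("telnet", "web", "snmp", "ping"):
            if f"set interface {itf} manage {svc}" in present:
                findings.append(f"{itf}: management service '{svc}' open on WAN")
    # Telnet management on any LAN interface is clear-text; the post prefers SSH.
    for ln in lines:
        m = re.match(r"set interface (\S+) manage telnet$", ln)
        if m and m.group(1) not in wan:
            findings.append(f"{m.group(1)}: telnet management enabled, prefer SSH")
    # 'set ssl enable' without an explicit cipher keeps the rc4 md5 default.
    if "set ssl enable" in present and "set ssl encrypt 3des sha-1" not in present:
        findings.append("ssl: cipher left at default rc4 md5, set 3des sha-1")
    # A Trust-to-Untrust any/any permit that was not disabled.
    pol = r'set policy id (\d+) from "Trust" to "Untrust"\s+"Any" "Any" "ANY" permit$'
    for ln in lines:
        m = re.match(pol, ln)
        if m and f"set policy id {m.group(1)} disable" not in present:
            findings.append(f"policy {m.group(1)}: Trust->Untrust any/any permit active")
    return findings
```

Feed it the output of get config saved to a file; the sample above yields eight findings, while a config that follows the post's hardening steps yields none.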

