The URL that you gave is for a very old Juniper firewall product, not for the SRX.
Original Message:
Sent: 06-15-2023 10:31
From: Vladlen London
Subject: SSX change SSH port, monitor traffic interface command
If it is not possible to change the SSH port, then what does this command do?
srx345> show configuration system services
ssh {
port 22022;
}
And here it is stated that it is possible:
https://supportportal.juniper.net/s/article/ScreenOS-How-to-change-the-default-management-ports-on-the-Juniper-firewall-SSH-TELNET-HTTP-and-HTTPS?language=en_US
------------------------------
Vladlen London
Original Message:
Sent: 06-10-2023 10:57
From: Anonymous
Subject: SSX change SSH port, monitor traffic interface command
This message was posted by a user wishing to remain anonymous
How to change ssh default port for extra security in srx1500 | SRX (juniper.net)
Original Message:
Sent: 06-09-2023 13:19
From: Vladlen London
Subject: SSX change SSH port, monitor traffic interface command
Hello all!
I have an srx345 behind a home SOHO router and want to have remote access to it via SSH, and I also want to change the default port to 22022.
But I have already encountered some problems in the local network with ping, SSH and the "monitor traffic interface" command.
The SOHO router is directly connected to the SRX (port ge-0/0/0, 192.168.1.3), to the notebook (192.168.1.32) and to the Internet.
I changed the default port for SSH:
srx345> show configuration system services
ssh {
root-login deny;
protocol-version v2;
port 22022;
}
But when I try to connect from the notebook to the SRX via SSH port 22022, I get a disconnect timeout, and when I look at the SRX output of the "monitor traffic interface ge-0/0/0 matching "host 192.168.1.32"" command I see no packets.
But when I try to connect via the default port 22, I instantly receive a reject on the PuTTY client, and see some traffic on the SRX.
And the thing with pings: when they are not allowed on the untrust zone, I cannot ping the SRX and see no traffic on the interface; when pings are allowed, I can ping the SRX, but still do not see any traffic on the interface.
Here are some outputs. You can see some packets when SSH to port 22 was rejected, but no ICMP or TCP 22022 traffic; you can, however, see some ARP resolutions at 22:31:06.852517, which was an attempt to connect via SSH port 22022:
test@srx345> ...ce ge-0/0/0 matching "host 192.168.1.32"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 192.168.1.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
22:30:30.791306 In arp who-has 192.168.1.1 tell 192.168.1.32
22:30:31.405485 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:32.020337 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:32.849393 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:37.502732 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:37.989450 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:37.989550 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 2036772549 win 0
22:30:38.341689 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:38.506667 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:38.506764 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
22:30:39.023607 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:39.023705 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
22:30:39.355865 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:39.538031 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:39.538130 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
22:30:40.054284 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:40.054385 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
22:30:43.035088 In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
22:30:43.035206 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
22:30:43.625648 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:44.615509 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:45.538372 In arp who-has 192.168.1.1 tell 192.168.1.32
22:30:45.538995 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:49.625507 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:50.353538 In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:51.345083 In arp who-has 192.168.1.81 tell 192.168.1.32
22:31:06.852517 In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
22:31:06.852638 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
22:31:18.752914 In arp who-has 192.168.1.1 tell 192.168.1.32
22:31:24.857533 In arp who-has 192.168.1.1 tell 192.168.1.32
22:31:52.508360 In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
22:31:52.508483 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
22:31:57.971779 In arp who-has 192.168.1.1 tell 192.168.1.32
^C
412 packets received by filter
I don't get why I do not see traffic on the SRX for ICMP, SSH port 22022, or telnet 23, but I do see it for SSH port 22 (no matter whether the SSH management port is set to the default or not) or for TCP 443, when connecting to the SRX via the web.
Maybe I am using this "monitor traffic interface" command wrong somehow?
And why can't I connect to the SRX via SSH port 22022?
If any additional outputs or info are needed, please tell me.
------------------------------
Vladlen London
------------------------------
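As an added example (not from the thread or from Juniper), a small Python helper that parses lines in the format of the "monitor traffic interface" output above and reports, per destination port on the SRX, whether SYNs arrived and whether the device answered with RST, so a port with nothing captured at all (22022 in the post) stands out from a port that was reached and refused (22). The sample lines are copied from the capture; the device address 192.168.1.3 comes from the post.

```python
import re
from collections import Counter

# Constructed sample in the exact format of the "monitor traffic interface"
# output in the post above (ARP lines included to show they are skipped).
SAMPLE = """\
22:30:30.791306 In arp who-has 192.168.1.1 tell 192.168.1.32
22:30:37.989450 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:37.989550 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 2036772549 win 0
22:30:38.506667 In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:38.506764 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
22:30:43.035088 In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
22:30:43.035206 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
"""

# One TCP line: "<ts> In|Out IP <src>.<sport> > <dst>.<dport>: <flags> ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>[SRFP.]+)"
)

def parse_tcp(text):
    """One dict per TCP line; ARP and banner lines are ignored."""
    return [m.groupdict() for m in map(TCP_RE.match, text.splitlines()) if m]

def summarize(text, device_ip, expected_ports):
    """Per destination port on device_ip: inbound SYNs seen and RSTs the device
    sent back. An expected port with nothing captured (22022 in the thread)
    is reported as such, so it stands out from a port that was refused."""
    syn, rst = Counter(), Counter()
    for p in parse_tcp(text):
        if p["dir"] == "In" and p["dst"] == device_ip and "S" in p["flags"]:
            syn[p["dport"]] += 1
        if p["dir"] == "Out" and p["src"] == device_ip and "R" in p["flags"]:
            rst[p["sport"]] += 1
    report = {}
    for port in set(expected_ports) | set(syn) | set(rst):
        if not syn[port] and not rst[port]:
            report[port] = "no packets captured"
        elif rst[port]:
            report[port] = f"{syn[port]} SYN, {rst[port]} RST (reached device, refused)"
        else:
            report[port] = f"{syn[port]} SYN, no reply"
    return report

if __name__ == "__main__":
    # Port names follow the capture: 22 prints as 'ssh', 22022 stays numeric.
    for port, verdict in sorted(summarize(SAMPLE, "192.168.1.3", ("ssh", "22022")).items()):
        print(f"{port:>6}: {verdict}")
```

A port reported as "no packets captured" never reached the capture point, so the cause is upstream of the SSH service itself; a port answered with RST did reach the device and was refused there.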