While no security is fool proof, it is important that we do as much as we can to ensure maximum protection on our netowrk devices like Routers and Switches. Cisco IOS has enhanced Login restriction features which can control login attempts to it. This includes time delay between failed login attempts, block period after a set of failed login attempts and audit logs of successful and failed login attempts.
These login restrictions provides more control and make it that more harder for unauthorised accesses and prevent against Dictionary based DoS attacks.
To start of with,
Block Logins after failed attempts
From the Global configuration mode enter the login block-for command to block login attempts to the Cisco Router and Switches for a set period after a preset number of failed login attempts in a specified period of time.
ciscorouter# conf t
ciscorouter(config)# login block-for 300 attempts 3 within 60
Here we block all login attempts (except for the exception ACL list which we will see a few lines down) for 300seconds (5mins) after 3 failed login attempts with 60 seconds (1min). This blocking period is called "Quiet mode"
Set Login Delays
We can enforce a time delay after a failed login attempt. As soon as the "login lock-for" option is set, this automatically kicks in with the default value of 1 second. However, this can manually changed to anything upto 10 seconds.
ciscorouter(config)# login delay 10
Here we set a delay of 10 seconds after a failed login attempt.
Set Quiet Mode Exception ACL
While we enforce a blocking period after successive failed login attempts, we can configure an Exception Access list of hosts or networks. These hosts or networks will be able to login to the router even in the quiet mode.
ciscorouter(config)# login quiet-mode access-class 10
Where 10 is the ACL
Audit Logs on Failed and Successfule login attempts
To enable logging after failed login attempts
ciscorouter(config)# login on-failure log
This logs every time there is a failed login attempt. We can customize the number of failed attempts after which the message is logged.
ciscorouter(config)# login on-failure log 3
The above logs the failed attempts after 3 successive failure.
Similarly, successful logins can be logged as well
ciscorouter(config)# login on-success log
or
ciscorouter(config)# login on-success log 5
To display the Login configuration status
Simply do a
ciscorouter# sh login
A default login delay of 10 seconds is applied.No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 60 seconds or less, logins will be disabled for 300 seconds.
Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.
Denying logins from all sources.
To only display failed login attempts
ciscorouter# sh login failure
Information about login failure's with the device
Username Source IPAddr lPort Count TimeStamp
admin1 192.168.1.1 23 1 21:52:49 UTC Sun Mar 9 2008
someone 192.168.1.2 23 1 21:52:52 UTC Sun Mar 9 2008
A good article, but it’s worth mentioning that the “login” command syntax tree isn’t available in a lot of IOS versions, perticularly the older versions on routers and switches. Version IOS 12.3 and up as far as I know are alright.
Hi there,
very useful information. I m using packet tracer 3.2 . i m not able to work those login quiet-mode and login delay commands
can u please guide me how to work those in version 3.2
What about security authentication failure rate command? Please verify correctness of working of this command.