- Delays between successive login attempts
- Login shutdown if DoS attacks are suspected
- Generation of system logging messages for login detection
The following commands are available to configure a Cisco IOS device to support the enhanced login features.
Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]
Authentication on vty lines must be configured to use a username and password combination. If the vty lines are configured to use only a password, the enhanced login features are not enabled.
All login enhancement features are disabled by default. Use the login block-for command to enable login enhancements.
The login block-for feature monitors login device activity and operates in two modes:
Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command.
By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly as they can be processed. This makes devices susceptible to dictionary attack tools, such as Cain or L0phtCrack, which are capable of thousands of password attempts per second. The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password.
This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts.
The login block-for, login quiet-mode access-class, and login delay commands help block failed login attempts for a limited period of time but cannot prevent an attacker from trying again.
The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.
These commands can be used to keep track of the number of successful and failed login attempts.
login on-failure log [every login] generates logs for failed login requests.
login on-success log [every login] generates log messages for successful login requests.
The number of login attempts before a message is generated can be specified using the [every login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.
As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the login failure rate is exceeded.
To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The router is in either normal or quite mode, depending on whether login thresholds were exceeded.
The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.
biOos
No comments:
Post a Comment