Enabling Cisco IOS Login Enhancements

Lets face facts, any feature that helps protect your network devices from brute force login attacks has to be worth implementing. Cisco introduced Login Enhancements with IOS 12.3(4)T, here are a few examples on what you can do with these features.

The follow command will block further login attempts, after 5 failed login attempts within a 10 second period.

SC#config t
SC(config)#login block-for 30 attempts 5 within 10

The above command could be used against you, an attacker could simply trigger the block-for feature, by just hitting the login with invalid credentials, thus creating a DoS attack against the Management Plane, denying you access to your own router. To prevent this, we exempt our workstation from the quiet period.

SC(config)#access-list 10 permit 192.168.2.10
SC(config)#login quiet-mode access-class 10

Changes the minimum period of time that must pass between login attempts from the default of 1 second to 3 seconds (Optional)

SC(config)#login delay 3

Create log messages for failed login attempts. There is also an optional every parameter, which will generate a log message for every X failed login attempts

SC(config)#login on-failure log

This command is the complete opposite of the previous command, it will generate a log message for every successful login. Like the previous command, the every parameter can be used to generate a message for every X successful logins, cutting down on the log messages generated for successful logins.

SC(config)#login on-success log
No comments yet.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>