Overview

When logging into a Cisco device via Telnet/SSH, you can restrict login attempts. After a certain number of failed login attempts, the login will be blocked. This prevents unauthorized login by brute force attack.

The following section describes configuration for restricting login attempts for Cisco devices.

Configuration commands for restricting login attempts

To restrict Telnet/SSH login attempts, use the login block-for command. the format of the login block-for command is as follows

login block-for command syntax

(config)#login block-for <block-time-period> attempts <fail-attempts> within <login-attempt-time-period>

<block-time-period> : Time to block login (sec)
<fail-attempts> : Number of login attempts
<login-attempt-time-period> : Time to watch for login attempts (sec)

If a login fails times during , it is blocked from logging in for . The state in which login is blocked is called Quiet-Mode. Note that password authentication alone will not work to restrict login attempts.

You can also delay the next prompt display upon failed login attempts with the following command. This can reduce the number of unauthorized login attempts.

Login prompt delay

(config)#login delay <second>

<second> : Prompt Display Delay (sec)

Configuration example of login block-for command

Restrict Telnet/SSH login attempts under the following conditions

  • If login fails 3 times in 60 seconds, the user will be prevented from logging in for 120 seconds.
  • Delay display of login prompt for 3 seconds.

Configuration example of login block-for command

login block-for 120 attempts 3 within 60
login delay 3

Telnet to router R1 (IP address 10.1.1.251) with the above configuration and login fails 3 times. Then the connection is denied the fourth time.

Verification of login attempt restrictions

R2#telnet 10.1.1.251
Trying 10.1.1.251 ... Open


User Access Verification

Username: admin
Password:
% Login invalid

Username: admin
Password:
% Login invalid

Username: admin
Password:
% Login invalid

[Connection to 10.1.1.251 closed by foreign host]
R2#telnet 10.1.1.251
Trying 10.1.1.251 ...
% Connection refused by remote host

If a login attempt is blocked, the following log message is displayed

Log of blocked login attempts

*Mar  1 00:26:54.891: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 38 secs, [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 00:26:54 UTC Fri Mar 1 2002

Also, show login and show login failure will be displayed as follows

show login/show login failure

R1#show login
     A login delay of 3 seconds is applied.
     No Quiet-Mode access list has been configured.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 60 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 75 seconds.
     Denying logins from all sources.

R1#show login failures
Total failed logins: 3
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
admin           10.1.1.252      23    3     00:26:54 UTC Fri Mar 1 2002