Overview
When logging in to a Cisco device via Telnet/SSH, you can restrict login attempts: after a set number of failed attempts, further logins are blocked for a period of time. This mitigates brute-force attacks against the login.
The following sections describe the configuration for restricting login attempts on Cisco devices.
Configuration commands for restricting login attempts
To restrict Telnet/SSH login attempts, use the login block-for command. The syntax of the login block-for command is as follows:
login block-for command syntax
(config)#login block-for <block-time-period> attempts <fail-attempts> within <login-attempt-time-period>
<block-time-period> : Time for which login is blocked (sec)
<fail-attempts> : Number of failed login attempts that triggers blocking
<login-attempt-time-period> : Time window in which failed login attempts are counted (sec)
If login fails <fail-attempts> times within <login-attempt-time-period>, login is blocked for <block-time-period>. The state in which login is blocked is called Quiet-Mode. Note that login-attempt restriction does not work with password-only (line password) authentication; username-based authentication is required.
You can also delay the display of the next prompt after a failed login attempt with the following command. This slows down unauthorized login attempts.
Login prompt delay
(config)#login delay <second>
<second> : Prompt Display Delay (sec)
Configuration example of login block-for command
Restrict Telnet/SSH login attempts under the following conditions:
- If login fails 3 times in 60 seconds, the user will be prevented from logging in for 120 seconds.
- Delay display of login prompt for 3 seconds.
Configuration example of login block-for command
login block-for 120 attempts 3 within 60
login delay 3
With the above configuration on router R1 (IP address 10.1.1.251), telnet to R1 and fail the login 3 times. The connection is then refused on the fourth attempt.
Verification of login attempt restrictions
R2#telnet 10.1.1.251
Trying 10.1.1.251 ... Open

User Access Verification

Username: admin
Password:
% Login invalid

Username: admin
Password:
% Login invalid

Username: admin
Password:
% Login invalid

[Connection to 10.1.1.251 closed by foreign host]
R2#telnet 10.1.1.251
Trying 10.1.1.251 ...
% Connection refused by remote host
When login is blocked (Quiet-Mode is entered), the following log message is displayed:
Log of blocked login attempts
*Mar 1 00:26:54.891: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 38 secs, [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 00:26:54 UTC Fri Mar 1 2002
Also, show login and show login failures display the following:
show login/show login failures
R1#show login
     A login delay of 3 seconds is applied.
     No Quiet-Mode access list has been configured.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 60 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 75 seconds.
     Denying logins from all sources.

R1#show login failures
Total failed logins: 3
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
admin           10.1.1.252      23    3     00:26:54 UTC Fri Mar 1 2002
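As an added example that is not part of the original article, the following Python script parses the bracketed fields of SEC_LOGIN syslog messages like the QUIET_MODE_ON line shown above, counts failures per source and user, and lists the sources that pushed the router into Quiet-Mode. The sample log lines are constructed; the %SEC_LOGIN-4-LOGIN_FAILED lines are assumed to carry the same [user:] [Source:] [localport:] [Reason:] layout as the QUIET_MODE_ON message on this page.

```python
import re
from collections import Counter

# Matches the bracketed fields that IOS SEC_LOGIN messages carry, e.g.
# %SEC_LOGIN-1-QUIET_MODE_ON: ... [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: ...]
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):"
    r"(?P<text>.*?)"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\] \[Reason: (?P<reason>[^\]]*)\]"
)

# Constructed sample log: three failures from 10.1.1.252 followed by the
# QUIET_MODE_ON message quoted on this page.
SAMPLE_LOG = [
    "*Mar 1 00:26:40.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:26:40 UTC Fri Mar 1 2002",
    "*Mar 1 00:26:47.455: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:26:47 UTC Fri Mar 1 2002",
    "*Mar 1 00:26:54.880: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:26:54 UTC Fri Mar 1 2002",
    "*Mar 1 00:26:54.891: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 38 secs, [user: admin] [Source: 10.1.1.252] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 00:26:54 UTC Fri Mar 1 2002",
    "*Mar 1 00:27:10.000: %SYS-5-CONFIG_I: Configured from console by console",  # unrelated line, ignored
]


def parse_sec_login(line):
    """Return the SEC_LOGIN fields of one syslog line as a dict, or None if it is not one."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    ev["port"] = int(ev["port"])
    return ev


def summarize(lines):
    """Count failed logins per (source, user) and collect sources that triggered Quiet-Mode."""
    failures = Counter()
    quiet_mode_sources = []
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None:
            continue
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[(ev["src"], ev["user"])] += 1
        elif ev["mnemonic"] == "QUIET_MODE_ON":
            quiet_mode_sources.append(ev["src"])
    return failures, quiet_mode_sources


if __name__ == "__main__":
    fails, quiet = summarize(SAMPLE_LOG)
    for (src, user), n in fails.items():
        print(f"{src} user={user} failed logins={n}")
    print("Quiet-Mode triggered by:", quiet)
```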