IOS Login Tweaks
From NippAero
In IOS release 12.3(4)T (integrated into 12.4), Cisco finally introduced features (long available in Unix and Windows) that slow down dictionary attacks against a router. On top of logging login failures, you can also slow down the login process by delaying the router's response after a login failure with the login delay seconds command.
On top of that, you can configure the router to enter quiet mode after several login failures have been detected within a specified timeframe with the login block-for seconds attempts tries within seconds configuration command.
Quiet mode is implemented by applying an access-list to the VTY lines. You can specify the access-list yourself with the login quiet-mode access-class { acl-name-or-number } command; otherwise the router generates an access-list named sl_def_acl ...
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
and applies it with the access-class in command to the VTY lines.
The router also logs entry into and exit from quiet mode, with messages similar to the ones below:
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 43 secs, [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 19:21:17 UTC Sat Dec 2 2006
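To make use of these messages on a syslog collector, the %SEC_LOGIN lines need to be parsed into fields (source, local port, reason, ACL). The following is an added example, not part of the original page: a small parser that counts LOGIN_FAILED messages per source and port and collects QUIET_MODE_ON/OFF events, run over a constructed sample in the format shown above.

```python
import re
from collections import Counter

# Constructed sample log, following the %SEC_LOGIN message format shown above.
SAMPLE_LOG = """\
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 43 secs, [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 19:21:17 UTC Sat Dec 2 2006
"""

# %SEC_LOGIN-<severity>-<mnemonic>: ...
MSG_RE = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):")
# Bracketed fields such as [Source: 192.168.0.6]; the value may be empty ([user: ]).
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<val>[^\]]*)\]")
# Trailing router timestamp after " at ".
TS_RE = re.compile(r" at (?P<ts>.+)$")


def parse_line(line):
    """Return a dict for a %SEC_LOGIN line, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}
    ts = TS_RE.search(line)
    return {"severity": int(m.group("sev")), "mnemonic": m.group("mnemonic"),
            "timestamp": ts.group("ts") if ts else None, **fields}


def summarize(log_text):
    """Count login failures per (source, localport) and list quiet-mode transitions."""
    failures = Counter()
    quiet_events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[(ev.get("source"), ev.get("localport"))] += 1
        elif ev["mnemonic"] in ("QUIET_MODE_ON", "QUIET_MODE_OFF"):
            quiet_events.append((ev["mnemonic"], ev.get("source"), ev.get("acl")))
    return failures, quiet_events


if __name__ == "__main__":
    fails, quiet = summarize(SAMPLE_LOG)
    print(dict(fails), quiet)
```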
