92 Chapter 3: Defending the Perimeter
Limiting the Number of Failed Login Attempts
If an attacker uses a brute-force attack or a dictionary attack when attempting to log in to a
device, such as a router, multiple login attempts typically fail before the correct credentials
are found. To mitigate these types of attacks, a Cisco IOS router can suspend the login
process for 15 seconds, following a specified number of failed login attempts. By default,
a 15-second delay is introduced after ten failed login attempts. However, the security
authentication failure rate number_of_failed_attempts log configuration command
(issued in global configuration mode) can be used to specify the maximum number of failed
attempts (in the range of 2 to 1024) before introducing the 15-second delay.
Example 3-8 illustrates setting the maximum number of attempts to five. Also, notice the
log keyword at the end of the command, which causes a TOOMANY_AUTHFAILS syslog message
to be written to a syslog server each time the threshold is exceeded.
Setting a Login Inactivity Timer
After an administrator provides appropriate credentials and successfully logs into a router,
the router could become vulnerable to attack if the administrator walks away. To help
prevent an unattended router from becoming a security weakness, a 10-minute inactivity
timer is enabled by default. However, Cisco recommends that inactivity timers be set to no
more than 3 minutes. Fortunately, administrators can adjust the inactivity window with the
exec-timeout minutes [seconds] command, issued in line configuration mode. Consider
Example 3-9, which shows setting the inactivity timer for the console, auxiliary, and vty
lines to 2 minutes and 30 seconds.
Example 3-8 Setting the Number of Failed Login Attempts

R1# conf term
R1(config)# security authentication failure rate 5 log
R1(config)# end
Example 3-9 Setting an Inactivity Timer

R1# conf term
R1(config)# line con 0
R1(config-line)# exec-timeout 2 30
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# exec-timeout 2 30
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 2 30
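A defender-side check for the two settings covered above, added here as an example that is not from the book: it audits a constructed IOS running-config snippet for the security authentication failure rate ... log command and for the exec-timeout on each line, flagging the 10-minute default and anything over Cisco's 3-minute recommendation. The audit_config function, SAMPLE_CONFIG, and the finding wording are this example's own names and assumptions.

```python
import re
# Thresholds taken from the text: the failure-rate count must lie in 2..1024 and
# the inactivity timer should be at most 3 minutes. SAMPLE_CONFIG is constructed.
MAX_EXEC_TIMEOUT_SECONDS = 3 * 60
SAMPLE_CONFIG = """\
hostname R1
security authentication failure rate 5 log
!
line con 0
 exec-timeout 2 30
line aux 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 2 30
"""

def audit_config(config_text):
    """Return findings for the two login-hardening settings discussed above."""
    findings = []
    rate = re.search(r"^security authentication failure rate (\d+)( log)?$",
                     config_text, re.M)
    if rate is None:
        findings.append("failure rate not configured (IOS default: 10 attempts, no syslog)")
    else:
        if not 2 <= int(rate.group(1)) <= 1024:
            findings.append(f"failure rate {rate.group(1)} outside the 2-1024 range")
        if rate.group(2) is None:
            findings.append("failure rate lacks 'log': no TOOMANY_AUTHFAILS syslog message")
    # Walk each 'line ...' section; an unset exec-timeout means the 10-minute default.
    timeouts, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^line (\S+ \d+(?: \d+)?)$", raw)
        if header:
            current = header.group(1)
            timeouts[current] = None
        elif current and raw.startswith(" "):
            m = re.match(r"\s+exec-timeout (\d+)(?: (\d+))?$", raw)
            if m:
                timeouts[current] = int(m.group(1)) * 60 + int(m.group(2) or 0)
        else:
            current = None  # left the indented line block
    for name, secs in timeouts.items():
        if secs is None:
            findings.append(f"line {name}: exec-timeout not set (default 10 minutes)")
        elif secs == 0:
            findings.append(f"line {name}: exec-timeout 0 0 disables the inactivity timer")
        elif secs > MAX_EXEC_TIMEOUT_SECONDS:
            findings.append(f"line {name}: exec-timeout {secs}s exceeds the 3-minute recommendation")
    return findings
```

Run against SAMPLE_CONFIG it reports only the aux line, whose 10-minute timer was left at the default.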