Login Password Retry Lockout

Problem

You want to prevent hackers from using brute force login attacks on your routers.

Solution

To enable local user account locking, use the following set of commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#

This feature can lead to a denial of service if a hacker is able to lock out all of the configured usernames.


Discussion

By default, a router configured for local authentication allows an unlimited number of login attempts. It drops the login session after three failed attempts, but you can immediately try again by starting a new session. With this in mind, a hacker can use a brute force attack to determine your passwords.

Beginning with IOS Version 12.3(14)T, Cisco introduced a feature that limits the number of unsuccessful login attempts for routers configured to use local authentication. Once the configured number of unsuccessful attempts is exceeded, the user ID is locked until an administrator unlocks it. Once an account is locked, the router silently ignores further attempts to gain access with that user ID, so there is no visible distinction between a locked account and a failed attempt.

Once you exceed the configured number of failed login attempts, the router locks your user ID and sends a system log message:

Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure

Here, the router locked out user ID kwiley due to an exceeded number of login attempts. You can view all currently locked user IDs with the following command:

Router1#show aaa local user lockout
Local-user           Lock time
kwiley               10:41:28 EDT Thu Sep 14 2006
Router1#

Once locked out, only an administrator with a higher privilege level than the locked user ID can unlock you. In the following example, we unlock user ID kwiley:

Router1#clear aaa local user lockout username kwiley

You can also unlock all currently locked users by using the keyword all:

Router1#clear aaa local user lockout all

Finally, you can clear the current number of failed login attempts for a user by using the following command:

Router1#clear aaa local user fail-attempts username ijbrown
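Because a locked account gives no feedback to the person trying to log in, the %AAA-5-USER_LOCKED syslog message is the only signal an operator gets. The following script is an added example (not part of this recipe or of IOS) that scans collected syslog lines for that message, compares the locked user IDs against the local accounts found in a running-config excerpt, flags the case where every configured account is locked (the denial-of-service situation described above), and lists the matching clear commands. The syslog and config samples are constructed for the example; the config parser assumes one "username <name> ..." line per local account.

```python
import re

# Constructed sample syslog lines in the format the router emits (not captured from a real device).
SAMPLE_SYSLOG = """\
Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure
Sep 14 10:42:03.101 EDT: %SYS-5-CONFIG_I: Configured from console by console
Sep 14 10:45:12.550 EDT: %AAA-5-USER_LOCKED: User ijbrown locked out on authentication failure
"""

# Constructed running-config excerpt; assumed format is one 'username <name> ...' line per account.
SAMPLE_CONFIG = """\
aaa new-model
username kwiley password test123
username ijbrown password test456
aaa local authentication attempts max-fail 6
"""

LOCKED_RE = re.compile(r"%AAA-5-USER_LOCKED: User (\S+) locked out")
USERNAME_RE = re.compile(r"^username (\S+)", re.MULTILINE)


def local_usernames(config: str) -> set:
    """Return the set of local account names defined in the config excerpt."""
    return set(USERNAME_RE.findall(config))


def locked_users(syslog: str) -> dict:
    """Map each user ID seen in a USER_LOCKED message to the timestamp of that message."""
    locked = {}
    for line in syslog.splitlines():
        m = LOCKED_RE.search(line)
        if m:
            # The part before ': %' is the router's timestamp prefix.
            locked[m.group(1)] = line.split(": %", 1)[0]
    return locked


def lockout_report(config: str, syslog: str) -> dict:
    """Summarise lockout state and flag the all-accounts-locked denial-of-service case."""
    users = local_usernames(config)
    locked = locked_users(syslog)
    return {
        "locked": sorted(locked),
        "locked_since": locked,
        "unlocked": sorted(users - set(locked)),
        # True when no configured local account can log in any more.
        "all_locked": bool(users) and users.issubset(locked),
        "unlock_commands": [f"clear aaa local user lockout username {u}" for u in sorted(locked)],
    }


if __name__ == "__main__":
    print(lockout_report(SAMPLE_CONFIG, SAMPLE_SYSLOG))
```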


See Also

Recipe 3.1
