Login Password Retry Lockout
Problem
You want to prevent hackers from using brute force
login attacks on your routers.
Solution
To enable local user account locking, use the following set of
commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#
This command can lead to a denial of service situation if a
hacker is able to lock out all configured usernames.
Discussion
By default, the router allows an unlimited number of login
attempts when it is configured for local authentication. It drops the
login session after three failed attempts, but you can attempt to log in again
immediately by starting a new session. With this in mind, a hacker can use a
brute force attack to determine your passwords.
Beginning with IOS Version 12.3(14)T, Cisco introduced a
feature that limits the number of unsuccessful login attempts for routers
configured to use local authentication. Once the number of unsuccessful attempts
is exceeded, the user ID is locked until an administrator unlocks it. Once
an account is locked, the router silently ignores further attempts to gain
access with the locked user ID, so an attacker cannot distinguish a locked
account from a failed attempt.
Once you exceed the configured number of failed login attempts,
the router locks your user ID and sends a system log message:
Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure
Here, the router locked out user ID kwiley due to an
exceeded number of login attempts. You can view all currently locked user IDs
with the following command:
Router1#show aaa local user lockout
Local-user Lock time
kwiley 10:41:28 EDT Thu Sep 14 2006
Router1#
Once locked out, only an administrator with a higher privilege
level than the locked user ID can unlock you. In the following example we
unlock user ID kwiley:
Router1#clear aaa local user lockout username kwiley
You can also unlock all currently locked users by using the
keyword all:
Router1#clear aaa local user lockout all
Finally, you can clear the current number of failed login
attempts for a user by using the following command:
Router1#clear aaa local user fail-attempts username ijbrown