What is "login block-for 120 attempts 3 within 60"? (2024)

On a Cisco IOS device this command enters a 120-second quiet period, during which Telnet/SSH login attempts are refused, as soon as 3 failed login attempts occur within a 60-second window. The two sources below (a CIS benchmark recommendation and a DISA STIG rule) explain the command and the values each expects.
Information
All login parameters are disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following defaults are enforced:
- A default login delay of one second.
- All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the quiet period until the login quiet-mode access-class command is issued.

Rationale:
If the configured number of connection attempts fail within a specified time period, the Cisco device will not accept any additional connections for a "quiet period". (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.) The number of failed connection attempts that trigger the quiet period is specified with the global configuration mode command login block-for. The predefined ACL that is excluded from the quiet period is specified with the global configuration mode command login quiet-mode access-class.

Note that the quiet period is device-wide, not per user account: once it is triggered, every Telnet/SSH login is refused, including those of administrators, unless their source hosts are permitted by the quiet-mode ACL. Without that ACL an attacker who can reach the management interface can deliberately trigger the quiet period and deny administrators access, so the ACL should be defined and applied together with login block-for.

Solution:
To enable the feature, enter the commands:

Hostname(config)# login block-for {seconds} attempts {tries} within {seconds}
Hostname(config)# login quiet-mode access-class {acl-name | acl-number}
Hostname(config)# login delay {seconds}

In login block-for, the first seconds value is the length of the quiet period, tries is the number of failed attempts that triggers it, and the second seconds value is the window in which those attempts must occur. All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the quiet period until the login quiet-mode access-class command is issued. The ACL named there must already exist on the device.

Default Value: no login block enabled

See Also: https://workbench.cisecurity.org/files/3762

The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
Overview
Finding ID: V-220576
Version: CISC-ND-000150
Rule ID: SV-220576r521267_rule
IA Controls: (none listed)
Severity: Medium

Description:
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

STIG: Cisco IOS Switch NDM Security Technical Implementation Guide
Date: 2021-04-05

Details
Check Text (C-22291r507774_chk):
Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts, as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any logon attempt for 15 minutes (900 seconds) after three consecutive invalid logon attempts within a two-minute (120-second) period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

To restrict Telnet/SSH login attempts, use the login block-for command. The format of the login block-for command is as follows:

(config)# login block-for {seconds} attempts {tries} within {seconds}
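As an added example (not code from CIS, DISA, or Cisco), the following Python script audits the text of a show running-config against both passages above: the CIS solution (login block-for present, quiet-mode ACL applied and defined) and the STIG check text (at most 3 attempts, quiet period of at least 900 seconds). It also emits the remediation lines. The three sample configurations, the hostname sw1, and the ACL name MGMT-HOSTS are constructed for illustration and are not taken from any real device.

```python
"""Audit a Cisco IOS running-config for login block-for (CIS / STIG V-220576).

Added example; not code from CIS, DISA, or Cisco. The sample configs below are
constructed for illustration and are not taken from a real device.
"""
import re

# Constructed sample 1: the IOS default, no login block at all.
CONFIG_DEFAULT = """\
hostname sw1
!
line vty 0 4
 transport input ssh
"""

# Constructed sample 2: the values from the page title, but no quiet-mode ACL.
CONFIG_TITLE_VALUES = """\
hostname sw1
!
login block-for 120 attempts 3 within 60
!
line vty 0 4
 transport input ssh
"""

# Constructed sample 3: the STIG example values plus a defined quiet-mode ACL
# (ACL name MGMT-HOSTS is an assumption).
CONFIG_HARDENED = """\
hostname sw1
!
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
!
login block-for 900 attempts 3 within 120
login quiet-mode access-class MGMT-HOSTS
login delay 2
!
line vty 0 4
 transport input ssh
"""

BLOCK_FOR_RE = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)\s*$", re.M)
QUIET_ACL_RE = re.compile(r"^login quiet-mode access-class (\S+)\s*$", re.M)


def parse_login_block(config):
    """Return the three login block-for parameters, or None if not configured."""
    m = BLOCK_FOR_RE.search(config)
    if m is None:
        return None
    return {"block_seconds": int(m.group(1)),
            "attempts": int(m.group(2)),
            "within_seconds": int(m.group(3))}


def acl_is_defined(config, name):
    """True if a numbered ACL or a named standard/extended ACL with this name exists."""
    if name.isdigit():
        pattern = rf"^access-list {name} "
    else:
        pattern = rf"^ip access-list (standard|extended) {re.escape(name)}\s*$"
    return re.search(pattern, config, re.M) is not None


def audit(config, max_attempts=3, min_block_seconds=900):
    """Return a list of finding strings; an empty list means compliant.

    Thresholds default to the STIG values: at most 3 attempts and a quiet
    period of at least 15 minutes (900 s).
    """
    findings = []
    params = parse_login_block(config)
    if params is None:
        findings.append("login block-for not configured (IOS default); "
                        "no brute-force throttling on Telnet/SSH logins")
        return findings
    if params["attempts"] > max_attempts:
        findings.append(f"attempts {params['attempts']} exceeds limit of {max_attempts}")
    if params["block_seconds"] < min_block_seconds:
        findings.append(f"quiet period {params['block_seconds']} s is shorter "
                        f"than the required {min_block_seconds} s")
    acl = QUIET_ACL_RE.search(config)
    if acl is None:
        # The quiet period is device-wide, not per account: without an exempt
        # ACL, an attacker who triggers it also locks out the administrators.
        findings.append("no login quiet-mode access-class; management hosts "
                        "will be blocked during the quiet period too")
    elif not acl_is_defined(config, acl.group(1)):
        findings.append(f"quiet-mode ACL {acl.group(1)} is referenced but not defined")
    return findings


def remediation(block_seconds=900, attempts=3, within_seconds=120, acl="MGMT-HOSTS"):
    """Global-config lines that bring a device to the STIG example values.

    The ACL name is an assumption; the ACL must exist before the quiet-mode
    command references it.
    """
    return [f"login block-for {block_seconds} attempts {attempts} within {within_seconds}",
            f"login quiet-mode access-class {acl}"]


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT),
                       ("title values", CONFIG_TITLE_VALUES),
                       ("hardened", CONFIG_HARDENED)):
        print(label, "->", audit(cfg) or ["compliant"])
    print("\n".join(remediation()))
```

Run against the title's values the audit reports two findings (the 120-second quiet period is shorter than the STIG's 900 seconds, and no quiet-mode ACL exempts management hosts), against the IOS default it reports the missing command, and against the hardened sample it reports nothing. Feed it the output of show running-config to check a real device; the thresholds are parameters so a site with a different policy can adjust them.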