What is login block-for 120 attempts 3 within 60 (2024)

Warning! Audit Deprecated

Information

All login parameters are disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following defaults are enforced:

  • A default login delay of one second
  • All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

Rationale:

If the configured number of connection attempts fail within a specified time period, the Cisco device will not accept any additional connections for a 'quiet period.' (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)

The number of failed connection attempts that trigger the quiet period can be specified via the new global configuration mode command login block-for. The predefined ACL that is excluded from the quiet period can be specified via the new global configuration mode command login quiet-mode access-class.

Solution

To enable the feature, enter the following commands:

Hostname(config)# login block-for {**seconds**} attempts {**tries**} within {**seconds**}

All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

Hostname(config)# login quiet-mode access-class {**acl-name | acl-number**}
Hostname(config)# login delay {**seconds**}

Default Value:

no login-block enabled

See Also

https://workbench.cisecurity.org/files/3762

The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.

Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-220576 | CISC-ND-000150 | SV-220576r521267_rule | | Medium |

Description: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

STIG: Cisco IOS Switch NDM Security Technical Implementation Guide
Date: 2021-04-05

Details

Check Text (C-22291r507774_chk): Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any logon attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.
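The CIS text above says the feature is off until login block-for is issued, and the STIG check asks you to read the values back out of the configuration. The following script is an added example, not part of the CIS benchmark, the STIG, or any Cisco tooling: it parses constructed running-config fragments for the three login commands on this page and reports the STIG example thresholds (block 900 s, 3 attempts, 120 s window) as findings, plus the self-lockout caveat when no quiet-mode ACL is present. Treating a window shorter than 120 s as a finding is this script's own interpretation; the hostnames, ACL name and subnet are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample running-config fragments (not captured from a real device).
# SW1 follows the STIG example (900/3/120) and exempts a management subnet from
# quiet mode; SW2 has login block-for enabled but with weak values; SW3 has none.
COMPLIANT_CONFIG = """\
hostname SW1
!
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
!
login block-for 900 attempts 3 within 120
login quiet-mode access-class MGMT-HOSTS
login delay 3
!
line vty 0 4
 transport input ssh
"""

WEAK_CONFIG = """\
hostname SW2
!
login block-for 120 attempts 5 within 60
!
line vty 0 4
 transport input ssh
"""

NO_BLOCK_CONFIG = "hostname SW3\n!\nline vty 0 4\n transport input ssh\n"

BLOCK_FOR_RE = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)\s*$", re.M)
QUIET_ACL_RE = re.compile(r"^login quiet-mode access-class (\S+)\s*$", re.M)
DELAY_RE = re.compile(r"^login delay (\d+)\s*$", re.M)


@dataclass
class LoginBlock:
    block_for: int            # quiet period length, seconds
    attempts: int             # failures that trigger the quiet period
    within: int               # watch window, seconds
    quiet_acl: Optional[str]  # ACL exempt from the quiet period, if any
    delay: Optional[int]      # login delay, seconds, if explicitly set


def parse_login_block(config: str) -> Optional[LoginBlock]:
    """Extract login block-for settings from config text; None if the feature is off."""
    m = BLOCK_FOR_RE.search(config)
    if m is None:
        return None
    acl = QUIET_ACL_RE.search(config)
    delay = DELAY_RE.search(config)
    return LoginBlock(int(m[1]), int(m[2]), int(m[3]),
                      acl[1] if acl else None,
                      int(delay[1]) if delay else None)


def check_login_block(config: str, min_block: int = 900, max_attempts: int = 3,
                      min_within: int = 120) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs. Thresholds default to the STIG example
    values; flagging a 'within' shorter than 120 s is this script's interpretation
    (three failures spread wider than the watch window never trigger quiet mode)."""
    s = parse_login_block(config)
    if s is None:
        return [("finding", "login block-for not configured: feature disabled "
                            "(CIS default); STIG V-220576 is a finding")]
    results: List[Tuple[str, str]] = []
    if s.attempts > max_attempts:
        results.append(("finding", f"attempts {s.attempts} exceeds {max_attempts}"))
    if s.block_for < min_block:
        results.append(("finding", f"block-for {s.block_for}s is shorter than {min_block}s"))
    if s.within < min_within:
        results.append(("finding", f"within {s.within}s is shorter than the {min_within}s window"))
    if s.quiet_acl is None:
        results.append(("note", "no login quiet-mode access-class: every Telnet/SSH source, "
                                "including administrators, is refused during quiet mode"))
    if s.delay is None:
        results.append(("note", "no login delay set: the 1-second default applies"))
    return results


if __name__ == "__main__":
    for name, cfg in (("SW1", COMPLIANT_CONFIG), ("SW2", WEAK_CONFIG), ("SW3", NO_BLOCK_CONFIG)):
        print(name, check_login_block(cfg) or "compliant")
```

Run it against `show running-config` output saved to a file and feed the text to `check_login_block`; the "note" entries are not STIG findings but are the operational caveats the CIS text raises.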

To restrict Telnet/SSH login attempts, use the login block-for command. The format of the login block-for command is as follows.

login block-for command syntax

(config)# login block-for {seconds} attempts {tries} within {seconds}

  • block-for seconds: Time to block login (sec)
  • attempts tries: Number of login attempts
  • within seconds: Time to watch for login attempts (sec)

If a login fails the configured number of times (attempts) during the watch window (within), it is blocked from logging in for the block period (block-for). The state in which login is blocked is called Quiet-Mode. Note that password authentication alone will not restrict login attempts.

You can also delay the next prompt display upon failed login attempts with the following command. This can reduce the number of unauthorized login attempts.

Login prompt delay

(config)# login delay {seconds}

  • seconds: Prompt display delay (sec)

Configuration example of login block-for command

Restrict Telnet/SSH login attempts under the following conditions

  • If login fails 3 times in 60 seconds, the user will be prevented from logging in for 120 seconds.
  • Delay display of login prompt for 3 seconds.

Configuration example of login block-for command

login block-for 120 attempts 3 within 60
login delay 3

Telnet to router R1 (IP address 10.1.1.251) with the above configuration and fail the login 3 times. The fourth connection is then denied.