Leaflet
OL-11615-01
Router(config)# security authentication failure rate 3 log
This configuration locks access to the router for 15 seconds after three unsuccessful login
attempts, which slows a dictionary attack enough to make it impractical. In addition to locking access,
it causes a log message to be generated after the third unsuccessful login attempt, so that the
administrator is warned of the failed logins.
For more information about the security authentication failure rate global configuration command,
refer to the following URL:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html#wp1048684
Interactive Access Control
Cisco Catalyst switches can be managed through a diverse set of mechanisms, from console to remote
access protocols like Telnet and SSH. The best way to protect a switch is to make sure that appropriate
controls are applied on all access mechanisms. Because it is difficult to be certain that all possible modes
of access have been blocked, administrators should make sure that logins on all lines are controlled using
some sort of authentication mechanism, even on machines that are supposed to be inaccessible from
untrusted networks.
The following are the recommended security guidelines to control interactive access:
Restrict access to allow only the needed protocols.
Enable authentication on all lines. As mentioned previously, authentication is best centralized
through AAA protocols such as TACACS+, RADIUS or Kerberos rather than relying on per-device passwords.
Implement line ACLs to restrict the IP addresses or subnets from which access will be granted.
Define idle timeouts so that unattended sessions do not remain open indefinitely.
The next sections describe how these best practices can be implemented in Cisco IOS and Catalyst OS.
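As an added illustration (not part of the Cisco document), the following Python script audits the "line vty" stanzas of a saved Cisco IOS configuration against the four guidelines above: SSH as the only input transport, a login method on the line, an inbound access-class, and an exec-timeout that is neither disabled nor above a policy ceiling. The two sample configurations, the ACL name MGMT-HOSTS, the 172.16.0.0/16 management subnet, the 5-minute ceiling and the assumption that an absent "transport input" means the classic IOS default of all protocols are constructed for this example.

```python
"""Audit Cisco IOS 'line vty' stanzas for the interactive-access guidelines.

Added example for this page; not Cisco code.  Sample configurations, the ACL
name, the management subnet and the policy ceiling are constructed.
"""
import re

DEFAULT_EXEC_TIMEOUT_SEC = 10 * 60   # IOS default when exec-timeout is absent
MAX_IDLE_SEC = 5 * 60                # policy ceiling assumed for this example

# Constructed sample: one vty stanza that violates all four guidelines.
WEAK_CONFIG = """\
hostname sw1
!
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
"""

# Constructed sample: SSH only, AAA login, line ACL, 3-minute idle timeout.
HARDENED_CONFIG = """\
hostname sw1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip access-list standard MGMT-HOSTS
 permit 172.16.0.0 0.0.255.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 exec-timeout 3 0
 login authentication default
 transport input ssh
!
"""


def parse_vty_stanzas(config_text):
    """Return [(line_name, [commands])] for every 'line vty' stanza.

    A stanza is the indented commands following 'line vty ...' up to the next
    unindented command; '!' comment lines and blank lines are skipped.
    """
    stanzas = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), []) if raw.startswith("line vty") else None
            if current is not None:
                stanzas.append(current)
            continue
        if current is not None:
            current[1].append(raw.strip())
    return stanzas


def audit_vty(config_text):
    """Return one finding string per guideline a vty stanza violates."""
    aaa = any(l.strip() == "aaa new-model" for l in config_text.splitlines())
    findings = []
    for name, cmds in parse_vty_stanzas(config_text):
        # 1. Only the needed protocol: 'transport input ssh' (or 'none').
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        protos = transport.split()[2:] if transport else []
        if protos not in (["ssh"], ["none"]):
            found = transport or "absent (assumed IOS default: all protocols)"
            findings.append(f"{name}: transport input should be ssh only, found {found}")
        # 2. Authentication: 'no login' is always a finding; without
        #    'aaa new-model' the line itself must carry 'login' or 'login local'.
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if "no login" in cmds or (not aaa and not has_login):
            findings.append(f"{name}: no authentication on the line")
        # 3. Line ACL restricting source addresses.
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class, any source may connect")
        # 4. Idle timeout: absent means the 10-minute default, '0 0' disables it.
        idle = DEFAULT_EXEC_TIMEOUT_SEC
        for c in cmds:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
            if m:
                idle = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if idle == 0:
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
        elif idle > MAX_IDLE_SEC:
            findings.append(f"{name}: idle timeout {idle // 60} min exceeds policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_vty(cfg) or 'no findings'}")
```

Run the script as-is to see the four findings for the weak sample and none for the hardened one, or feed it the text of "show running-config" from a device. The checker treats "transport input none" as acceptable because it is stricter than SSH only; adjust the ceiling in MAX_IDLE_SEC to match local policy.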
Interactive Access in Catalyst OS
Because Catalyst switches can be accessed through a variety of remote access protocols, it is
essential to restrict access to the protocols that are actually expected. For example, if the switch
is supposed to be managed over SSH, there is no reason to leave Telnet enabled. The set authentication
login local command can be used to disable access for the protocols from which connections are not
expected.
Another good practice is the use of the set ip permit command to restrict the IP addresses from which
the switch will accept connections. By default, after an access protocol is enabled any host can initiate
a connection using that protocol. The set ip permit command defines a list of hosts or networks from
which access will be allowed, which prevents unauthorized access from untrusted sources. This practice
also helps mitigate a denial-of-service attack on the virtual lines.
Decreasing the idle timeout with the set logout command is another useful tactic, because it prevents
an idle session from staying open indefinitely. By default, a session times out after 20 minutes.
The effectiveness of this measure against a deliberate attack is limited, but it does protect against
sessions accidentally left open, for example on an unattended workstation.
The following configuration illustrates the best practices just described. In this configuration, telnet
access is disabled. Access is only allowed for SSH connections coming from the 172.16.0.0/16 network,
and the idle timeout is set to 3 minutes.