OL-11615-01
The following configuration illustrates the best practices just described. In this configuration, access to
VTY 4 is restricted to SSH connections coming from the single IP address 10.0.0.1. The line timeout is
set to 2 minutes and 30 seconds, and TCP keepalives are enabled so that dead sessions are torn down
instead of holding the line.
! Detect and clear half-open inbound sessions
service tcp-keepalives-in
! Only the management host may reach the line
access-list 10 permit host 10.0.0.1
line vty 4
 ! SSH only; Telnet and other protocols are refused
 transport input ssh
 ! Apply the ACL to inbound connections on this line
 access-class 10 in
 ! Idle EXEC sessions are closed after 2 minutes 30 seconds
 exec-timeout 2 30
Cisco IOS Login Enhancements
Cisco IOS software Release 12.3(4)T introduced Cisco IOS login enhancements, a feature implemented
with several new commands that help protect the router against dictionary attacks and against the
denial of service that a flood of login attempts can cause.
The login enhancements include the login delay global configuration command, which introduces a
delay between successive login attempts. In the event of a dictionary attack, a delay between attempts
slows the attack down, making it less likely to succeed in any useful time. If login block-for is
configured and no login delay is set, a delay of one second is enforced by default.
This feature also includes a new global configuration command, login block-for, which limits the rate
of failed login attempts. You define a maximum number of failed attempts within a specified time
period; when that number is reached, the router refuses further login attempts for a quiet period. The
counter is global, not per source, so failures from many hosts add up. It is possible to define an
exception ACL for trusted systems and networks from which legitimate connections are expected; hosts
permitted by that ACL can still log in during the quiet period. The exception ACL is attached with the
login quiet-mode access-class global configuration command. The login block-for command must be
configured before the other login commands take effect.
In addition, the login enhancements provide the login on-success and login on-failure commands,
which enable the generation of syslog messages for successful and failed login attempts, respectively.
The following example configures the router to enter a 100 second quiet period once 15 failed login
attempts occur within 100 seconds. During the quiet period all login requests are denied except those
from hosts permitted by the ACL myacl, a named standard ACL that must exist before it is referenced.
Logging messages are generated for every 10th failed login and every 15th successful login. Note that
sampling failures this way means a log-based monitoring system sees only one attempt in ten; use
login on-failure log without the every keyword if each failed attempt should be recorded.
Router(config)# ip access-list standard myacl
Router(config-std-nacl)# permit host 10.0.0.1
Router(config-std-nacl)# exit
Router(config)# login block-for 100 attempts 15 within 100
Router(config)# login quiet-mode access-class myacl
Router(config)# login on-failure log every 10
Router(config)# login on-success log every 15
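Before turning on login block-for, it is worth replaying the %SEC_LOGIN messages a router already emits to see how often the chosen attempts/within values would have put it into quiet mode, and which attempts the quiet-mode ACL would still have admitted. The script below is an added example and is not code from the Cisco document; it models the global failure counter described above with the values from the page's example (block-for 100 attempts 15 within 100) and the ACL myacl assumed to permit host 10.0.0.1. The syslog lines are constructed (hostname, sequence numbers, addresses and times are made up; the %SEC_LOGIN field layout follows the real IOS messages), the year is assumed to be 2007 because syslog timestamps carry none, and the feed assumes the router logs every failure (login on-failure log), not every 10th. The window bookkeeping is a simplified model of the feature, not a reproduction of the IOS implementation.

```python
"""Replay IOS %SEC_LOGIN syslog messages through a model of 'login block-for'.

Added example, not from the Cisco document. Log lines are constructed.
Assumptions: year 2007, ACL 'myacl' permits only 10.0.0.1, every failure logged.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Values from the page's example: login block-for 100 attempts 15 within 100
BLOCK_FOR = 100   # seconds the router stays in quiet mode
ATTEMPTS = 15     # failed attempts that trigger quiet mode ...
WITHIN = 100      # ... when they occur inside this many seconds

# Assumed contents of the named ACL 'myacl' (hypothetical)
MYACL = [ipaddress.ip_network("10.0.0.1/32")]

EPOCH = datetime(2007, 1, 1)  # assumed year; syslog lines carry none

SEC_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \d+: "
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)


def parse_login_event(line):
    """Return (seconds_since_epoch, mnemonic, user, source) or None for other lines."""
    m = SEC_LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"2007 {m['ts']}", "%Y %b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m["mnemonic"], m["user"], m["src"]


def exempt(src):
    """True if the source address is permitted by the quiet-mode ACL."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MYACL)


def simulate_block_for(events, attempts=ATTEMPTS, within=WITHIN, block_for=BLOCK_FOR):
    """Model of the global failure counter behind 'login block-for'.

    Failures from all sources share one window. When `attempts` failures fall
    inside `within` seconds, quiet mode starts for `block_for` seconds; during
    it every attempt from a source not permitted by the ACL is rejected.
    Returns (quiet_periods, rejected_attempts). Simplified model of IOS.
    """
    failures, quiet_until = [], None
    quiet_periods, rejected = [], []
    for t, mnemonic, user, src in sorted(events):
        if quiet_until is not None and t < quiet_until and not exempt(src):
            rejected.append((t, user, src))
            continue
        if mnemonic == "LOGIN_FAILED":
            failures = [f for f in failures if t - f <= within] + [t]
            if len(failures) >= attempts:
                quiet_until = t + block_for
                quiet_periods.append((t, quiet_until))
                failures = []
    return quiet_periods, rejected


def fmt(seconds):
    return (EPOCH + timedelta(seconds=seconds)).strftime("%H:%M:%S")


def analyze(lines):
    """Parse a syslog feed and report what block-for would have done."""
    events = [e for e in map(parse_login_event, lines) if e]
    quiet, rejected = simulate_block_for(events)
    return {
        "events": len(events),
        "quiet_periods": [(fmt(a), fmt(b)) for a, b in quiet],
        "rejected": [(fmt(t), u, s) for t, u, s in rejected],
    }


def _line(hh, mm, ss, mnemonic, user, src):
    """Constructed syslog line in the IOS %SEC_LOGIN layout (host, seq no. made up)."""
    failed = mnemonic == "LOGIN_FAILED"
    when = f"{hh:02d}:{mm:02d}:{ss:02d}"
    body = f"[user: {user}] [Source: {src}] [localport: 22]"
    if failed:
        body += " [Reason: Login Authentication Failed]"
    return (f"Jan 15 {when} edge-rtr 42: %SEC_LOGIN-{4 if failed else 5}-{mnemonic}: "
            f"{'Login failed' if failed else 'Login Success'} {body} at {when} UTC Mon Jan 15 2007")


# Constructed feed: a 15-attempt burst, one more attempt during quiet mode,
# an exempt operator login, a failure after quiet mode ends, and an unrelated line.
SAMPLE_LOG = (
    [_line(10, 0, i, "LOGIN_FAILED", "admin", "192.0.2.10") for i in range(15)]
    + [_line(10, 0, 20, "LOGIN_FAILED", "admin", "192.0.2.10"),
       _line(10, 0, 30, "LOGIN_SUCCESS", "netops", "10.0.0.1"),
       _line(10, 2, 0, "LOGIN_FAILED", "root", "192.0.2.11"),
       "Jan 15 10:02:05 edge-rtr 43: %SYS-5-CONFIG_I: Configured from console by netops on vty0"]
)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed feed the 15th failure at 10:00:14 starts a quiet period that lasts until 10:01:54; the attacker's 16th attempt at 10:00:20 is refused, while the operator login from 10.0.0.1 during the same period is admitted because of the ACL. Remember that with login on-failure log every 10 the router would have written only one of those 15 failures, so a feed collected that way cannot be used to tune the threshold.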
For more information about Cisco IOS login enhancements, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/h_login.htm
Warning Banners
In some jurisdictions, civil and/or criminal prosecution of attackers who break into your systems is made
much easier if you provide a banner informing unauthorized users that their use is in fact unauthorized.
In other jurisdictions, you might be forbidden to monitor the activities of even unauthorized users unless
you have taken steps to notify them of your intent to do so. One way of providing this notification is to
put it into a banner message configured using the Catalyst OS set banner telnet command, or the Cisco
IOS software banner login global configuration command, so that it is displayed before the login prompt.