Login Password Retry Lockout

Problem

You want to prevent hackers from using brute-force login attacks against your routers.

Solution

To enable local user account locking, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#

Note that this feature can lead to a denial-of-service situation if a hacker is able to lock out all configured usernames.


Discussion

By default, the router allows an unlimited number of login attempts for routers configured with local authentication. It drops the login session after three failed attempts, but you can attempt to log in again immediately by starting a new session. With this in mind, a hacker can use a brute-force attack to determine your passwords.

Beginning with IOS Version 12.3(14)T, Cisco introduced a feature that limits the number of unsuccessful login attempts for routers configured to use local authentication. Once the number of unsuccessful attempts is exceeded, the user ID is locked until an administrator unlocks it. Once an account is locked, the router silently ignores further attempts to gain access with the locked user ID, so there is no distinction between a locked account and a failed attempt.

Once you exceed the configured number of failed login attempts, the router locks your user ID and sends a system log message:

Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure

Here, the router locked out user ID kwiley due to an exceeded number of login attempts. You can view all currently locked user IDs with the following command:

Router1#show aaa local user lockout
        Local-user                  Lock time
        kwiley                      10:41:28 EDT Thu Sep 14 2006
Router1#

Once locked out, only an administrator with a higher privilege level than the locked user ID can unlock you. In the following example, we unlock user ID kwiley:

Router1#clear aaa local user lockout username kwiley

You can also unlock all currently locked users by using the keyword all:

Router1#clear aaa local user lockout all

Finally, you can clear the current number of failed login attempts for a user by using the following command:

Router1#clear aaa local user fail-attempts user ijbrown
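Because a locked account is indistinguishable from a failed attempt at the login prompt, the %AAA-5-USER_LOCKED syslog message shown above is the signal to watch. The following Python script is an added example (not part of the recipe or of Cisco IOS) that parses those messages from a constructed syslog excerpt and flags the denial-of-service case the recipe warns about: every configured local account locked out within a short window. The sample log lines, the list of local usernames, and the assumed year are all constructed for the example.

```python
import re
from collections import namedtuple
from datetime import datetime

# Matches the %AAA-5-USER_LOCKED message format shown in the recipe, e.g.
# "Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on ..."
LOCKED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ \w+: "
    r"%AAA-5-USER_LOCKED: User (?P<user>\S+) locked out on authentication failure$"
)

Lockout = namedtuple("Lockout", "when user")

# Constructed sample syslog excerpt (not real router output).
SAMPLE_LOG = """\
Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure
Sep 14 10:41:30.002 EDT: %SYS-5-CONFIG_I: Configured from console by console
Sep 14 10:42:05.117 EDT: %AAA-5-USER_LOCKED: User ijbrown locked out on authentication failure
Sep 14 10:42:40.551 EDT: %AAA-5-USER_LOCKED: User admin locked out on authentication failure
""".splitlines()


def parse_lockouts(lines, year=2006):
    """Return a Lockout(when, user) for each USER_LOCKED line, in log order.
    IOS timestamps carry no year, so one is assumed (default 2006 here)."""
    events = []
    for line in lines:
        m = LOCKED_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Lockout(when, m["user"]))
    return events


def lockout_summary(lines, local_users, window_seconds=300, year=2006):
    """Summarise lockouts: which accounts are locked, the largest number of
    distinct accounts locked inside any window_seconds span (a burst suggests
    a deliberate lockout sweep), and whether every configured local account
    is now locked, which is the denial-of-service condition."""
    events = sorted(parse_lockouts(lines, year))
    locked = {e.user for e in events}
    burst = 0
    for i, start in enumerate(events):
        in_window = {e.user for e in events[i:]
                     if (e.when - start.when).total_seconds() <= window_seconds}
        burst = max(burst, len(in_window))
    configured = set(local_users)
    return {"locked": locked, "burst": burst,
            "all_locked": bool(configured) and configured <= locked}


if __name__ == "__main__":
    print(lockout_summary(SAMPLE_LOG, ["kwiley", "ijbrown", "admin"]))
```

Feed the script your router's forwarded syslog and its actual list of local usernames; an "all_locked" result means nobody can log in locally until an administrator runs the clear command above from a console or another authentication source.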


See Also

Recipe 3.1

Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
Year: 2004
Pages: 505