
Cisco Router Login Lockdown

Cisco offers many additional ways to secure our routers further by hardening passwords and adding controls that slow down or block brute force login attempts. In this post, which is more of a show and tell, we will look at additional commands that you may want to implement on your devices to secure them further. The live demo at the end of this post demonstrates the commands on a live Cisco router, and the configuration used in the demo is explained below.


AOIP.ORG# conf t

Enter global configuration mode

AOIP.ORG(config)# security passwords min-length 10

Defines a minimum password length for all passwords on the device.

AOIP.ORG(config)# enable password aoip
% Password too short – must be at least 10 characters. Password configuration failed

When I tried to create a password under 10 characters in length, I received an error.

AOIP.ORG(config)# security authentication failure rate 10 log

This command allows 10 login failures before the router imposes a 15 second delay (the default) on further attempts. It also sends a syslog message to a pre-configured syslog server when the threshold is reached.

AOIP.ORG(config)# login block-for 100 attempts 2 within 100

This enforces a quiet period, during which login attempts are not accepted for 100 seconds, if 2 failed attempts occur within 100 seconds.

AOIP.ORG(config)# login quiet-mode access-class 1

To prevent certain key administrators from being locked out of the router by the previous command, we can include their source addresses in an access-list that is exempted from the quiet-mode period. The access-list referenced here (1) must be created separately; the command only points the quiet-mode exemption at it.

AOIP.ORG(config)# login on-success log

Use this command if you wish to log all SUCCESSFUL login attempts to a syslog server for historical and audit purposes.

AOIP.ORG(config)# login on-failure log

Use this command if you wish to log all UNSUCCESSFUL login attempts to a syslog server for historical and audit purposes. An example can be seen in the live demo below.

AOIP.ORG(config)# login delay 10

This configures a delay between successive login attempts on the device, which helps mitigate dictionary and brute force attacks. An example can be seen in the live demo below.

AOIP.ORG(config)# exit

AOIP.ORG# exit
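Once these commands are in place, the practical question is whether they survive on every router you manage. The following Python script is an added example, not part of the original post or Cisco's tooling: it audits a running-config text for the login-lockdown commands shown above and flags each as ok, weak or missing, and it cross-checks that the access-list named in "login quiet-mode access-class" actually exists in the config. The sample config, the thresholds in CHECKS and the 192.0.2.10 address are constructed assumptions for the example.

```python
import re

# Constructed sample running-config excerpt (not the page's live demo).
# It carries the login-lockdown commands from the post, with one weak setting
# (min-length 6) so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname AOIP.ORG
!
security passwords min-length 6
security authentication failure rate 10 log
!
login block-for 100 attempts 2 within 100
login quiet-mode access-class 1
login on-success log
login on-failure log
login delay 10
!
access-list 1 permit 192.0.2.10
!
line vty 0 4
 transport input ssh
!
end
"""

# Each check: a regex over one config line, a predicate on the captured values,
# and a description. The numeric thresholds are this example's assumptions.
CHECKS = {
    "min-length": (r"^security passwords min-length (\d+)$",
                   lambda m: int(m.group(1)) >= 10,
                   "minimum password length is at least 10"),
    "failure-rate": (r"^security authentication failure rate (\d+) log$",
                     lambda m: int(m.group(1)) <= 10,
                     "failure-rate logging triggers at 10 failures or fewer"),
    "block-for": (r"^login block-for (\d+) attempts (\d+) within (\d+)$",
                  lambda m: int(m.group(2)) <= 5,
                  "quiet period triggers after at most 5 failed attempts"),
    "quiet-mode-acl": (r"^login quiet-mode access-class (\S+)$",
                       lambda m: True,
                       "an access-list exempts administrators from quiet mode"),
    "on-success": (r"^login on-success log$", lambda m: True,
                   "successful logins are logged"),
    "on-failure": (r"^login on-failure log$", lambda m: True,
                   "failed logins are logged"),
    "login-delay": (r"^login delay (\d+)$", lambda m: int(m.group(1)) >= 1,
                    "a delay between login attempts is configured"),
}


def audit_config(config_text):
    """Return {check_name: 'ok' | 'weak' | 'missing'} for the config text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    results = {}
    for name, (pattern, predicate, _desc) in CHECKS.items():
        status = "missing"
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                status = "ok" if predicate(m) else "weak"
                break
        results[name] = status
    return results


def quiet_mode_acl_defined(config_text):
    """True if the ACL named by 'login quiet-mode access-class' is defined.

    A numbered ACL counts as defined if it has at least one permit entry;
    a named ACL counts if its 'ip access-list' block exists. Without the ACL
    the exemption does nothing and administrators can be locked out too.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    acl = None
    for ln in lines:
        m = re.match(r"^login quiet-mode access-class (\S+)$", ln)
        if m:
            acl = m.group(1)
    if acl is None:
        return False
    for ln in lines:
        if re.match(rf"^access-list {re.escape(acl)} permit ", ln):
            return True
        if re.match(rf"^ip access-list (standard|extended) {re.escape(acl)}$", ln):
            return True
    return False


def report(config_text):
    """Human-readable findings, one line per check, worst first."""
    order = {"missing": 0, "weak": 1, "ok": 2}
    results = audit_config(config_text)
    out = [f"[{status.upper():7}] {name}: {CHECKS[name][2]}"
           for name, status in sorted(results.items(), key=lambda kv: order[kv[1]])]
    acl_ok = quiet_mode_acl_defined(config_text)
    out.append(f"[{'OK' if acl_ok else 'MISSING':7}] quiet-mode ACL is defined in the config")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against the output of "show running-config" saved to a file by replacing SAMPLE_CONFIG with that file's contents; any line reported as MISSING or WEAK is a command from the list above that did not make it onto the device, or was set below the threshold you expect.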
