Cisco IOS offers several additional ways to harden a router's authentication: enforcing password quality and slowing down or blocking brute force attempts against the login prompt. This post, which is more of a show and tell, walks through the commands you may want to apply to your devices. The live demo at the end of the post runs these commands on a live Cisco router, and the configuration used in the demo is explained below.
AOIP.ORG# conf t
Enter global configuration mode
AOIP.ORG(config)# security passwords min-length 10
Enforces a minimum length for every password configured on the device from this point on (enable, line and username passwords). Passwords already in the configuration are not retroactively checked.
AOIP.ORG(config)# enable password aoip
% Password too short – must be at least 10 characters. Password configuration failed
When I tried to set a password shorter than 10 characters, the router rejected it with the error above. Note that enable password is used here only to trigger the check; in practice prefer enable secret, which stores a hash of the secret rather than a cleartext or reversibly encoded string.
AOIP.ORG(config)# security authentication failure rate 10 log
This command allows 10 failed login attempts before the router imposes a 15-second delay (the default) and generates a syslog message. Whether that message reaches a collector depends on your logging configuration (for example a logging host entry).
AOIP.ORG(config)# login block-for 100 attempts 2 within 100
This enforces a quiet period: if 2 failed login attempts occur within 100 seconds, the router refuses all further login attempts for 100 seconds. The syntax is login block-for [seconds] attempts [tries] within [seconds], so all three values can be tuned independently.
AOIP.ORG(config)# login quiet-mode access-class 1
To prevent key administrators from being locked out of the router by the previous command, we can list their source addresses in an access list; hosts permitted by that ACL are still allowed to log in during the quiet period. The access list (here, standard ACL 1) must be defined with the appropriate permit entries, and login block-for must already be configured, because the quiet-mode access class only applies to the quiet period that block-for defines.
AOIP.ORG(config)# login on-success log
Use this command if you wish to log all SUCCESSFUL login attempts to a syslog server for historical and audit purposes.
AOIP.ORG(config)# login on-failure log
Use this command if you wish to log all UNSUCCESSFUL login attempts to a syslog server for historical and audit purposes. An example can be seen in the live demo below.
AOIP.ORG(config)# login delay 10
This configures a 10-second delay between successive login attempts on the device, which helps mitigate dictionary and brute force attacks by limiting how many guesses an attacker can make per second. If login block-for is configured and no explicit login delay is set, the delay defaults to 1 second. An example can be seen in the live demo below.
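The commands above work together, so here is the complete login-hardening configuration as one block, plus the show commands used to verify it. This is an added example and not the configuration from the original post or demo: the admin host 192.0.2.10, the syslog collector 192.0.2.20, the ACL number and the enable secret value are all assumptions, chosen so the block is self-contained. It also adds the two pieces the individual commands above leave implicit, namely the ACL that quiet mode refers to and the logging destination the on-success/on-failure messages are sent to.

```cisco
! Added example, not from the original post. Addresses, ACL number and
! secret value are constructed for illustration.
configure terminal
!
! Define the exemption ACL before referencing it from quiet mode. If the
! ACL referenced by login quiet-mode access-class does not exist, nothing
! is exempt and every login, including the administrator's, is refused
! during the quiet period.
access-list 1 remark Admin hosts exempt from login quiet mode
access-list 1 permit host 192.0.2.10
!
! Password policy: minimum length is enforced on new passwords only.
security passwords min-length 10
enable secret Ex4mple-Enable-S3cret
!
! Legacy per-device failure counter: 10 failures -> 15 s delay + syslog.
security authentication failure rate 10 log
!
! Quiet period: 2 failures within 100 s blocks all logins for 100 s,
! except from hosts permitted by ACL 1. block-for must precede quiet-mode.
login block-for 100 attempts 2 within 100
login quiet-mode access-class 1
!
! Per-attempt throttle (default would be 1 s once block-for is set).
login delay 10
!
! Audit trail for both outcomes; send it off-box so an attacker who gains
! access cannot simply clear the local buffer.
login on-success log
login on-failure log
logging host 192.0.2.20
logging trap informational
end
!
! Verification: show login reports the block-for / quiet-mode parameters
! and whether the router is currently in a quiet period; show login
! failures lists recent failed attempts with source address and time.
show login
show login failures
```

After applying this, test it from a non-exempt host by entering two bad passwords in quick succession: show login should then report the router in quiet mode, while a session from 192.0.2.10 still gets a prompt. Re-check show login once the 100 seconds have elapsed to confirm the router returns to normal mode on its own.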