Setting a Login Failure Rate

This topic describes how to secure administrative access to Cisco routers by setting a login failure rate.

Authentication Failure Rate with Logging

router(config)# security authentication failure rate threshold-rate log

• This command configures the number of allowable unsuccessful login attempts.

• By default, the router allows 10 login failures before initiating a 15-second delay.

• This command generates a syslog message when the rate is exceeded.

Boston(config)# security authentication failure rate 10 log
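The command above is easy to verify on one router but tedious across a fleet. The following Python script is an added example, not part of the Cisco course material: it audits saved running-config text for the security authentication failure rate command, checks that the log keyword is present and that the threshold lies within 2 to 1024, and compares the threshold with a policy ceiling. The hostnames, config excerpts and the policy ceiling of 10 are constructed for the example.

```python
import re

# Syntax from the page: security authentication failure rate <threshold-rate> log
# The 2..1024 range and the required log keyword are as the course text states.
FAILURE_RATE_RE = re.compile(
    r"^\s*security authentication failure rate (?P<rate>\d+)(?P<log>\s+log)?\s*$",
    re.MULTILINE,
)
THRESHOLD_MIN, THRESHOLD_MAX = 2, 1024

# Constructed running-config excerpts; hostnames and surrounding lines are made up.
CONFIGS = {
    "Boston": (
        "hostname Boston\n"
        "!\n"
        "security authentication failure rate 10 log\n"
        "!\n"
        "line vty 0 4\n"
        " login local\n"
    ),
    "Chicago": (
        "hostname Chicago\n"
        "!\n"
        "line vty 0 4\n"
        " login local\n"
    ),
    "Denver": (
        "hostname Denver\n"
        "!\n"
        "security authentication failure rate 500 log\n"
    ),
}


def audit_failure_rate(config_text, max_allowed=10):
    """Audit one config. max_allowed is an assumed local policy ceiling, not a Cisco default."""
    m = FAILURE_RATE_RE.search(config_text)
    if m is None:
        return {"configured": False, "threshold": None,
                "findings": ["security authentication failure rate is not configured"]}
    rate = int(m.group("rate"))
    findings = []
    if m.group("log") is None:
        findings.append("log keyword missing; no syslog event would be generated")
    if not THRESHOLD_MIN <= rate <= THRESHOLD_MAX:
        findings.append(f"threshold {rate} is outside the valid range {THRESHOLD_MIN}-{THRESHOLD_MAX}")
    elif rate > max_allowed:
        findings.append(f"threshold {rate} is above the policy ceiling of {max_allowed}")
    return {"configured": True, "threshold": rate, "findings": findings}


def audit_all(configs, max_allowed=10):
    """Run the audit over a mapping of hostname -> running-config text."""
    return {host: audit_failure_rate(text, max_allowed) for host, text in configs.items()}


if __name__ == "__main__":
    for host, result in audit_all(CONFIGS).items():
        status = "OK" if result["configured"] and not result["findings"] else "REVIEW"
        print(f"{host}: {status} threshold={result['threshold']} {result['findings']}")
```

Feed audit_all the output of show running-config collected from each router; a device that returns configured False has no failure-rate limit in its saved configuration, and a high threshold is reported separately from an invalid one.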


Starting with Cisco IOS Release 12.3(1), system administrators can configure the number of allowable unsuccessful login attempts using the security authentication failure rate global configuration command, as shown in the slide.

When the number of failed login attempts reaches the configured rate, these two events occur:

■ A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog server.

■ A 15-second delay timer starts.

Once the 15-second delay has passed, the user may continue to attempt to log in to the router. The syntax for the security authentication failure rate command is as follows:

security authentication failure rate threshold-rate log

Command Element   Description

threshold-rate    The number of allowable unsuccessful login attempts. The default is 10 (the range is 2 to 1024).

log               The log keyword is required; the command must result in a generated syslog event.

2-40 Securing Cisco Network Devices (SND) v2.0 © 2006 Cisco Systems, Inc.
