Example 5-7 Access List Configured on a vty Line

Router(config)#access-list 10 permit 192.168.100.0 0.0.0.255

Router(config)#line vty 1 5
Router(config-line)#access-class 10 in

Another useful tactic is to configure vty timeouts with the exec-timeout minutes [seconds] line configuration command. This command prevents an idle session from holding a vty indefinitely and thereby keeping administrators out. Its effectiveness against deliberate attacks is limited, because an attacker can simply keep a session active, but it does protect against sessions accidentally left idle.

Telnet carries passwords, and the entire session, in clear text, so anyone who can observe the traffic can recover them; this makes Telnet an insecure method of access. SSH encrypts the session and is a more secure method of interactive access to the router; restricting the vty lines to SSH with the transport input ssh line command removes Telnet as an option.

Cisco IOS Software Release 12.3T introduced new features to better secure virtual login connections. The following is a list of these features:

• Delays between login attempts: This feature protects the router from username and password dictionary attacks by limiting how quickly successive login attempts can be made. To specify a delay between login attempts, use the login delay seconds global configuration command. The seconds variable is an integer between 1 and 10. The default delay between login attempts is 1 second. Note that the login block-for command must be configured before any of the other login commands can be used.

• Login shutdown: This feature protects the router from denial-of-service (DoS) attacks by stopping continuous login attempts for a specified period of time. Use the login block-for seconds attempts tries within seconds global configuration command: the first seconds value is the amount of time the router waits before allowing another login attempt, called the quiet period; tries is the number of failed login attempts that triggers the quiet period; and the second seconds value is the window within which those failures must occur. Each seconds variable is an integer between 1 and 65535. During the quiet period, all attempts from all types of login protocols (that is, Telnet, SSH, and Hypertext Transfer Protocol [HTTP]) are denied. You can exclude specific hosts or subnets from the quiet period with the login quiet-mode access-class {acl-name | acl-number} global configuration command, so that administrators on a trusted management network are not locked out while an attack is in progress. The acl-name and acl-number parameters specify a standard, extended, or named access list.

• Login attempt logging messages: Successful and failed login attempts can be logged with the login on-failure log [every login] and login on-success log [every login] commands. The login parameter is an integer between 1 and 65535 specifying how many attempts must occur before a logging message is generated (for example, every 3 logs every third attempt). Future releases of Cisco IOS Software will provide support for Simple Network Management Protocol (SNMP) traps.

Example 5-8 shows a sample router configuration that blocks all login requests for 120 seconds if more than 30 failed login attempts occur within 180 seconds. A delay of 3 seconds is enforced between successive login attempts, and failed login attempts are logged for every third failure.
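The following listing is an added worked example of the configuration just described, written by the editor; it is not the book's own Example 5-8 text, which did not survive on this page. It combines the login enhancements with the access-class and exec-timeout protections discussed earlier. Assumptions, labeled in the comments: the management subnet 192.168.100.0/24 from Example 5-7 is the only network that should reach the vtys and be exempt from quiet mode, the router has a hostname and domain name already set (required before an RSA key for SSH can be generated), and vty lines 0 through 4 are the lines in use.

```text
! Added example, not the book's Example 5-8. Assumes hostname and
! ip domain-name are already configured so that SSH keys can be generated.
! Standard ACL 10 matches the management subnet from Example 5-7 (assumed).
Router(config)#access-list 10 permit 192.168.100.0 0.0.0.255
!
! login block-for must come first; the other login commands are rejected
! until it is present. Quiet period of 120 s after 30 failures within 180 s.
Router(config)#login block-for 120 attempts 30 within 180
! Hosts matched by ACL 10 are still allowed to log in during the quiet period.
Router(config)#login quiet-mode access-class 10
! 3 seconds between successive login attempts on this router.
Router(config)#login delay 3
! Log every third failed attempt, and every successful login.
Router(config)#login on-failure log every 3
Router(config)#login on-success log
!
! SSH instead of Telnet (Release 12.3T supports SSH version 2; assumed here).
Router(config)#crypto key generate rsa modulus 2048
Router(config)#ip ssh version 2
!
! Restrict the vtys to the management subnet, disconnect idle sessions
! after 5 minutes, and accept SSH only.
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Router(config-line)#exec-timeout 5 0
Router(config-line)#transport input ssh
Router(config-line)#end
!
! Verify the resulting login protection settings and whether the router
! is currently in quiet mode.
Router#show login
```

The order matters: if login delay or login on-failure is entered before login block-for, the router refuses the command. After applying the configuration, show login reports the configured delay, the failure threshold and window, the quiet-mode ACL, and whether quiet mode is currently active, which is the quickest way to confirm that the protection is in force before an attacker tests it for you.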

