Implementing Login Security Enhancements
I wanted to go through a few commands today to help you lock down your Cisco devices a little tighter. I'm just going to go through them one at a time and discuss them as we go.
Router(config)# login block-for <seconds> attempts <attempts> within <seconds>
What this command does is stop brute-force and dictionary attacks against your passwords. Out of the box, IOS lets an attacker keep reconnecting and guessing indefinitely; with this command the router refuses all logins for a set number of seconds once it sees too many failures. Say you fill in the options with 180, 5 and 30, in that order: if five login attempts fail within 30 seconds, the router stops accepting logins for 180 seconds. Keep in mind that if an intruder figures out you're running this, he can turn it into a denial of service by simply never stopping, and without the next command in place, not even you will be able to log in remotely while the block is active.
Router(config)# login quiet-mode access-class <acl>
Quiet mode is the state the router enters while it's blocking logins because of the previous command. If you build an access list and reference it here, only the sources that list permits can log in while the router is in quiet mode. Be careful with the standard-ACL syntax: "access-list 10 permit 192.168.1.0" matches only the single address 192.168.1.0, because the wildcard mask defaults to 0.0.0.0; to permit the whole subnet you need "access-list 10 permit 192.168.1.0 0.0.0.255". Think of it as your back door in when someone is screwing with you. Note that login block-for has to be configured before the router will accept this command.
Router(config)# login on-failure log every <number>
This logs a syslog message every N failed login attempts. Set it to every 2 or 3 failures, because even as the administrator of the box you're going to fat-finger or mistype a password now and again, and you don't need a message for every one of those. If you want a proper audit trail, you'll also want to log every successful login, and you do that with...
Router(config)# login on-success log
This creates a syslog message every time someone logs in successfully. The same optional "every <number>" keyword is available here if you want to thin it out, but for successful logins you usually want all of them.
Router(config)# security passwords min-length <length>
This one is pretty self explanatory: it's always good practice to require a minimum password length on your devices. One caveat: it only checks passwords you set after the command is entered (user, enable, secret and line passwords); anything already in the config is not re-checked, so configure it first and then rotate the weak ones.
Router(config-line)# exec-timeout <min> <sec>
You'll notice that this command is issued under a VTY or console line, and you've probably seen it before. The default is 10 minutes, and I can't stand getting kicked out of a router after only 10 minutes. I may be looking something up in Google and the next thing you know, I've got to log back in. I normally set this to 15 minutes, but understand the tradeoff: the longer the timeout, the longer an unattended session stays open for whoever walks up to the terminal. You can also do a "no exec-timeout" (or "exec-timeout 0 0") to disable it completely, but you should only do this in a lab environment.
Router(config)# service password-encryption
This encrypts every clear-text password in your configuration, so a console or VTY line password, for example, no longer shows up in plain text in "show running-config". Know what you're getting, though: this is the reversible type 7 scheme, which only protects against shoulder-surfing, and anyone who obtains a copy of the config can recover the originals in seconds. For the enable password and local user accounts, use "enable secret" and "username <name> secret", which store a one-way hash instead of an obfuscated password.
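Here is the whole set pulled together into one configuration, as an added example that is not from the original post. The hostname, the 192.168.1.0/24 management subnet, the "admin" username and the placeholder secrets are assumed for illustration, and "enable secret" / "username ... secret" are included alongside "service password-encryption" to show the hashed alternative to type 7 obfuscation:

```cisco
! Added example (not from the original post). Hostname, the 192.168.1.0/24
! management subnet, the "admin" user and the secret values are assumed.
hostname Router
!
! Enforce a minimum length BEFORE setting any passwords; existing ones are
! not re-checked.
security passwords min-length 10
!
! Hashed secrets for enable and local users. The values below are
! placeholders; replace them.
enable secret Ch4nge-Th1s-Enable!
username admin secret Ch4nge-Th1s-Admin!
!
! Management hosts that may still log in while the router is in quiet mode.
! Note the wildcard mask: "permit 192.168.1.0" alone matches only the single
! host 192.168.1.0.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! 5 failures within 30 seconds -> refuse logins for 180 seconds.
! login block-for must be configured before the other login commands.
login block-for 180 attempts 5 within 30
login quiet-mode access-class 10
login on-failure log every 3
login on-success log
!
! Obfuscate (type 7) whatever plain-text passwords remain, e.g. line
! passwords. This is not a substitute for the secrets above.
service password-encryption
!
line console 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
!
! Verification from enable mode:
!   show login            - current block-for / quiet-mode settings and state
!   show login failures   - recent failed attempts with source and user
end
```

After applying it, "show login" confirms the block-for parameters and whether the router is currently in quiet mode, and "show login failures" shows the sources that triggered the failures so you can tell an attacker apart from a colleague who mistyped a password.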
Hope these help you button things down!
-Greg
Buy a T-Shirt!
Hey guys, I'm throwing together some T-Shirt designs and I've decided to let my readers have first crack at them. If you notice at the top of this page, I've put up a new page on the site. Check out my T-Shirts! They make a great Christmas present for yourself or a fellow network engineer! I'll be adding shirts regularly, so keep checking until you find something that you like!
-Greg