Also, after you execute the no service password-recovery command, a show running-config listing contains the no service password-recovery statement, as shown.
Content 5.5 Securing Cisco Router Administrative Access
5.5.6 Setting Login Failure Rates and Conditions

Cisco IOS software provides several features that protect a router against unauthorized logins by limiting the login failure rate and setting the conditions under which login attempts are accepted.

Configure the Number of Allowable Unsuccessful Login Attempts

Starting with Cisco IOS Release 12.3(1), you can configure the number of allowable unsuccessful login attempts with the security authentication failure rate global configuration command and its parameters, as shown in the figure. When the number of failed login attempts reaches the configured rate, two events occur: a syslog message is generated, and a 15-second delay is enforced. After the 15-second delay has passed, the user can continue to attempt to log in to the router.

Set a Login Failure Blocking Period

The login block-for command, available in Cisco IOS Release 12.3(4)T and later, makes the router refuse all further login connections for a "quiet period" when the configured number of connection attempts fails within a specified time. Hosts permitted by a predefined ACL are exempt from the quiet period (see Excluding Addresses from Login Blocking below). The quiet period is enabled with the global configuration command login block-for seconds attempts tries within seconds, as shown in the figure. The first parameter (seconds) is the length of the quiet period, during which login attempts are denied. The second parameter (attempts) is the number of failed login attempts that triggers the quiet period. The third parameter (within) is the window, in seconds, in which that number of failures must occur for the quiet period to be triggered. After the login block-for command is enabled, these defaults are enforced: all login attempts are denied during the quiet period until an exemption ACL is configured with login quiet-mode access-class, and a uniform delay of one second is applied between successive login attempts unless login delay sets a different value.

System Logging of Login Requests During Quiet Periods

When a router switches to or from quiet mode, it generates a logging message. If configured, the router also generates a logging message for every successful or failed login request: the global configuration command login on-success log enables logging of successful logins, and login on-failure log enables logging of failed logins. The message generated when the router enters quiet mode and the message generated when it returns to normal mode are both shown in the figure.

Excluding Addresses from Login Blocking

With the login quiet-mode access-class command, introduced in Cisco IOS Release 12.3(4)T, the router consults the configured ACL while in quiet mode and continues to permit login attempts from the hosts the ACL permits. If this command is not configured, all connection attempts are denied during the quiet period. Addresses permitted by the ACL are also excluded from login failure counting. The syntax is login quiet-mode access-class {acl-name | acl-number}, as shown in the figure. Keep the exemption ACL limited to a small set of trusted management hosts: an address that is exempt from both blocking and failure counting is an address from which password guessing is never throttled by this feature.

Setting a Login Delay

A Cisco IOS device accepts login connections (Telnet, SSH, HTTP) as fast as it can process them. The login delay command introduces a uniform delay between successive login attempts. The delay applies to every login attempt, failed or successful, which slows dictionary attacks (automated attempts to guess a valid username and password for the device). The login delay command was introduced in Cisco IOS Release 12.3(4)T. If it is not configured, a login delay of one second is automatically enforced once the login block-for command is applied to the router configuration, as shown in the figure.

Verifying Login

Verify the login configuration with the show login command, as illustrated in the figure. The sample output confirms that the login block-for command is in effect: in this example, the router blocks logins for 100 seconds if 16 or more login requests fail within 100 seconds, and five login requests have already failed. The show login failures command produces output similar to that shown in the figure, listing all failed login attempts on the router.
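The following configuration puts the commands from this section together on one router, in the order they depend on each other. It is an added example, not a figure from the original page; the ACL name MGMT-HOSTS, the management subnet 10.10.0.0/24 and the timer values are assumptions chosen for illustration.

```cisco
! Added example (not from the original page). The management subnet
! 10.10.0.0/24, the ACL name MGMT-HOSTS and the timer values are assumptions.
!
! 1. Trusted management hosts. These are exempt from the quiet period and
!    from failure counting, so keep the list short: an exempt host is one
!    from which password guessing is never throttled.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
!
! 2. Failure-rate guard (12.3(1) and later): after 5 failed authentications
!    a syslog message is generated and a 15-second delay is imposed.
security authentication failure rate 5 log
!
! 3. Login enhancements (12.3(4)T and later). Configure login block-for
!    first; the other login commands depend on it.
!    Enter a 120-second quiet period if 3 attempts fail within 60 seconds.
login block-for 120 attempts 3 within 60
!
! 4. Exempt the management hosts from the quiet period. Without this line
!    every host, including your own, is refused while quiet mode is on.
login quiet-mode access-class MGMT-HOSTS
!
! 5. Three seconds between consecutive login attempts
!    (the default is one second once login block-for is set).
login delay 3
!
! 6. Log every failed and every successful login, not only the
!    quiet-mode on/off transitions.
login on-failure log
login on-success log
!
! Verification from privileged EXEC mode:
!   show login           - current settings and whether quiet mode is active
!   show login failures  - failed attempts by user, source address and count
```

Order matters when testing: with these values, three wrong passwords from a non-exempt host within a minute put the router into quiet mode for two minutes, during which only 10.10.0.0/24 can still open a login session, so test the exemption ACL from a management host before relying on it.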
5.5.7 Setting Timeouts

By default, an administrative interface stays active (and logged on) for ten minutes after the last session activity. After that time, the interface times out and the session is logged out. Tune these timers down so that an idle session lasts two or three minutes at most. The figure shows the exec-timeout command syntax and some examples.

Caution

Setting the exec-timeout value to 0 disables the timeout: the session stays active for an unlimited time. Do not set the value to 0. Adjust these timers with the exec-timeout command in line configuration mode for each line type in use (console, auxiliary and vty), because each line keeps its own timer. The figure describes the exec-timeout command parameters.
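The weak setting and the corrected one side by side, as an added example rather than the page's own figure. The line ranges (con 0, aux 0, vty 0 4) are the usual defaults on a small router and are assumed here.

```cisco
! Added example, not from the original page. Line ranges are assumed.
!
! WEAK: exec-timeout 0 0 disables the idle timer. A vty session left open
! on an unattended workstation stays logged in until someone closes it.
line vty 0 4
 exec-timeout 0 0
!
! CORRECTED: drop idle sessions after 3 minutes 0 seconds.
! Syntax is exec-timeout minutes [seconds]; the default is 10 0.
! Set it on every line type an administrator can reach, because each
! line keeps its own timer; hardening only the vty lines leaves an
! idle console session open indefinitely.
line con 0
 exec-timeout 3 0
line aux 0
 exec-timeout 3 0
line vty 0 4
 exec-timeout 3 0
```

Check the result with show running-config | section line: a line that shows no exec-timeout entry is using the ten-minute default, while one that shows exec-timeout 0 0 has no timeout at all.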
5.5.8 Setting Multiple Privilege Levels

Cisco routers let you configure multiple privilege levels for your administrators, each protected by its own password, to control who has access to each level. This is especially useful in a help desk environment where some administrators may configure and monitor every part of the router (level 15) while others are restricted to monitoring only (customized levels 2 to 14). The 16 levels (0 to 15) are defined in the figure. Commands are assigned to levels 2 to 14 with the privilege command from global configuration mode. The example in the figure assigns the ping command to privilege level 2 and sets "Patriot" as the secret password that users must enter to use level 2 commands. After the enable 2 command, you are prompted for the enable secret for privilege level 2, and the show privilege command then displays the current privilege level (the password is shown here for clarity; a real router does not echo it):

router>enable 2
Password: Patriot
router#show privilege
Current privilege level is 2

The figure describes the parameters for the privilege command. Use the privilege ? form of the command in global configuration mode to see the complete list of router configuration modes on your router. The Router Configuration Modes table in the figures lists some of the modes that can be configured with the privilege command.
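The configuration below builds the level-2 example from this section into a usable help-desk role. It is an added example, not the page's own figure; the level number 2, the helpdesk account, the secrets and the command set are assumptions.

```cisco
! Added example, not from the original page. Level 2, the helpdesk
! account, the secrets and the command list are assumptions.
!
! Commands made available at level 2. Assigning a command also makes its
! parent keywords usable (e.g. "show ip route" brings "show" and "show ip").
privilege exec level 2 ping
privilege exec level 2 traceroute
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip route
privilege exec level 2 show interfaces
!
! Two ways to reach level 2:
!  (a) a level-2 enable secret, entered with "enable 2" from user EXEC
enable secret level 2 Patriot
!  (b) a local account that lands directly at level 2 when it logs in
username helpdesk privilege 2 secret H3lpD3sk-Only
!
! Level 15 keeps its own, different enable secret.
enable secret Full-Admin-Only
!
! vty lines authenticate against the local user database so that the
! helpdesk account's privilege level takes effect on SSH/Telnet logins.
line vty 0 4
 login local
!
! Do NOT move "configure terminal" down to a restricted level. Once a user
! can enter global configuration mode, also lowering the "username" or
! "enable" commands would let them create a level-15 account for
! themselves. Leave configuration commands at level 15.
!
! Verify from the help desk session: "show privilege" reports level 2,
! "ping" and the listed show commands work, and "configure terminal" is
! rejected because it is not available at level 2.
```

The effective command set at a level is the union of everything assigned to that level and below, so review it as a whole whenever you add a command: a single show command that reveals credentials or keys undoes the separation the levels were meant to provide.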
5.5.9 Configuring Banner Messages

Banner messages should warn would-be intruders that they are not welcome on your network. Banners are important, especially from a legal perspective: intruders have been known to win court cases because they did not encounter an appropriate warning message when they accessed a network through its routers. Choosing what to place in your banner messages is therefore extremely important, and the wording should be reviewed by legal counsel before the messages are placed on your routers. Never use the word