Similarly, after you execute the no service password-recovery command, a show running-config command listing will contain the no service password-recovery statement as shown.
5.5 Securing Cisco Router Administrative Access
5.5.6 Setting Login Failure Rates and Conditions

Cisco IOS software provides a number of features to secure routers against unauthorized logins by setting login failure rates and conditions.

Configure the Number of Allowable Unsuccessful Login Attempts
Starting with Cisco IOS Release 12.3(1), you can configure the number of allowable unsuccessful login attempts by using the security authentication failure rate global configuration command with the necessary parameters, as shown in the figure. When the number of failed login attempts reaches the configured rate, two events occur:

- A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog server.
- A 15-second delay timer starts.

After the 15-second delay has passed, the user can continue to attempt to log in to the router.

Set a Login Failure Blocking Period
With this Cisco IOS login enhancement command, available in Cisco IOS Release 12.3(4)T and later, the Cisco IOS router will not accept any additional login connections for a “quiet period” if the configured number of connection attempts fail within a specified time period. Hosts permitted by a predefined ACL are excluded from the quiet period. You configure the quiet period with the global configuration mode command login block-for seconds attempts tries within seconds, as shown in the figure; the predefined ACL that is excluded from the quiet period is specified separately with the login quiet-mode access-class command. The first command parameter (seconds) specifies the duration of time, or quiet period, during which login attempts are denied. The second parameter (attempts) specifies the maximum number of failed login attempts that triggers the quiet period. The third parameter (within) specifies the duration of time, in seconds, during which the allowed number of failed login attempts must be made before the quiet period is triggered. After the login block-for command is enabled, these defaults are enforced:

- A default login delay of one second.
- All login attempts made via Telnet, SSH, and HTTP are denied during the quiet period; that is, no ACLs are exempt from the quiet period until the login quiet-mode access-class command is issued.
System Logging of Login Requests During Quiet Periods

After a router switches to or from quiet mode, the router generates logging messages. Also, if configured, logging messages are generated upon every successful or failed login request. Logging messages can be generated for successful login requests with the new global configuration command login on-success. The login on-failure command generates logs for failed login requests. After the router switches to quiet mode, the router generates the logging message shown in the figure. After the router switches from quiet mode back to normal mode, the router generates the logging message also shown in the figure.

Excluding Addresses from Login Blocking
With the login quiet-mode access-class command, introduced in Cisco IOS Release 12.3(4)T, the Cisco IOS router uses the configured ACL to permit login attempts when the router switches to quiet mode. If this command is not configured, all connection attempts are denied during the quiet period. The ACL also specifies IP addresses that are excluded from login failure counting. The command syntax is login quiet-mode access-class {acl-name | acl-number}, as shown in the figure.

Setting a Login Delay
A Cisco IOS device can accept login connections (such as Telnet, SSH, and HTTP) as fast as the router can process them. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, whether failed or successful. Thus, users can better secure their Cisco IOS device from dictionary attacks, which are attempts to guess a valid username and password for the device. The login delay command was introduced in Cisco IOS Release 12.3(4)T. If this command is not enabled, a login delay of one second is automatically enforced after the login block-for command is applied to the router configuration, as shown in the figure.

Verifying Login
You can verify the login functionality by using the show login command, as illustrated in the figure. The sample output from the show login command verifies that the login block-for command is issued. In this example, the command is configured to block login hosts for 100 seconds if 16 or more login requests fail within 100 seconds. Five login requests have already failed. Using the show login failures command generates output similar to that shown in the figure, listing all failed login attempts on the router.
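The following configuration is an added example, not part of the course page, that applies the commands from this section together on one router. The threshold values and the 10.0.0.0/24 management subnet in the PERMIT-ADMIN ACL are constructed for illustration.

```ios
! Added example (not from the course page). Values are constructed.
!
! Log and throttle when 3 authentication failures occur within a
! one-minute window (security authentication failure rate, 12.3(1)+).
security authentication failure rate 3 log
!
! Management hosts exempt from the quiet period and from failure
! counting (subnet is a constructed example).
ip access-list standard PERMIT-ADMIN
 permit 10.0.0.0 0.0.0.255
!
! Enter a 120-second quiet period after 3 failed logins within 60 seconds
! (login block-for, 12.3(4)T+), excluding hosts matched by PERMIT-ADMIN.
login block-for 120 attempts 3 within 60
login quiet-mode access-class PERMIT-ADMIN
!
! Generate a log message for every successful and failed login request,
! and enforce a 2-second delay between successive login attempts
! (login block-for alone enforces a 1-second default).
login on-success log
login on-failure log
login delay 2
!
! Verify from privileged EXEC:
!   show login
!   show login failures
```

With login on-failure log in place, the failure messages and the quiet-mode transition messages can be forwarded to the configured syslog server and alerted on.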
5.5 Securing Cisco Router Administrative Access
5.5.7 Setting Timeouts

By default, an administrative interface stays active (and logged on) for ten minutes after the last session activity. After that time, the interface times out and logs out of the session. Fine-tune these timers to limit the idle time to two or three minutes at most. The figure shows the exec-timeout command syntax and some examples.

Caution
Setting the exec-timeout value to 0 means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to 0.

You can adjust these timers using the exec-timeout command in line configuration mode for each of the line types used. The figure describes the exec-timeout command parameters.
5.5 Securing Cisco Router Administrative Access
5.5.8 Setting Multiple Privilege Levels

Cisco routers let you configure various privilege levels for your administrators. Different passwords can be configured to control who has access to the various privilege levels. This ability is especially helpful in a help desk environment where certain administrators are allowed to configure and monitor every part of the router (level 15) while other administrators may be restricted to only monitoring (customized levels 2 to 14). The 16 levels (0 to 15) are defined in the figure. Privileges are assigned to levels 2 to 14 using the privilege command from global configuration mode. The example shown in the figure assigns the ping command to privilege level 2 and establishes “Patriot” as the secret password that users must enter to use level 2 commands. Using the enable 2 command, you will be prompted for the enable secret password for privilege level 2. The show privilege command is used to display the current privilege level:

router>enable 2
Password: Patriot
router#show privilege
Current privilege level is 2

The figure describes the parameters for the privilege command. Use the privilege ? option of the command in global configuration mode to see a complete list of router configuration modes on your router. The Router Configuration Modes table, shown in the figures, contains some of the router configuration modes that can be configured using the privilege command.
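The following configuration is an added example, not part of the course page, that combines the idle timeouts of section 5.5.7 with a monitoring-only privilege level as described in this section. “Patriot” is the level 2 password from the course figure; the level 5 password is a placeholder, and the level 5 command set is a constructed help-desk role.

```ios
! Added example (not from the course page).
!
! Time out idle administrative sessions after 3 minutes on the console
! and on the vty lines (default is 10 minutes; never use exec-timeout 0 0).
line console 0
 exec-timeout 3 0
line vty 0 4
 exec-timeout 3 0
!
! Level 2: help-desk users may only ping, as in the course figure.
privilege exec level 2 ping
enable secret level 2 Patriot
!
! Level 5 (constructed role): monitoring staff may also view interface,
! routing and logging state, but still cannot enter configuration mode.
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
privilege exec level 5 show logging
enable secret level 5 REPLACE-WITH-LEVEL5-SECRET
!
! From user EXEC, "enable 5" then "show privilege" reports level 5;
! commands assigned only to level 15 remain unavailable at that level.
```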
5.5 Securing Cisco Router Administrative Access
5.5.9 Configuring Banner Messages

Banner messages should be used to warn would-be intruders that they are not welcome on your network. Banners are important, especially from a legal perspective. Intruders have been known to win court cases because they did not encounter appropriate warning messages when accessing router networks. Choosing what to place in your banner messages is extremely important and should be reviewed by legal counsel before placing the messages on your routers. Never use the word