05-15-2008 11:06 AM - edited 03-10-2019 04:06 AM
I work on a system that requires management interfaces to logout a user if inactive for a period of time (10 minutes).
Is there any way to configure this for the 4215/4240 IDM &/or CLI interfaces?
05-21-2008 11:55 AM
Use the ftp-timeout command in the service host submode to change the number of seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server. The default is 300 seconds.
Refer to the following URL for more info:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wpmkr1088220
05-21-2008 12:59 PM
The ftp-timeout option only applies to a sensor connecting to an FTP server for an upgrade.
There is no timeout option to shut down a CLI session (through telnet, ssh, or console) that has been sitting idle.
06-02-2008 09:23 AM
Thanks. This would be a nice feature to have for all access methods (telnet, ftp, ssh, IDM, IME, etc...)
06-02-2008 11:04 AM
If it's really important, and there is a firewall between the management subnet and the IPS sensor, you could use the firewall to disconnect the management traffic destined to the IPS after 'x' amount of time.
Regards
Farrukh
06-02-2008 11:14 AM
It would be nice, and is often required in any shop that has any defined security policy to have:
ssh/https session idle time out
RADIUS/TACACS AAA authentication
Account lockout after X bad passwords
06-02-2008 11:35 AM
I totally agree, all these features are a must to apply a consistent security policy across all network elements (especially considering the IDS/IPS is a security device).
Regards
Farrukh
06-02-2008 11:48 AM
A bug was entered against IDM in 5.0 and never acted upon for this very thing.
Thanks
Bob