
Securing login on 2851

mitchell.smith
Level 1

Hi, I want my 2851 to stop allowing login attempts after 3 failed attempts and to (if possible) send an email to the network administrator about the failed login attempts. Can anyone help with this?

Thanks in advance! Mitchell

4 Replies

Collin Clark
VIP Alumni

Mitchell-

1. ip ssh authentication-retries 3

2. This can be done with EEM (Embedded Event Manager). Once the 3rd failure happens, a syslog event is triggered and then you would configure EEM to send the email. Here's a link to it: http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

You could also post in Network Management; there is a guy (J.Clarke, I believe) who is really good at EEM.

Hope that helps.

Hi Collin,

Thanks for your post, I was not aware of EEM and will spend some time looking through it. I think it will work for the email notification.

About the login retries, my router already resets the interface after 3 failed login attempts, but this does not prevent someone from trying again and again to get in using a compromised user ID. What I would like to do is lock out the user ID after 3 failed attempts. Do you know if this is possible?

Thanks for your help!

Mitchell

I think you can do it with aaa authentication attempts login 3. Are you using AAA locally or with a RADIUS/TACACS server?

We are using AAA locally. I will try this command on my test router and see what happens. Thanks for the help!
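
The pieces discussed in this thread (retry limit, lockout of a local user ID after 3 failures, and an EEM e-mail on a failed-login syslog message), combined as an added example that is not from any of the posters. Only `ip ssh authentication-retries 3` comes from the thread; the other commands are IOS features chosen here as an assumption about what fits a local-AAA setup, and all addresses, e-mail addresses and names are placeholders.

```cisco
! --- Added example; values marked "placeholder" are constructed ---
aaa new-model
aaa authentication login default local
!
! Lock a local user ID after 3 consecutive failed logins.
! The account stays locked until an administrator clears it.
aaa local authentication attempts max-fail 3
!
! From the thread: limit password retries per SSH connection.
ip ssh authentication-retries 3
!
! Slow down repeated guessing: refuse new login attempts for 120 s
! after 3 failures within 60 s (quiet mode).
login block-for 120 attempts 3 within 60
!
! Keep a management host able to log in during quiet mode.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
! (192.0.2.10 is a placeholder management station)
login quiet-mode access-class MGMT-HOSTS
!
! Emit a syslog message for every failed login so EEM has an event to match.
login on-failure log
!
! EEM applet: mail the failed-login syslog line to the administrator.
! Mail server and addresses are placeholders.
event manager applet LOGIN-FAILED-MAIL
 event syslog pattern "SEC_LOGIN-4-LOGIN_FAILED"
 action 1.0 mail server "192.0.2.25" to "netadmin@example.com" from "r2851@example.com" subject "Failed login on 2851" body "$_syslog_msg"
!
! Checks from exec mode:
!   show aaa local user lockout
!   show login failures
!   clear aaa local user lockout username <name>
```

Lockout by user ID lets anyone who knows a valid user name lock that user out, so pair it with the `login block-for` throttle and restrict which sources can reach the vty lines. Accounts configured with privilege level 15 are not locked out by `max-fail`, so give those accounts strong credentials.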