Block vty connection for x period of time after x failed attempts

goulin
Level 1

Hi,

I was wondering whether there was a way to dynamically block a vty session (telnet/ssh etc) for a period of time after x amount of failed login attempts using Cisco IOS?  I don't believe there is, but I wanted a way to provide Internet connectivity to a router but stop DDoS attempts from filling up the available VTY lines and/or bots continually trying to log in.

Thanks,

goulin

Accepted Solution

Bastien Migette
Cisco Employee

Here it is:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance.html

You can even except certain IPs from being blocked.

A sample:

login block-for 60 attempts 5 within 30

!this will block anyone for 60s when 5 unsuccessful logins occur within 30s


4 Replies

Calvin Ryver
Level 1

I did a little testing and do not see a way to do this, sorry

Hi Bastien,

Thanks for that.  It is pretty close to what I am after... certainly better than leaving it open (I can use the ACL to allow only known addresses during a DDoS event).

Regards,

goulin

bl3ssedc0de
Level 1

A routing device can be configured to react to repeated unsuccessful logon attempts by rejecting an additional connection request (logon lock). This block can be configured for a period of time, called 'period of silence'. Legitimate connection attempts can still be allowed during a period of silence by configuring an access list (ACL) with addresses that you know are associated with system administrators.

Configuration of the login parameters:
- login block-for seconds attempts tries within seconds
- login quiet-mode access-class {acl-name | acl-number}
- login delay seconds


Example:

Parameters that help provide DoS detection

Router(config)#login block-for 100 attempts 2 within 100
Router(config)#login quiet-mode access-class myacl
Router(config)#login delay 10

(Optional) Set a delay between successive logon attempts.

For more details:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enh.html
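The quiet-mode behaviour described in this reply and in the accepted solution above, as an added Python model that is not Cisco's code and not part of this thread. It assumes a single device-wide failure counter (the "block anyone" behaviour the accepted solution describes), that an attempt arriving before the login delay has elapsed is refused without being counted, and it uses constructed sample values: the accepted solution's 60/5/30 settings, an assumed 2-second login delay, 203.0.113.7 as the noisy client and 192.0.2.0/24 as the admin range permitted by the quiet-mode ACL.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Added model of the IOS "login block-for / login quiet-mode access-class /
# login delay" semantics. This is not Cisco's implementation: it assumes one
# device-wide failure counter and that an attempt inside the login delay is
# simply refused without being counted.


@dataclass
class LoginBlockPolicy:
    block_for: int                  # seconds to stay in quiet mode once triggered
    attempts: int                   # failed attempts that trigger quiet mode
    within: int                     # window (seconds) in which the failures must occur
    delay: int = 1                  # minimum seconds between successive attempts
    quiet_mode_acl: List[str] = field(default_factory=list)  # CIDRs still allowed in quiet mode
    failures: List[float] = field(default_factory=list)      # timestamps of recent failures
    quiet_until: float = 0.0        # quiet mode is active while now < quiet_until
    last_attempt: float = float("-inf")

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def is_exempt(self, src: str) -> bool:
        """True if src matches the quiet-mode access-class (administrator addresses)."""
        addr = ip_address(src)
        return any(addr in ip_network(net) for net in self.quiet_mode_acl)

    def attempt(self, now: float, src: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'blocked', 'delayed', 'ok' or 'failed'."""
        if self.in_quiet_mode(now) and not self.is_exempt(src):
            return "blocked"                      # refused during the period of silence
        if now - self.last_attempt < self.delay:
            return "delayed"                      # too soon after the previous attempt
        self.last_attempt = now
        if password_ok:
            return "ok"
        # Record the failure and keep only those inside the sliding window.
        self.failures.append(now)
        self.failures = [t for t in self.failures if now - t <= self.within]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for  # enter quiet mode
            self.failures.clear()
        return "failed"


def simulate(policy: LoginBlockPolicy, events: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed (timestamp, source_ip, password_ok) events through the policy."""
    return [policy.attempt(t, src, ok) for t, src, ok in events]


def demo() -> List[str]:
    # Constructed scenario: "login block-for 60 attempts 5 within 30" from the
    # accepted solution, an assumed 2-second login delay, and an assumed admin
    # range in the quiet-mode ACL. Addresses are documentation ranges, not real hosts.
    policy = LoginBlockPolicy(block_for=60, attempts=5, within=30, delay=2,
                              quiet_mode_acl=["192.0.2.0/24"])
    noisy, admin = "203.0.113.7", "192.0.2.10"
    events = [
        (0, noisy, False), (1, noisy, False),    # second attempt lands inside the delay
        (2, noisy, False), (4, noisy, False),
        (6, noisy, False), (8, noisy, False),    # fifth failure within 30 s -> quiet mode
        (10, noisy, False),                      # refused during quiet mode
        (12, admin, True),                       # ACL-exempt admin still gets in
        (70, noisy, False),                      # quiet mode expired at t=68
    ]
    return simulate(policy, events)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` walks the accepted solution's parameters through one noisy client and one exempt administrator, which makes the point of the thread concrete: the counter is global, so a flood of bad logins puts the whole device into quiet mode, and only the addresses in the quiet-mode access-class keep their way in until the block expires.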
