Cisco Support Community
New Member

Block vty connection for x period of time after x failed attempts

Hi,

I was wondering whether there was a way to dynamically block a vty session (telnet/ssh etc) for a period of time after x amount of failed login attempts using Cisco IOS?  I don't believe there is, but I wanted a way to provide Internet connectivity to a router but stop DDoS attempts from filling up the available VTY lines and/or bots continually trying to log in.

Thanks,

goulin

3 REPLIES
New Member

Re: Block vty connection for x period of time after x failed att

I did a little testing and do not see a way to do this, sorry

Cisco Employee

Re: Block vty connection for x period of time after x failed att

Here it is:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance.html

You can even except certain IPs from being blocked.

A sample:

login block-for 60 attempts 5 within 30

!this will block anyone for 60s when 5 unsuccessful logins occur within 30s
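A fuller configuration built around the same feature, added here as an example and not taken from the reply or the linked Cisco document. The management subnet 192.0.2.0/24 and the ACL name are constructed placeholders; the quiet-mode ACL is what lets known addresses keep logging in while everyone else is blocked.

```cisco
! Constructed example: hosts that may still log in during the quiet period
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any

! After 5 failed logins within 30 seconds, enter quiet mode for 60 seconds
login block-for 60 attempts 5 within 30

! During quiet mode, only sources permitted by MGMT-HOSTS are accepted
login quiet-mode access-class MGMT-HOSTS

! Slow down automated guessing outside quiet mode (seconds between attempts)
login delay 2

! Log every failed and every successful login so attempts are visible in syslog
login on-failure log
login on-success log

! Restrict the VTY lines themselves to SSH; telnet is not accepted at all
line vty 0 4
 transport input ssh
```

Verify the active settings and recent failures with `show login` and `show login failures`.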

New Member

Re: Block vty connection for x period of time after x failed att

Hi Bastien,

Thanks for that.  It is pretty close to what I am after... certainly better than leaving it open (I can use the ACL to allow only known addresses during a DDoS event).

Regards,

goulin
