Cisco Support Community

New Member

What's the difference between "login block-for X attempts X within X" and "security authentication failure rate X"?

What's the difference between, just for example, "login block-for 100 attempts 15 within 100" and "security authentication failure rate 3"?

Please ignore the numbers, I need to know what the differences are in commands and what they do, what they affect.

Gold

security authentication

security authentication failure rate number_of_failed_attempts : A global configuration mode command used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing a 15-second delay

login block-for 100 attempts 15 within 100 : Block all access after 15 failed login attempts within 100 seconds for a period of 100 seconds (1.40 minutes).

The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.

The login block and login delay options introduced by this feature can be configured for Telnet or SSH virtual connections. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.

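To make the behavioural difference between the two commands concrete, here is an added simulation (written for this page; it is not Cisco code and not from the thread) that models each command exactly as the reply above describes it: `security authentication failure rate N` imposes a 15-second delay after N failures, and `login block-for B attempts A within W` refuses every login for B seconds once A failures land inside a W-second window. The attempt timeline is constructed, and two details the thread does not state are assumptions of the model and marked as such in the code: attempts arriving during the 15-second delay are not evaluated, and a successful login does not clear the block-for window.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class FailureRatePolicy:
    """Model of 'security authentication failure rate N': after N failed
    attempts a 15-second delay is imposed (delay length taken from the thread).
    Assumption of this model (not stated on the page): attempts arriving
    inside the delay are not evaluated, and the counter restarts afterwards."""
    threshold: int
    delay: float = 15.0
    failures: int = 0
    delayed_until: float = 0.0

    def attempt(self, t: float, success: bool) -> str:
        if t < self.delayed_until:
            return "delayed"
        if success:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.delayed_until = t + self.delay
            return "failed+delay"
        return "failed"


@dataclass
class LoginBlockPolicy:
    """Model of 'login block-for B attempts A within W': A failures inside a
    sliding W-second window trigger a B-second quiet period in which every
    login attempt is refused. Assumption of this model: a successful login
    does not clear the failure window."""
    block_for: float
    attempts: int
    within: float
    window: deque = field(default_factory=deque)
    quiet_until: float = 0.0

    def attempt(self, t: float, success: bool) -> str:
        if t < self.quiet_until:
            return "blocked"
        if success:
            return "accepted"
        self.window.append(t)
        # forget failures that fell out of the W-second window
        while self.window and t - self.window[0] > self.within:
            self.window.popleft()
        if len(self.window) >= self.attempts:
            self.window.clear()
            self.quiet_until = t + self.block_for
            return "failed+quiet"
        return "failed"


def simulate(policy, timeline):
    """timeline: list of (time_in_seconds, success_flag); returns one
    outcome string per attempt."""
    return [policy.attempt(t, ok) for t, ok in timeline]


# Constructed timeline: a password-guessing client that fails every 4 s
# for 80 s (20 attempts), the kind of activity both commands exist to slow.
GUESSING_TIMELINE = [(4 * i, False) for i in range(20)]


def compare(timeline=GUESSING_TIMELINE):
    """Run both policies, using the numbers from the thread, over the same
    timeline and count how often each outcome occurred."""
    rate = FailureRatePolicy(threshold=3)
    block = LoginBlockPolicy(block_for=100, attempts=15, within=100)
    return {
        "failure_rate_3": Counter(simulate(rate, timeline)),
        "block_for_100_15_100": Counter(simulate(block, timeline)),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(name, dict(counts))
```

Under the failure-rate model the guesser still gets 11 of its 20 passwords evaluated in those 80 seconds (the delay only throttles it), whereas block-for lets 15 through and then refuses the remaining 5 outright, and would keep refusing for the full 100-second quiet period. That is the practical difference: one command slows a dictionary attack, the other shuts the door for a configurable time once the attack is detected.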

New Member


mohanak, thanks for the definitions.

These two commands seem to be redundant. They both introduce a delay or wait time after a specified number of failed login attempts. Why should I use one over the other? Are they meant for different purposes? If they serve identical purposes, why do they both exist? Especially since the login block-for command is much more powerful and customizable.


BTW, the "login delay" command makes ZERO sense to me, especially when considering these other two commands.

New Member


Bump. Anyone else have an explanation of why I would choose to use one of these commands over the other? They are both global configuration commands.
