security authentication failurerate number_of_failed_attempts : A global configuration mode command used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing a 15-second delay
login block-for 100 attempts 15 within 100 : Block all access after 15 failed login attempts within 100 Secs for the period of 100Secounds (1.40 Minutes).
The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.
The login block and login delay options introduced by this feature can be configured for Telnet or SSH virtual connections. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.
These two commands seem to be redundant. They both introduce a delay or wait time after a specified number of failed login attempts. Why should I use one over the other? Are they meant for different purposes? If they serve identical purposes, why do they both exist? Especially since the login block-for command is much more powerful and customizable.
BTW, the "login delay" command makes ZERO sense to me, especially when considering these other two commands.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...