Cisco IOS Login Enhancements

Since 2005 Cisco IOS has offered several security enhancements to help mitigate the risks of dictionary attacks used against login sessions. Now you are probably wondering why I’m blogging about something more than 7 years after it was released. I rarely see people implement any of these features and I’m hoping to raise the visibility of these simple configurations.

If you’ve ever left SSH open to the internet I’m confident you’ve seen how quickly a dictionary attack will commence. There are two basic ways to combat this issue. The first, and highly recommended, way is to simply block SSH access from the internet (or at the very least restrict the VTY lines to your management networks with an access-class). The second option is to slow dictionary attacks down to the point where usernames and passwords can’t be tried fast enough to guess a valid combination.

The Cisco IOS login enhancements include two features:

  1. Introducing a delay between successive login attempts
  2. Blocking all login attempts once a failure threshold is reached

By introducing even a small delay, the time a remote attacker needs to run a dictionary attack increases greatly. Keep in mind that the delay is enforced per session, so an attacker can claw some speed back by opening several VTY sessions in parallel; that is one more reason to pair it with the blocking feature.

Cisco refers to the second feature as “quiet mode”. Once the failure threshold is reached the device refuses every login attempt, right password or not, until the block period expires. Because failures are counted globally rather than per source, an attacker who keeps failing on purpose can lock legitimate administrators out as well. That is what the optional access-list is for: hosts it permits are exempted during the block period, so it should always cover your management networks.

A quick example should tie all these pieces together. First we will create an access-list that permits the specific network(s) from which logins will never be denied. The 192.0.2.0/24 prefix below is only a placeholder (an RFC 5737 documentation range); replace it with your real management network. Do not be tempted by a “permit ip any any” entry, which would exempt everybody and defeat the purpose of the feature.

ip access-list extended SSH_IN
 remark Local Network (placeholder, use your management network)
 permit ip 192.0.2.0 0.0.0.255 any

Next we will configure the login blocking, which requires three parameters: the length of time to block for, the number of failed attempts after which to take action, and the period of time during which to monitor failed logins (all in seconds). Here’s the completed configuration to block logins for 60 seconds after 3 failed attempts within a 60 second period. The second line references the access-list created above so that the specified networks are never blocked. Once configured, show login reports the current settings and whether quiet mode is active right now.

login block-for 60 attempts 3 within 60
login quiet-mode access-class SSH_IN
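To make the interaction of the three parameters and the exempt access-list concrete, here is a small Python model of the behaviour described above. It is an added example written for this post, not Cisco code and not anything that runs on IOS: it counts failures globally the way the feature does, refuses everyone except exempt hosts during the block period, and walks through a constructed sequence of attempts using RFC 5737 documentation addresses (203.0.113.7 as the attacker, 192.0.2.0/24 as the exempt management network). The login delay is deliberately not modelled.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Imitation of 'login block-for <block_for> attempts <attempts> within <within>'
    plus 'login quiet-mode access-class'. Not Cisco code; failures are counted
    globally, not per source, which is what makes the exempt ACL so important."""

    def __init__(self, block_for, attempts, within, exempt_networks=()):
        self.block_for = block_for              # quiet period length in seconds
        self.attempts = attempts                # failures that trip quiet mode
        self.within = within                    # watch window in seconds
        self.exempt = [ip_network(n) for n in exempt_networks]
        self.failures = deque()                 # timestamps of failures inside the window
        self.quiet_until = None                 # end of the current quiet period, if any

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def is_exempt(self, src):
        ip = ip_address(src)
        return any(ip in net for net in self.exempt)

    def attempt(self, now, src, password_ok):
        """One login attempt at time `now` (seconds) from `src`; returns what the client sees."""
        if self.in_quiet_mode(now) and not self.is_exempt(src):
            return "blocked"                    # right or wrong password, no prompt at all
        if password_ok:
            return "ok"
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()             # failures older than the window no longer count
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "quiet_on"                   # this failure tripped the threshold
        return "failed"


def simulate():
    """Constructed attempt sequence against 'login block-for 60 attempts 3 within 60'."""
    guard = LoginGuard(block_for=60, attempts=3, within=60, exempt_networks=["192.0.2.0/24"])
    events = [                                  # (time, source, correct password?)
        (0,   "203.0.113.7", False),
        (1,   "203.0.113.7", False),
        (2,   "203.0.113.7", False),            # third failure inside 60 s: quiet mode for 60 s
        (3,   "203.0.113.7", True),             # the correct password is useless while quiet
        (4,   "192.0.2.10",  True),             # host matched by the exempt ACL still gets in
        (63,  "203.0.113.7", True),             # quiet period over
        (200, "203.0.113.7", False),            # three failures spread wider than 60 s ...
        (261, "203.0.113.7", False),
        (322, "203.0.113.7", False),
        (323, "203.0.113.7", True),             # ... never trip the threshold
    ]
    return [guard.attempt(t, src, ok) for t, src, ok in events]


if __name__ == "__main__":
    for result in simulate():
        print(result)
```

Running simulate() shows the third failure tripping quiet mode, the same attacker being refused even with the correct password, the exempt host getting in, and three failures spread more than 60 seconds apart never reaching the threshold. On a real device, login on-failure log (and login on-success log) make the equivalent events show up in syslog so you can watch the same sequence happen.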

Previously I mentioned that a simple delay between login attempts would greatly slow down dictionary attacks. This delay is configured as follows, with the duration specified in seconds. Note that configuring login block-for already enforces a default delay of 1 second, so an explicit login delay is only needed when you want a longer one.

login delay 2

Cisco Documentation Link

Cisco Unified Communications Manager (CallManager) TFTP File Browsing

The Cisco CallManager TFTP server component provides various configuration files to endpoints (phones, video devices, etc.) as well as things like ring tones, IP phone background images, and phone loads (firmware). There are times when it is convenient to directly access the files that the TFTP server is hosting such as when determining why a phone can’t download a new background or ring tone.

One method of accessing these files from Windows is to use the built in TFTP command line application. Simply open a command prompt and type:

tftp <server IP or hostname> get SEP<MACADDRESS>.cnf.xml

Microsoft documentation on this command is available here. On Windows 7 and later the TFTP client is not installed by default and you will need to enable it from the “Turn Windows Features On or Off” section of the “Programs and Features” Control Panel item.

Most Linux/Unix systems (including OS X) either include a tftp client or offer one as a package. It is invoked from the command line simply by typing:

tftp <server IP or hostname>
tftp> get SEP<MACADDRESS>.cnf.xml

If you are pulling a phone load rather than a text file, switch the client to binary mode first (the binary command at the tftp> prompt) so the firmware is not mangled by netascii translation. For more information reference the manual page (man tftp).

The other method of accessing these TFTP files is to use HTTP, which was made available in CallManager 8.x. The 89XX and 99XX series IP phones actually attempt to download files via HTTP and fall back to TFTP only when necessary. You can use this to your advantage and simply browse to http://<TFTP server IP or hostname>:6970/<File Name>. Keep in mind that this HTTP listener, like the TFTP server, hands the files out without any authentication: anyone who can reach the server and knows (or guesses) a phone’s MAC address can pull its configuration, which is why CUCM offers encrypted configuration files (the TFTP Encrypted Config enterprise parameter) for environments where the contents of those files matter.

For example if you wish to download a phone configuration file just put this in the address bar of your browser:

http://<TFTP server IP or hostname>:6970/SEP<MACADDRESS>.cnf.xml

Once downloaded simply open this file with any text or XML capable editor.
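Both retrieval methods, and the HTTP-then-TFTP order the 89XX/99XX phones follow, can be scripted. The following Python is an added example for this post, not Cisco’s code and not the phone firmware: it builds the SEP<MAC>.cnf.xml name from any MAC notation, tries HTTP on port 6970 first, and falls back to a minimal TFTP read client (RFC 1350, octet mode) that copes with error packets, retransmitted blocks and block-number wrap on large phone loads. The MAC address and the sample file are constructed, and so that the whole thing runs offline the demo at the bottom starts a one-shot TFTP server on loopback instead of talking to a real CallManager.

```python
import re
import socket
import struct
import threading
import urllib.request


def config_filename(mac):
    """Build SEP<MAC>.cnf.xml from any common MAC notation (colons, dashes, Cisco dotted)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"SEP{digits.upper()}.cnf.xml"


# TFTP (RFC 1350): opcodes and the fixed block size; a block shorter than 512 bytes ends the file
RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK = 512


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse_packet(pkt):
    """Return (opcode, block number or error code, payload) for a DATA/ACK/ERROR packet."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    opcode, num = struct.unpack("!HH", pkt[:4])
    return opcode, num, pkt[4:]


def tftp_get(host, filename, port=69, timeout=5.0):
    """Read one file in octet mode, coping with ERROR packets, duplicates and block wrap."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (host, port))
        data, expected = bytearray(), 1
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK)
            opcode, num, payload = parse_packet(pkt)
            if opcode == ERROR:
                msg = payload.rstrip(b"\0").decode(errors="replace")
                raise IOError(f"TFTP error {num} from {peer[0]}: {msg}")
            if opcode != DATA:
                continue
            if num != expected:                     # retransmitted block: re-ACK it, never append twice
                sock.sendto(build_ack(num), peer)
                continue
            data += payload
            sock.sendto(build_ack(num), peer)       # ACKs go to the server's transfer port, not 69
            expected = (expected + 1) % 65536       # block numbers wrap on multi-megabyte phone loads
            if len(payload) < BLOCK:
                return bytes(data)


def http_get(host, filename, port=6970, timeout=5.0):
    """What an 89XX/99XX phone tries first: plain HTTP on 6970, no proxy involved."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://{host}:{port}/{filename}", timeout=timeout) as resp:
        return resp.read()


def fetch_phone_file(host, filename, http_port=6970, tftp_port=69):
    """HTTP first, TFTP only if that fails; returns (method used, file contents)."""
    try:
        return "http", http_get(host, filename, http_port)
    except OSError:                                 # urllib.error.URLError is an OSError too
        return "tftp", tftp_get(host, filename, tftp_port)


# Offline demo: a one-shot TFTP server on loopback serving a constructed file (not a real CUCM file)
SAMPLE_CNF = b"<device><!-- constructed sample --></device>" + b" " * 1000   # > 512 bytes: several blocks


def _serve_once(listen, payload):
    _, client = listen.recvfrom(1024)                                # wait for the RRQ
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:   # fresh port = transfer ID
        xfer.settimeout(5.0)
        blocks = [payload[i:i + BLOCK] for i in range(0, len(payload) + 1, BLOCK)]
        for n, chunk in enumerate(blocks, 1):
            xfer.sendto(build_data(n, chunk), client)
            ack, _ = xfer.recvfrom(4)
            assert parse_packet(ack)[:2] == (ACK, n)


def loopback_demo():
    """Nothing listens on 6970 here, so HTTP fails and the TFTP fallback is exercised."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    port = listen.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listen, SAMPLE_CNF), daemon=True).start()
    method, body = fetch_phone_file("127.0.0.1", config_filename("00:11:22:aa:bb:cc"),
                                    http_port=6970, tftp_port=port)
    listen.close()
    return method, body == SAMPLE_CNF


if __name__ == "__main__":
    print(loopback_demo())
```

Against a real server, call fetch_phone_file("<TFTP server IP or hostname>", config_filename("aa:bb:cc:dd:ee:ff")) and write the returned bytes to disk; the first element of the tuple tells you which path actually served the file, which is handy when you are trying to work out why a particular phone model is not getting its files.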

Remember that, just as in the past, if you manually upload a new file to the CallManager TFTP server you need to stop and restart the Cisco TFTP service before the new file appears, whether you are accessing it via TFTP or HTTP.