Since 2005 Cisco IOS has offered several security enhancements to help mitigate the risks of dictionary attacks used against login sessions. Now you are probably wondering why I’m blogging about something more than 7 years after it was released. I rarely see people implement any of these features and I’m hoping to raise the visibility of these simple configurations.
If you’ve ever left SSH open to the internet I’m confident you’ve seen how quickly a dictionary attack will commence. There are two basic ways to combat this issue. The first, and highly recommended, way is to simply block SSH access from the internet. The second option involves slowing down dictionary attacks to the point where usernames and passwords can’t be tested quickly enough to guess a valid combination thereof.
The Cisco IOS login enhancements include two features:
- Introducing a delay between successive login attempts
- Blocking all login attempts once a failure threshold is reached
By introducing even a small delay the time taken for a remote attacker to apply a dictionary attack is greatly increased.
Cisco refers to the second feature as “quiet mode” and also includes an option to specify an access-list which is exempted during the block period.
A quick example should tie all these pieces together. First we will create an access-list that permits specific network(s) from which logins will never be denied.
ip access-list extended SSH_IN remark Local Network permit ip 10.1.0.0 0.0.0.255 any
Next we will configure the login blocking which requires three parameters. These three parameters are the length of time to block for, the number of failed attempts after which to take action and the period of time during which to monitor failed logins. Here’s the completed configuration to block logins for 60 seconds after 3 failed attempts within a 60 second period. The second line of configuration will reference the access-list created above to never block the specified networks.
login block-for 60 attempts 3 within 60 login quiet-mode access-class SSH_IN
Previously I mentioned that a simple delay between login attempts would greatly slow down dictionary attacks. This delay can be accomplished using the following configuration. The delay duration is specified in seconds.
login delay 2