Login Password Retry Lockout

Problem

You want to stop attackers from brute-forcing the passwords of local user accounts on your routers.

Solution

To enable local user account locking, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#

Warning

This command can itself create a denial of service: an attacker who knows or can guess your usernames can deliberately fail enough logins against each one to lock every configured account, leaving no one able to log in until an administrator clears the lockouts.

Discussion

By default, a router configured for local authentication allows an unlimited number of login attempts. It drops the login session after three failed attempts, but an attacker can simply open a new session and try again immediately, so nothing stops a brute-force attack against your passwords.

Beginning with IOS Version 12.3(14)T, Cisco introduced a feature that limits the number of unsuccessful login attempts on routers configured to use local authentication. Once that number is exceeded, the user ID is locked until an administrator unlocks it. Once an account is locked, the router silently ignores further attempts to gain access with the locked user ID, so there is no distinction between ...
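The following session is an added example, not part of the book's recipe: it shows how an administrator checks for and clears a lockout created by the configuration above, and how to store the local password as a hash instead of the reversible form the recipe uses. The hostname Router1 and the account kwiley are taken from the recipe; the show output is illustrative, and the lock time shown is made up.

```cisco
! Added example (not from the book). Assumes the recipe's configuration is
! already in place: aaa new-model, local_auth method list, max-fail 6.

! List accounts that are currently locked out (illustrative output).
Router1#show aaa local user lockout
        Local-user              Lock time
        kwiley                  04:28:49 UTC Sat Jun 19 2004

! Unlock one account, or every locked account at once.
Router1#clear aaa local user lockout username kwiley
Router1#clear aaa local user lockout all

! Reset the failed-attempt counter for an account that is not yet locked,
! so a few accidental typos do not push it over the max-fail threshold.
Router1#clear aaa local user fail-attempts username kwiley

! Prefer "secret" over "password": the recipe's "username ... password"
! form is stored reversibly (type 7 at best), while "secret" stores a hash.
Router1#configure terminal
Router1(config)#no username kwiley
Router1(config)#username kwiley secret test123
Router1(config)#end
Router1#
```

Because a locked account is silently ignored, `show aaa local user lockout` is the only way to tell a locked user apart from one who is simply mistyping the password, so check it first when a legitimate user reports being unable to log in.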
