Cisco IOS Login Enhancements

Cisco has in IOS release 12.3(4)T (integrated into 12.4) finally introduced features (long available in Unix and Windows) that slow down dictionary attacks on a router. On top of logging of login failures, you can also slow down the login process by delaying the router response after a login failure with the login delay seconds command.

On top of that, the you can configure the router to enter quiet mode after several login failures have been detected in specified timeframe with the login block-for seconds attempts tries within seconds configuration command.The quite mode is implemented by applying an access-list to the VTY lines. You can specify the access-list yourself with the login quiet-mode access-class { acl-name-or-number } command, otherwise the router generates an access-list named sl_def_acl ...

Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
and applies it with the access-class in command to the VTY lines.

Warning: If you save router configuration during the quiet period, the access-class command will be saved to NVRAM.

The router also logs the entering and exiting of the quiet mode with log messages similar to the ones below:
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 43 secs, [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 19:21:17 UTC Sat Dec 2 2006

8 comments:

  1. I was wondering can we disable access list logging?

    ReplyDelete
  2. Sure you can ... just write your own access-list (similar to sl_def_acl) and use it for quiet mode blocking with the login quiet-mode access-class.

    ReplyDelete
  3. I just wanted to note that the quiet-mode access-class overrides your VTY access-class for the duration of quiet-mode. So, if you have a ACL applied to the VTY already and the router goes into quiet-mode, the quiet-mode access-class is used in place of your VTY ACL. When quiet-mode is over, your VTY ACL is re-applied.

    ReplyDelete
  4. Ivan,
    If I only want to start with login on-failure log and login on-success log, do I need to have access list on vty interface ? I configured it and i have logoiing set to info and i still don't see it

    ReplyDelete
  5. @Eugene: you don't need the ACL on a VTY line (it's only needed in quiet mode or if you want to enhance the router's security).

    Check your logging configuration (I usually use logging buffered to simplify things) and if you really don't get the messages, open a case with Cisco TAC.

    ReplyDelete
  6. Ivan,
    I do have the logging buffered and i do have logging to syslog . Neither worked. I will open a case with TAC

    ReplyDelete
  7. The sl_def_acl acl is generated anyway.
    With the login quiet-mode access-class command, introduced in Cisco IOS Release 12.3(4)T, the Cisco IOS router uses the configured ACL to permit login attempts when the router switches to quiet mode. If this command is not configured, all connection attempts are denied during the quiet period.

    The ACL also specifies IP addresses that are excluded from login failure counting using the login quiet-mode access-class {acl-name | acl-number} command

    ReplyDelete
  8. Bojan Alikavazović04 March, 2010 23:21

    I must mention that I worked on pen tests on Cisco routers with the help of Back Track. I noticed something very important, when you type the command login delay 10 (10 is the largest value in the Cisco IOS) and run dictionary attack, which has 30 parallel sessions at a time, every 10 seconds will be tested 30 combinations (it is possible to set a higher number of sessions in one attempt on attacking software). Login delay 10 command (typed alone on router) will not significantly slow the persistent attackers.

    Therefore, it is better to use a command such as login block-for 10 attempts 3 within 10. After I entered only this command on the Cisco router and started an identical attack, after the 3rd attempt router has stopped all sessions from the PC.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.