Cisco IOS Login Enhancements
In IOS release 12.3(4)T (integrated into 12.4), Cisco has finally introduced features (long available in Unix and Windows) that slow down dictionary attacks on a router. On top of logging login failures, you can also slow down the login process by delaying the router response after a login failure with the login delay seconds command.
On top of that, you can configure the router to enter quiet mode after several login failures have been detected in a specified timeframe with the login block-for seconds attempts tries within seconds configuration command. The quiet mode is implemented by applying an access-list to the VTY lines. You can specify the access-list yourself with the login quiet-mode access-class { acl-name-or-number } command, otherwise the router generates an access-list named sl_def_acl and applies it with the access-class in command to the VTY lines:
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
Warning: If you save router configuration during the quiet period, the access-class command will be saved to NVRAM.
The router also logs the entering and exiting of the quiet mode with log messages similar to the ones below:
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 43 secs, [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 19:21:17 UTC Sat Dec 2 2006
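A complete configuration putting the commands above together, added here as an example (not part of the original post). The management station 192.168.0.10 and the syslog server 192.168.0.50 are constructed addresses, and the ACL name MGMT-QUIET is an assumption.

```cisco
! Added example, not from the original post. Constructed values:
!   192.168.0.10 = management station, 192.168.0.50 = syslog server
!
! login block-for has to be configured before any other login command:
! enter quiet mode for 120 seconds after 3 failures within 60 seconds
login block-for 120 attempts 3 within 60
!
! Wait 2 seconds before answering a failed login attempt
login delay 2
!
! Generate the %SEC_LOGIN-4-LOGIN_FAILED / -5-LOGIN_SUCCESS messages
login on-failure log
login on-success log
!
! ACL applied to the VTY lines while in quiet mode. Hosts it permits can still
! log in; without it the router generates sl_def_acl and blocks everything.
ip access-list standard MGMT-QUIET
 permit host 192.168.0.10
 deny   any log
login quiet-mode access-class MGMT-QUIET
!
! Make sure the severity-1/4/5 messages actually land somewhere
logging buffered 16384 informational
logging trap informational
logging host 192.168.0.50
!
line vty 0 4
 login local
 transport input ssh
!
! Verification:
!   show login           - current mode and remaining quiet time
!   show login failures  - failed attempts recorded within the window
!
! If the configuration is saved while in quiet mode, "access-class MGMT-QUIET in"
! stays under line vty (see the warning above); remove it with
! "no access-class MGMT-QUIET in" once the quiet period is over.
```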
If I only want to start with login on-failure log and login on-success log, do I need to have an access list on the VTY interface? I configured it and I have logging set to info and I still don't see it.
Check your logging configuration (I usually use logging buffered to simplify things) and if you really don't get the messages, open a case with Cisco TAC.
I do have the logging buffered and I do have logging to syslog. Neither worked. I will open a case with TAC.
With the login quiet-mode access-class command, introduced in Cisco IOS Release 12.3(4)T, the Cisco IOS router uses the configured ACL to permit login attempts when the router switches to quiet mode. If this command is not configured, all connection attempts are denied during the quiet period.
The ACL also specifies IP addresses that are excluded from login failure counting using the login quiet-mode access-class {acl-name | acl-number} command.
Therefore, it is better to use a command such as login block-for 10 attempts 3 within 10. After I entered only this command on the Cisco router and started an identical attack, after the 3rd attempt the router stopped all sessions from the PC.