Fix the IOS quiet mode for the IOS HTTP(S) server

The IOS documentation claims that the quiet mode the router enters after a series of login failures blocks all telnet (or ssh) sessions as well as HTTP requests. Unfortunately the latter is wrong; you can execute any HTTP request on the router during the quiet mode.

If you want to block HTTP requests during the quiet mode, you can use EEM applets to change the HTTP server configuration when the quiet mode is started and completed.
First you need to configure a standard numbered IP access list that will be used to block HTTP requests during the quiet mode (the ip http access-class command accepts only numbered ACLs), for example:
access-list 95 deny any log
Then you define two EEM applets: one that triggers when the router enters the quiet mode (matching the SEC_LOGIN-1-QUIET_MODE_ON syslog message) and another that runs when the quiet mode ends (triggered by the SEC_LOGIN-5-QUIET_MODE_OFF message). Both applets modify the router configuration, changing the access list referenced by the ip http access-class command: the first applies the blocking ACL (95), the second switches back to the access list you normally use (70 in this example).
event manager applet EnterQuietMode
event syslog occurs 1 pattern "SEC_LOGIN-1-QUIET_MODE_ON" period 1
action 1.0 cli command "configure terminal"
action 1.1 cli command "ip http access-class 95"
action 2.0 syslog msg "Entered Quiet mode on HTTP server"
!
event manager applet ExitQuietMode
event syslog occurs 1 pattern "SEC_LOGIN-5-QUIET_MODE_OFF" period 1
action 1.0 cli command "configure terminal"
action 1.1 cli command "ip http access-class 70"
action 2.0 syslog msg "Exiting Quiet mode on HTTP server"
A sample logging printout illustrating the operation of this solution is included below:
%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 38 secs, [user: a] [Source: 10.0.0.2] [localport: 80] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 11:35:04 UTC Thu May 3 2007
%HA_EM-6-LOG: EnterQuietMode: Entered Quiet mode on HTTP server
%SYS-5-CONFIG_I: Configured from console by vty0
%SEC-6-IPACCESSLOGNP: list 95 denied 0 0.0.0.0 -> 10.0.0.2, 1 packet
%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 11:36:34 UTC Thu May 3 2007
%HA_EM-6-LOG: ExitQuietMode: Exiting Quiet mode on HTTP server
%SYS-5-CONFIG_I: Configured from console by vty0
Note: the SYS-5-CONFIG_I messages are generated when the EEM applets modify router configuration.
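The printout above also tells you whether the workaround actually did its job: each QUIET_MODE_ON should be followed by the EnterQuietMode confirmation, each QUIET_MODE_OFF by the ExitQuietMode confirmation, and any HTTP attempt in between should show up as a list 95 deny. The following script is an added example (not part of the original post) that correlates those messages per quiet-mode episode; the regular expressions assume the message formats shown in the printout, and the sample log is constructed from them, with a second, invented episode in which the applets never fire.

```python
import re
from datetime import datetime

QUIET_ACL = "95"  # ACL the EnterQuietMode applet applies (from the post)
TS_FMT = "%H:%M:%S UTC %a %b %d %Y"  # trailing timestamp on SEC_LOGIN messages
RE_ON = re.compile(r"%SEC_LOGIN-1-QUIET_MODE_ON: .*\[Source: (?P<src>[\d.]+)\].* at (?P<ts>.+)$")
RE_OFF = re.compile(r"%SEC_LOGIN-5-QUIET_MODE_OFF: .* at (?P<ts>.+)$")
RE_EEM = re.compile(r"%HA_EM-6-LOG: (?P<applet>\w+): ")
RE_DENY = re.compile(r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\d+) denied .*, (?P<n>\d+) packet")

# Constructed sample log (modelled on the post's printout); episode 2 is invented to show a failure.
SAMPLE_LOG = """\
%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 38 secs, [user: a] [Source: 10.0.0.2] [localport: 80] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 11:35:04 UTC Thu May 3 2007
%HA_EM-6-LOG: EnterQuietMode: Entered Quiet mode on HTTP server
%SEC-6-IPACCESSLOGNP: list 95 denied 0 0.0.0.0 -> 10.0.0.2, 1 packet
%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 11:36:34 UTC Thu May 3 2007
%HA_EM-6-LOG: ExitQuietMode: Exiting Quiet mode on HTTP server
%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 12 secs, [user: b] [Source: 10.0.0.3] [localport: 80] [Reason: Login Authentication Failed - BadPassword] [ACL: sl_def_acl] at 12:00:00 UTC Thu May 3 2007
%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:01:30 UTC Thu May 3 2007
"""

def audit_quiet_mode(log_text):
    """Group each QUIET_MODE_ON/OFF pair with its EEM confirmations and ACL denies."""
    episodes, cur = [], None
    for line in log_text.splitlines():
        if m := RE_ON.search(line):
            cur = {"start": datetime.strptime(m["ts"], TS_FMT), "end": None, "src": m["src"],
                   "enter_applet": False, "exit_applet": False, "http_denied": 0}
            episodes.append(cur)
        elif cur is None:
            continue  # nothing to correlate outside an episode
        elif m := RE_EEM.search(line):
            if m["applet"] == "EnterQuietMode":
                cur["enter_applet"] = True
            elif m["applet"] == "ExitQuietMode" and cur["end"]:
                cur["exit_applet"] = True
                cur = None  # episode fully closed
        elif (m := RE_DENY.search(line)) and m["acl"] == QUIET_ACL:
            cur["http_denied"] += int(m["n"])  # HTTP request blocked by ACL 95
        elif m := RE_OFF.search(line):
            cur["end"] = datetime.strptime(m["ts"], TS_FMT)
    return episodes

def findings(ep):
    """Alert strings a monitoring system could raise for one episode."""
    return [msg for cond, msg in (
        (not ep["enter_applet"], "EnterQuietMode applet did not fire: HTTP server left open"),
        (ep["end"] and not ep["exit_applet"], "ExitQuietMode applet did not fire: HTTP still blocked"),
        (ep["http_denied"] > 0, f"{ep['http_denied']} HTTP packet(s) denied during quiet mode"),
    ) if cond]
```

Run against a syslog archive, the first episode produces only the informational deny count, while the second raises both "applet did not fire" alerts, which is the condition you want to catch before assuming the HTTP server was protected.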