17 December, 2013

Secure VTY Access in CISCO

#Password configuration: passwords must be at least 8 characters long
R1(config)#security passwords min-length 8
R1(config)#username root privilege 15 secret cisco
% Password too short - must be at least 8 characters. Password configuration failed
R1(config)#username root privilege 15 secret cisco123

#Block access for 100 seconds if 3 login attempts fail within 60 seconds
R1(config)#login block-for 100 attempts 3 within 60
*Mar  1 00:16:19.783: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 47 secs, [user: root] [Source: 10.0.10.25] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 00:16:19 UTC Fri Mar 2 20013

*Note: while the router is in quiet mode, nobody can log in to it.

#Allow access for only one host while the router is in quiet mode
R1(config)#access-list 1 permit host 10.0.10.254
R1(config)#login quiet-mode access-class 1
*Note: only 10.0.10.254 will be permitted to log in during quiet mode.
R1#show login
     A default login delay of 1 seconds is applied.
     Quiet-Mode access list 1 is applied.
     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 60 seconds or less,
     logins will be disabled for 100 seconds.
     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 29 seconds.
         Login failures for current window: 0.
     Total login failures: 6.

R1#show login
     A default login delay of 1 seconds is applied.
     Quiet-Mode access list 1 is applied.
     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 60 seconds or less,
     logins will be disabled for 100 seconds.
     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 77 seconds.
     Restricted logins filtered by applied ACL 1.

R1#show login failures
Total failed logins: 6
Detailed information about last 50 failures
Username        SourceIPAddr    lPort Count TimeStamp
root            10.0.10.25      22    6     00:24:00 UTC Fri Mar 1 2002

#Configure a login delay of 10 seconds (after a failed password, the next login attempt is accepted only after 10 seconds)
R1(config)#login delay 10

#Log every failed login attempt
R1(config)#login on-failure log
*Mar  1 00:32:09.763: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.10.25] [localport: 22] [Reason: Login Authentication Failed] at 00:32:09 UTC Fri Mar 2 20013
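A check that a saved running-config actually contains the settings configured above, as an added Python example that is not from the original post; the sample config text is constructed, the thresholds are the values used in the commands above, and the password hash is a placeholder:

```python
import re

# Constructed sample running-config excerpt (not captured from a real device);
# the secret hash is a placeholder, not a real IOS hash.
SAMPLE_CONFIG = """\
security passwords min-length 8
username root privilege 15 secret 5 $1$PLACEHOLDER
login block-for 100 attempts 3 within 60
login quiet-mode access-class 1
login delay 10
login on-failure log
access-list 1 permit host 10.0.10.254
"""
# Thresholds taken from the commands shown in the post.
MIN_PASSWORD_LEN, MAX_ATTEMPTS, MIN_DELAY = 8, 3, 10

def parse_login_settings(config):
    """Extract the VTY login-hardening settings from running-config text."""
    s = {"min_length": None, "block_for": None, "attempts": None, "within": None,
         "quiet_acl": None, "delay": None, "on_failure_log": False}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"^security passwords min-length (\d+)$", line):
            s["min_length"] = int(m.group(1))
        elif m := re.match(r"^login block-for (\d+) attempts (\d+) within (\d+)$", line):
            s["block_for"], s["attempts"], s["within"] = map(int, m.groups())
        elif m := re.match(r"^login quiet-mode access-class (\S+)$", line):
            s["quiet_acl"] = m.group(1)
        elif m := re.match(r"^login delay (\d+)$", line):
            s["delay"] = int(m.group(1))
        elif line == "login on-failure log":
            s["on_failure_log"] = True
    return s

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_login_settings(config)
    findings = []
    if s["min_length"] is None or s["min_length"] < MIN_PASSWORD_LEN:
        findings.append(f"password min-length below {MIN_PASSWORD_LEN}")
    if s["block_for"] is None:
        findings.append("login block-for not configured (no lockout on repeated failures)")
    elif s["attempts"] > MAX_ATTEMPTS:
        findings.append(f"login block-for allows more than {MAX_ATTEMPTS} attempts")
    if s["block_for"] is not None and s["quiet_acl"] is None:
        findings.append("no quiet-mode access-class: the admin host is locked out in quiet mode too")
    if s["delay"] is None or s["delay"] < MIN_DELAY:
        findings.append(f"login delay below {MIN_DELAY} seconds")
    if not s["on_failure_log"]:
        findings.append("login on-failure log not set: failed logins are not logged")
    return findings
```

Run `audit()` over the text of `show running-config` saved from each router; any finding names the missing or weakened command.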