June 17, 2010

Cisco IOS Security: Quiet Period Login

Cisco IOS's "Quiet Period" (quiet mode) is a window during which the router refuses all virtual login attempts (telnet, SSH and HTTP) for a configured number of seconds, once a configured number of login attempts have failed within a configured time window.

While it is quite unusual to allow virtual access to a router from the WAN link at all, it does not hurt to go a step further and enable this feature: it blunts password-guessing (dictionary) attacks against the router, whether they come from the WAN side or from the LAN side.

The command used to enable the “Quiet Period” is “login block-for” in Global Configuration mode.

edge(config)#login block-for 600 attempts 5 within 2

In other words: if 5 login attempts fail within 2 seconds, block virtual logins for 10 minutes (600 seconds).

Further Options

While this command alone is enough to get us where we want to be, it is worth considering the following two additions.

1. Log failed login attempts

edge(config)# login on-failure log

You can review the recorded failures by issuing "show login failures"; "show login" shows the current login settings and whether the router is in quiet mode.

2. Prevent administrative hosts from being locked out during the Quiet Period

login quiet-mode access-class {acl-name |acl-number}

edge(config)#login quiet-mode access-class adminIPs

By defining an access list named adminIPs that contains the addresses (or address range) of the administrative hosts, we avoid being locked out ourselves while the router is in its Quiet Period. This matters because, without the exemption, an attacker can deliberately trigger the quiet period and keep the administrators out. Note that this access list only applies while quiet mode is active; it does not replace the usual "access-class ... in" restriction on the vty lines.

I hope that was informative,

Cheers,

Ali