1.6.1 Configure Login Block - login quiet-mode

Information

All login parameters are disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following defaults are enforced:

A default login delay of one second

All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

Rationale:

If the configured number of connection attempts fail within a specified time period, the Cisco device will not accept any additional connections for a 'quiet period.' (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)

The number of failed connection attempts that trigger the quiet period can be specified via the new global configuration mode command login block-for. The predefined ACL that is excluded from the quiet period can be specified via the new global configuration mode command login quiet-mode access-class.

Solution

To enable the feature, enter the following commands in global configuration mode:

Hostname(config)#login block-for {**seconds**} attempts {**tries**} within {**seconds**}

All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

Hostname(config)#login quiet-mode access-class {**acl-name | acl-number**}
Hostname(config)#login delay {**seconds**}
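A complete worked configuration, added here as an illustration and not taken from the benchmark: the ACL name MGMT-ACCESS, the management subnet 10.0.0.0/24 and the timing values are assumed and should be adjusted to the local environment.

```cisco
! Standard ACL listing the management hosts that may still log in during a quiet period
! (assumed management subnet 10.0.0.0/24)
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny   any
!
! Enter a 120-second quiet period after 3 failed login attempts within 60 seconds
login block-for 120 attempts 3 within 60
!
! Exempt the management ACL from the quiet period; without this line every
! Telnet/SSH login, including administrators', is refused while the quiet period runs
login quiet-mode access-class MGMT-ACCESS
!
! Enforce a 3-second delay between successive login attempts
! (once block-for is configured the default delay is 1 second)
login delay 3
!
! Record failed attempts in syslog so quiet-period triggers are visible to monitoring
login on-failure log
```

Verify with show login, which reports the configured block-for parameters, the quiet-mode ACL, and whether the device is currently in quiet mode.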

Default Value:

no login-block enabled

See Also

https://workbench.cisecurity.org/files/3762

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Cisco

Control ID: 44fb9d6c161c155b208bd0be14d666c9f54c8338764cfbbd9ed6e7915a242464