Information
After a configured number of failed logins within a set time window, the offending source IP address should be blocked from further login attempts for a configured period.
Rationale:
This makes brute-force attacks far less practical: an automated attacker that could otherwise try many passwords per second is throttled to a handful of attempts per block period, i.e. a few per minute at most.
Impact:
Besides impeding brute-force and dictionary login attacks, the feature logs the blocked attempts as such, giving the security operations team a clear signal to alert on. In addition, once the feature is enabled the device accepts login attempts no faster than once per second, rather than as fast as it can process them.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This configuration consists of three values:
A 'watch' (detection) time window, in seconds
The number of failed attempts within that window that triggers the block
The amount of time, in seconds, for which further login attempts from that source IP address are blocked
For NX-OS 7.x:
login block-for <block time window> attempts <fail count> within <detect time window>
For instance:
login block-for 120 attempts 5 within 120
For NX-OS 9.x:
system login block-for <block time window> attempts <fail count> within <detect time window>
For instance:
system login block-for 120 attempts 5 within 120
Almost any values will substantially impede brute-force or dictionary attacks. The main tuning consideration is that the block is keyed on the source IP address: administrators who connect through a shared NAT gateway or jump host share one failure counter and can lock each other out if the attempt threshold is set very low. Confirm the setting is present on the device with:
show running-config | include block-for
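The following is an added example (not part of the original benchmark text or of any Tenable audit file) showing how a practitioner might automate the compliance check described above against saved `show running-config` output. It recognises both command forms (the 7.x `login block-for ...` and the 9.x `system login block-for ...`), parses the three values, and evaluates them against policy thresholds. The sample configurations are constructed, not captured from real devices, and the thresholds MIN_BLOCK_FOR, MAX_ATTEMPTS and MIN_WITHIN are assumptions chosen to match the 120/5/120 example; the benchmark itself does not mandate specific values.

```python
import re
from typing import Optional

# Constructed sample `show running-config` excerpts (not from real devices).
# One NX-OS 7.x style line, one 9.x style line, and one with the feature absent.
SAMPLE_NXOS_7 = """\
version 7.0(3)I7(9)
hostname core-sw1
login block-for 120 attempts 5 within 120
feature ssh
"""

SAMPLE_NXOS_9 = """\
version 9.3(8)
hostname core-sw2
system login block-for 60 attempts 10 within 30
feature ssh
"""

SAMPLE_UNCONFIGURED = """\
version 9.3(8)
hostname core-sw3
feature ssh
"""

# The optional leading "system " keyword is the only difference between the
# 7.x and 9.x command forms, so one pattern covers both.
LOGIN_BLOCK_RE = re.compile(
    r"^\s*(?:system\s+)?login\s+block-for\s+(\d+)\s+attempts\s+(\d+)\s+within\s+(\d+)\s*$",
    re.MULTILINE,
)

# Hypothetical policy thresholds (assumption: chosen to match the 120/5/120
# example; the benchmark text does not prescribe exact values).
MIN_BLOCK_FOR = 120   # seconds the source IP stays blocked
MAX_ATTEMPTS = 5      # failed attempts allowed inside the detection window
MIN_WITHIN = 120      # seconds in the detection window


def parse_login_block(running_config: str) -> Optional[dict]:
    """Return {'block_for': s, 'attempts': n, 'within': s} or None if absent."""
    m = LOGIN_BLOCK_RE.search(running_config)
    if not m:
        return None
    block_for, attempts, within = (int(x) for x in m.groups())
    return {"block_for": block_for, "attempts": attempts, "within": within}


def check_login_block(running_config: str):
    """Evaluate a config against the thresholds; return (compliant, findings)."""
    parsed = parse_login_block(running_config)
    if parsed is None:
        # Device default: the feature is not configured at all.
        return False, ["login block-for is not configured (device default)"]
    findings = []
    if parsed["block_for"] < MIN_BLOCK_FOR:
        findings.append(f"block time {parsed['block_for']}s is below {MIN_BLOCK_FOR}s")
    if parsed["attempts"] > MAX_ATTEMPTS:
        findings.append(f"attempt threshold {parsed['attempts']} exceeds {MAX_ATTEMPTS}")
    if parsed["within"] < MIN_WITHIN:
        findings.append(f"detection window {parsed['within']}s is below {MIN_WITHIN}s")
    return not findings, findings


if __name__ == "__main__":
    for name, cfg in [("7.x", SAMPLE_NXOS_7), ("9.x", SAMPLE_NXOS_9), ("none", SAMPLE_UNCONFIGURED)]:
        ok, findings = check_login_block(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {findings}")
```

Feeding this the output of `show running-config` collected from each switch gives a pass/fail per device with the specific value that is out of policy, which is the same information the benchmark audit reports.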
Default Value:
By default this feature is not configured.