1.2.2 Configure IP Blocking on Failed Logins

Information

After a configured number of failed logins within a configured time window, further login attempts from the offending IP address should be blocked for a configured period.

Rationale:

This makes online brute force attacks far less practical: instead of trying passwords as fast as the device can process them (many attempts per second), an attacker is limited to the configured number of attempts per block window, which works out to a few attempts per minute.

Impact:

Not only does this impede brute force and dictionary login attacks, it also logs them as such, which gives defenders a clear signal to alert on. In addition, enabling this feature limits login attempts to one per second, rather than as fast as the device can process them.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

This configuration consists of three parameters, given in the order the command expects them:

block-for: the amount of time (in seconds) to block further login attempts from that IP address once the threshold is reached

attempts: the number of failed attempts that trigger the block

within: the 'watch' time window (in seconds) in which those failed attempts must occur

For NX-OS 7.x:
login block-for <block time window> attempts <fail count> within <detect time window>
for instance:
login block-for 120 attempts 5 within 120

For NX-OS 9.x:
system login block-for <block time window> attempts <fail count> within <detect time window>
for instance:
system login block-for 120 attempts 5 within 120

Both examples block further logins for 120 seconds after 5 failed attempts within any 120-second window.

Even modest values defeat most online brute force or dictionary attacks, because the attacker's guess rate is then bounded by the configured attempts per block window rather than by device throughput. Do not over-tune it, though: a very long block window also lets an attacker deliberately lock out legitimate administrators by sending failed logins, so keep out-of-band management access available.
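The following is an added audit example, not part of the benchmark or of Nessus: it parses a running-config excerpt for either command form shown above, extracts the three parameters, flags weak values, and computes the resulting upper bound on guesses per minute that the Rationale refers to. The thresholds in assess_login_block and the sample config excerpts are this example's own assumptions, not values from the benchmark.

```python
"""Audit an NX-OS running-config excerpt for the login block-for setting."""
import re
from typing import List, NamedTuple, Optional

# Matches both command forms on the page: NX-OS 7.x ("login block-for ...")
# and NX-OS 9.x ("system login block-for ..."). Keyword order is fixed.
_LOGIN_BLOCK_RE = re.compile(
    r"^\s*(?:system\s+)?login\s+block-for\s+(\d+)\s+attempts\s+(\d+)\s+within\s+(\d+)\s*$",
    re.MULTILINE,
)


class LoginBlock(NamedTuple):
    block_for: int  # seconds logins are refused once the threshold is hit
    attempts: int   # failed attempts that trigger the block
    within: int     # detection window (seconds) for counting failures


def parse_login_block(running_config: str) -> Optional[LoginBlock]:
    """Return the configured parameters, or None when the feature is absent
    (the NX-OS default)."""
    match = _LOGIN_BLOCK_RE.search(running_config)
    if match is None:
        return None
    block_for, attempts, within = (int(g) for g in match.groups())
    return LoginBlock(block_for, attempts, within)


def assess_login_block(cfg: Optional[LoginBlock],
                       min_block_for: int = 60,
                       max_attempts: int = 5,
                       min_within: int = 60) -> List[str]:
    """Return a list of findings; an empty list means the check passes.

    The thresholds are this example's assumptions for illustration, not
    values taken from the benchmark."""
    if cfg is None:
        return ["login block-for is not configured (NX-OS default)"]
    findings = []
    if cfg.block_for < min_block_for:
        findings.append(f"block-for {cfg.block_for}s is shorter than {min_block_for}s")
    if cfg.attempts > max_attempts:
        findings.append(f"attempts {cfg.attempts} exceeds {max_attempts}")
    if cfg.within < min_within:
        findings.append(f"within {cfg.within}s is shorter than {min_within}s")
    return findings


def max_guesses_per_minute(cfg: LoginBlock) -> float:
    """Rough upper bound on password guesses per minute once blocking is
    active: `attempts` guesses, then nothing for `block_for` seconds.
    Assumes the guesses themselves take negligible time and the failure
    counter restarts after each block (worst case for the defender)."""
    return cfg.attempts * 60.0 / cfg.block_for


# Constructed running-config excerpts (not captured from real devices).
SAMPLE_NXOS_7X = """\
!Command: show running-config
hostname nx7k-core1
login block-for 120 attempts 5 within 120
feature ssh
"""

SAMPLE_NXOS_9X = """\
!Command: show running-config
hostname nx9k-leaf1
system login block-for 300 attempts 3 within 60
feature ssh
"""

SAMPLE_UNCONFIGURED = """\
!Command: show running-config
hostname nx9k-leaf2
feature ssh
"""


if __name__ == "__main__":
    for name, text in [("7.x", SAMPLE_NXOS_7X), ("9.x", SAMPLE_NXOS_9X),
                       ("default", SAMPLE_UNCONFIGURED)]:
        cfg = parse_login_block(text)
        print(name, cfg, assess_login_block(cfg) or "PASS")
```

With the page's example values (5 attempts, 120-second block) the bound is 2.5 guesses per minute, which is where the "per minute ranges" figure in the Rationale comes from. On the device itself, the relevant line can be pulled with show running-config | include login and fed to parse_login_block.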

Default Value:

By default this feature is not configured.

See Also

https://workbench.cisecurity.org/benchmarks/6524