Account lockout policies can be implemented on Cisco equipment to prevent brute-force attacks. This tutorial explains how to use the login block-for command to block users if they exceed a certain number of incorrect login attempts. The login block-for command will block all telnet and SSH connections to that router if incorrect credentials are entered a specified number of times.
login block-for <Time period in seconds> attempts <Max no of failed attempts> within <Time period in seconds>
The command should be entered in configuration mode. Here is an example:
Router1(config)#login block-for 60 attempts 2 within 10
The command above will BLOCK all connections to Router1 for 60 seconds if the credentials are entered INCORRECTLY 2 times WITHIN a span of 10 seconds. If this policy is breached, you’ll get the following message on the console terminal:
%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 5 secs, [user: jesin] [Source: 10.0.0.4] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 17:01:34 UTC Thu Sep 22 2011
This means your router has entered “quiet mode”, during which it will NOT accept any telnet or SSH connections. The command show login failures will display the failed login attempts.
Router1#sh login failures
Total failed logins: 2
Detailed information about last 50 failures
Username    SourceIPAddr    lPort    Count    TimeStamp
jesin       10.0.0.4        22       2        17:01:34 UTC Thu Sep 22 2011
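For monitoring, the quiet-mode message shown earlier can be parsed on a syslog collector to see which source addresses keep tripping the policy. The following is an added example, not part of the original tutorial: the function names, the repeat threshold and every sample line except the first are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

TAG = "%SEC_LOGIN-1-QUIET_MODE_ON"
FIELD = re.compile(r"\[(\w+): ([^\]]*)\]")  # [user: jesin], [Source: 10.0.0.4], ...
STAMP = re.compile(r"\bat (\d{2}:\d{2}:\d{2}) \S+ (\w{3} \w{3} +\d{1,2} \d{4})")

# First entry is the message from the tutorial; the others are constructed samples.
SAMPLE = [
    "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 5 secs, "
    "[user: jesin] [Source: 10.0.0.4] [localport: 22] [Reason: Login Authentication Failed] "
    "[ACL: sl_def_acl] at 17:01:34 UTC Thu Sep 22 2011",
    "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 3 secs, "
    "[user: admin] [Source: 10.0.0.4] [localport: 23] [Reason: Login Authentication Failed] "
    "[ACL: sl_def_acl] at 17:05:02 UTC Thu Sep 22 2011",
    "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 8 secs, "
    "[user: root] [Source: 192.0.2.15] [localport: 22] [Reason: Login Authentication Failed] "
    "[ACL: sl_def_acl] at 17:20:47 UTC Thu Sep 22 2011",
]

def parse_quiet_mode(line):
    """Return the fields of a QUIET_MODE_ON message as a dict, or None for other lines."""
    if TAG not in line:
        return None
    fields = {key.lower(): value for key, value in FIELD.findall(line)}
    if not {"user", "source", "localport"} <= fields.keys():
        return None  # truncated or unexpected layout: do not guess
    fields["localport"] = int(fields["localport"])
    stamp = STAMP.search(line)
    # Router-local clock; the time-zone token is skipped, not converted.
    fields["when"] = (
        datetime.strptime(" ".join(stamp.groups()), "%H:%M:%S %a %b %d %Y") if stamp else None
    )
    return fields

def lockouts_by_source(lines):
    """Count how many times each source address pushed the router into quiet mode."""
    events = filter(None, map(parse_quiet_mode, lines))
    return Counter(event["source"] for event in events)

def repeat_sources(lines, minimum=2):
    """Sources that triggered quiet mode at least `minimum` times (assumed threshold)."""
    return sorted(src for src, n in lockouts_by_source(lines).items() if n >= minimum)

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_quiet_mode(line))
    print(repeat_sources(SAMPLE))
```

Because the block applies to all telnet and SSH connections, a source that appears repeatedly here is also repeatedly locking out legitimate administrators.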