Login-Block (DoS and Dict-Attack Protection) in Cisco IOS
Cisco IOS devices can be protected against login DoS (Denial-of-Service) and dictionary attacks with the Login Block feature, described in detail in the Cisco IOS documentation chapter "Cisco IOS Login Enhancements (Login Block)". Once the configured number of failed logins is reached within the watch window, the switch or router enters Quiet-Mode: unless an own quiet-mode Access Control List has been configured, it generates an Access Control List called sl_def_acl, which denies all Telnet, HTTP and SSH logins for the configured time period.
2. Check Login-Block configuration
By default Login-Block is disabled, which can be verified with the command show login:
#show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks
To test the behaviour with Login-Block disabled, I'm going to attack the switch over SSH with the password cracking tool Hydra. In this case I'm using a simple wordlist with default passwords for a couple of routers. The wordlist contains 51 passwords, so Hydra runs through all 51 login attempts.
The logging output of the switch accordingly shows every SSH connection attempt and every failed username/password login.
3. Configure Access Control List with Management IP
During an attack the default Login-Block Access Control List sl_def_acl drops all connection attempts, so no administrative access is possible while the device is in Quiet-Mode. To avoid locking yourself out, an Access Control List permitting the management IP addresses must be configured and applied to login quiet-mode. Such an Access Control List might look like this (one permit entry per management host):
#conf t
ip access-list extended LOGIN_ACCESS
 permit ip host [IP_OF_MGMT_HOST] any
 permit ip host [IP_OF_MGMT_HOST] any
 permit ip host [IP_OF_MGMT_HOST] any
!
4. Configure Login-Block
The following commands configure Login-Block with a quiet period of 60 seconds once 5 failed attempts occur within 10 seconds. Failed and successful logins are logged, a delay of 1 second is enforced between login attempts, and the Access Control List with the management IP addresses is applied to Quiet-Mode:
#conf t
! 60 seconds / 5 attempts / 10 seconds
login block-for 60 attempts 5 within 10
login delay 1
login on-failure log
login on-success log
login quiet-mode access-class LOGIN_ACCESS
A show login command now shows that Login-Block is active:
#show login
A login delay of 1 seconds is applied.
Quiet-Mode access list LOGIN_ACCESS is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 10 seconds or less, logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window remaining time 4 seconds.
Present login failure count 0.
5. Testing Login-Block
Again I'm using Hydra for a dictionary attack, but this time the attack tool stops with an error:
The logging output of the switch now shows that Login-Block has entered Quiet-Mode with the Access Control List for the management IPs applied. The failed login attempts also stop after 5 failures, matching the configured attempts 5.
During the attack, show login shows that the device is in Quiet-Mode:
#show login
A login delay of 1 seconds is applied.
Quiet-Mode access list LOGIN_ACCESS is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 10 seconds or less, logins will be disabled for 60 seconds.
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 53 seconds.
Restricted logins filtered by applied ACL LOGIN_ACCESS.
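To make the "5 attempts within 10 seconds, block for 60 seconds" policy from section 4 and the Quiet-Mode log behaviour from section 5 concrete, the following added example (written for this page, not code from the original post or from Cisco) parses %SEC_LOGIN syslog lines, replays the block-for policy over the login attempts found in them and checks that the replay enters Quiet-Mode exactly where the device logged QUIET_MODE_ON. The log lines are constructed in the IOS %SEC_LOGIN format rather than captured from the switch, the management address 192.0.2.10 and attacker address 198.51.100.7 are assumptions, and the watch-window model (a fixed window opened by the first failure, cleared when the quiet period ends) is an assumption made for the example, not a description of IOS internals.

```python
"""Replay of the Cisco IOS login block-for policy over %SEC_LOGIN syslog lines.

Thresholds mirror the page's configuration: login block-for 60 attempts 5 within 10.
The watch window is modelled as a fixed window that opens on the first failure
and is cleared when the quiet period ends; that model is an assumption made
for this example, not a statement about IOS internals.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK_FOR = 60   # seconds spent in Quiet-Mode
ATTEMPTS = 5     # failures that trigger Quiet-Mode
WITHIN = 10      # watch window in seconds
MGMT_HOSTS = {"192.0.2.10"}   # hosts permitted by the quiet-mode ACL (assumed address)

# Header and field patterns for %SEC_LOGIN messages written with
# "service timestamps log datetime msec"; syslog sequence-number prefixes are not handled.
HDR_RE = re.compile(
    r"^\*?\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)(?:\.(?P<ms>\d{3}))?:\s+"
    r"%SEC_LOGIN-\d-(?P<name>[A-Z_]+):")
USER_RE = re.compile(r"\[user: ([^\]]*)\]")
SRC_RE = re.compile(r"\[Source: ([^\]]+)\]")

# Constructed sample in the IOS %SEC_LOGIN format (not captured from the page's device):
# 198.51.100.7 fails five times in five seconds, the device enters Quiet-Mode,
# the management host still logs in, and the attacker resumes after the 60 s block.
_FAIL = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] "
         "[localport: 22] [Reason: Login Authentication Failed]")
SAMPLE_LOG = "\n".join(
    [f"*Mar  1 10:00:0{i}.000: {_FAIL} at 10:00:0{i} UTC Mon Mar 1 1993" for i in range(1, 6)]
    + ["*Mar  1 10:00:05.000: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures "
       "is 6 secs, [user: admin] [Source: 198.51.100.7] [localport: 22] "
       "[Reason: Login Authentication Failed] [ACL: LOGIN_ACCESS] at 10:00:05 UTC Mon Mar 1 1993",
       "*Mar  1 10:00:30.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] "
       "[Source: 192.0.2.10] [localport: 22] at 10:00:30 UTC Mon Mar 1 1993",
       "*Mar  1 10:01:05.000: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block "
       "period timed out at 10:01:05 UTC Mon Mar 1 1993",
       f"*Mar  1 10:01:10.000: {_FAIL} at 10:01:10 UTC Mon Mar 1 1993"])


@dataclass
class Event:
    t: float               # seconds since midnight; the sample spans a single day (assumption)
    name: str              # LOGIN_FAILED, LOGIN_SUCCESS, QUIET_MODE_ON, QUIET_MODE_OFF
    user: Optional[str]
    src: Optional[str]


@dataclass
class Replay:
    quiet_intervals: List[Tuple[float, float, str]] = field(default_factory=list)  # start, end, trigger
    refused: List[Tuple[float, str]] = field(default_factory=list)   # attempts dropped in Quiet-Mode
    exempt: List[Tuple[float, str]] = field(default_factory=list)    # attempts let through by the ACL
    failures_by_source: Dict[str, int] = field(default_factory=dict)


def parse_events(text: str) -> List[Event]:
    """Turn %SEC_LOGIN syslog lines into Events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"] or 0) / 1000
        user, src = USER_RE.search(line), SRC_RE.search(line)
        events.append(Event(t, m["name"], user.group(1) if user else None,
                            src.group(1) if src else None))
    return events


def replay(events: List[Event], attempts=ATTEMPTS, within=WITHIN,
           block_for=BLOCK_FOR, mgmt_hosts=MGMT_HOSTS) -> Replay:
    """Apply the block-for policy to a stream of login attempts."""
    r = Replay()
    quiet_until: Optional[float] = None
    window_start: Optional[float] = None
    count = 0
    for e in sorted(events, key=lambda ev: ev.t):
        if e.name not in ("LOGIN_FAILED", "LOGIN_SUCCESS"):
            continue   # QUIET_MODE_* lines are the device's verdict, not attempts
        if quiet_until is not None and e.t < quiet_until:
            # Quiet-Mode: only sources matched by the quiet-mode ACL get through
            (r.exempt if e.src in mgmt_hosts else r.refused).append((e.t, e.src))
            continue
        if quiet_until is not None:     # block period elapsed: back to Normal-Mode
            quiet_until, window_start, count = None, None, 0
        if e.name != "LOGIN_FAILED":
            continue
        r.failures_by_source[e.src] = r.failures_by_source.get(e.src, 0) + 1
        if window_start is None or e.t - window_start > within:
            window_start, count = e.t, 0   # (re)open the watch window
        count += 1
        if count >= attempts:
            quiet_until = e.t + block_for
            r.quiet_intervals.append((e.t, quiet_until, e.src))
            window_start, count = None, 0
    return r


def quiet_on_matches(events: List[Event], r: Replay) -> bool:
    """True when the replay enters Quiet-Mode exactly when the device logged QUIET_MODE_ON."""
    device = sorted(e.t for e in events if e.name == "QUIET_MODE_ON")
    return device == [start for start, _, _ in r.quiet_intervals]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    result = replay(evs)
    for start, end, src in result.quiet_intervals:
        print(f"Quiet-Mode from {start:.0f}s to {end:.0f}s, triggered by {src}")
    print("exempt:", result.exempt, "refused:", result.refused)
    print("replay agrees with device log:", quiet_on_matches(evs, result))
```

Feeding the replay a failure that falls inside the 60-second block (something the device itself never logs, because the ACL drops the connection) lands it in the refused list without raising the failure count, which is the behaviour the Hydra error in section 5 reflects; a login from a host in MGMT_HOSTS during the same interval lands in the exempt list, which is the reason for the LOGIN_ACCESS list in section 3.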
Conclusion: Login-Block is a quick and cheap way to stop dictionary attacks against Cisco switches and routers from running through a wordlist and to bound the load a login flood puts on the device. Two caveats: without a quiet-mode ACL the feature locks administrators out as well, and an attacker who keeps sending failed logins can hold the device in Quiet-Mode, so the Access Control List with the management IP addresses is part of the configuration, not an option. It also does not replace strong credentials, AAA and restricting management access to trusted networks.