nschlutter
Member
join:2003-02-07
Lakeville, MN
1 recommendation

to tired_runner

Re: Who keeps their router's SSH port open?

Another option is to enable some of the enhanced security features mentioned in this document

Basically these features allow you to deny logins after a certain number of failed logins as well as insert a delay between login attempts.

The quiet-mode can be accomplished with the commands:

login block-for X attempts Y within Z

An access-list can also be created that allows logins from certain network(s) during the quiet-mode time. The configuration for this looks like:

login quiet-mode access-class ACL

The delay is accomplished with the command:

login delay X

I wrote a blog post about this as well if you're looking for a slightly more wordy version.
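Putting the three commands from the post together, here is an added example of what a complete VTY hardening fragment looks like on IOS. It is not taken from the post or from nschlutter's blog; the ACL name MGMT-HOSTS, the 192.0.2.0/24 management subnet, the timer values and the VTY range are assumed placeholders.

```cisco
! Added example (not from the original post). MGMT-HOSTS, 192.0.2.0/24
! and the timer values are assumed placeholders; adjust to your network.
!
! Hosts that may still log in while the router is in quiet mode.
! Everything not permitted here is blocked during the quiet period
! (standard ACLs end with an implicit deny).
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
! Quiet mode: after 3 failed attempts within 60 seconds, refuse all
! logins for 300 seconds, except from sources matched by MGMT-HOSTS.
! The access-class line must follow block-for; it has no effect alone.
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
!
! Force a 2-second pause between successive login attempts on a line.
login delay 2
!
! Send every failed and successful login to syslog so the brute-force
! attempts (and the moment quiet mode triggers) are visible off-box.
login on-failure log
login on-success log
!
! Only accept SSHv2 on the VTY lines and authenticate against the
! local user database; the login block-for feature needs local or
! AAA authentication rather than a plain line password.
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verification from privileged EXEC:
!   show login           - block-for settings and whether quiet mode is active
!   show login failures  - recent failed attempts with their source addresses
```

With `login on-failure log`, a correlation rule on the syslog collector that counts failures per source over the same 60-second window the router uses gives an early warning before the router itself goes quiet.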
tired_runner
Premium Member
join:2000-08-25
CT
Interesting you post this now. I'm reading a Cisco Press book to get my CCNA Security and I just read past this very same topic explaining that command.

Cool stuff
HELLFIRE
MVM
join:2009-11-25

to nschlutter

Thanks for that as well nschlutter.

Cisco refers to the second feature as “quiet mode” and also includes an option to specify an access-list which is exempted during the block period.

The second line of configuration will reference the access-list created above to never block the specified networks.

A bit vague, then again some stuff on how Cisco does it is vague... till you put it into practice. I'm not referring to the way you write it up nschlutter, it's just personal experience with the way Cisco writes up the way their commands (are supposed) to work.

Also, a bit of a personal gripe... why'd it take Cisco till 12.4T to introduce this command...

Regards