|reply to Network Guy |
Re: Who keeps their router's SSH port open?
Another option is to enable some of the enhanced security features mentioned in this document
Basically these features allow you to deny logins after a certain number of failed logins as well as insert a delay between login attempts.
The quiet-mode can be accomplished with the commands:
login block-for X attempts Y within Z
An access-list can also be created that allows logins from certain network(s) during the quiet-mode time. The configuration for this looks like:
login quiet-mode access-class ACL
The delay is accomplished with the command:
login delay X
I wrote a blog post about this as well if you're looking for a slightly more wordy version
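Putting the three commands from the post together, here is a complete IOS configuration as an added example (not from the post or from Cisco's documentation). The ACL name MGMT-HOSTS, the 192.0.2.0/24 and 198.51.100.10 addresses, and the timer values are all assumed for illustration; pick your own management ranges and thresholds.

```cisco
! Added example; ACL name, addresses and timers are assumed, not from the post.
! Order matters: IOS requires "login block-for" to be configured before
! "login quiet-mode" or "login delay" are accepted.
!
! Hosts that may still log in while the router is in quiet mode
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 permit host 198.51.100.10
!
! Enter quiet mode for 300 seconds after 3 failed logins within 60 seconds
login block-for 300 attempts 3 within 60
! Exempt the management ACL from the block
login quiet-mode access-class MGMT-HOSTS
! Wait 2 seconds between successive login attempts
login delay 2
! Log both outcomes so the brute-force and the resulting block show up in syslog
login on-failure log
login on-success log
!
! Also limit the vty lines themselves to SSH and to the same management hosts
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
```

Two things to check after applying it: `show login` reports the current mode and the quiet-mode ACL, and `show login failures` lists the sources that tripped the threshold. The quiet-mode access-class only exempts those hosts from the block; it does not replace the vty `access-class`, and without it a quiet period locks out everyone, including you.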
Interesting you post this now. I'm reading a Cisco Press book to get my CCNA Security and I just read past this very same topic explaining that command.
|reply to nschlutter |
Thanks for that as well, nschlutter.
Quoting nschlutter:
> Cisco refers to the second feature as quiet mode and also includes an option to specify an access-list which is exempted during the block period.
> The second line of configuration will reference the access-list created above to never block the specified networks.

A bit vague, then again some stuff on how Cisco does it is vague... till you put it into practice. I'm not referring to the way you write it up, nschlutter, it's just personal experience with the way Cisco writes up the way their commands (are supposed) to work.
Also, a bit of a personal gripe... why'd it take Cisco till 12.4T to introduce this command...