Cisco Router Login Lockdown
This post covers various security features built into Cisco IOS that help prevent unauthorized access to your Cisco router or switch. While these features won't stop a determined attacker with physical access to your device, they will provide some basic protection against network-based attacks and casual snooping.
Login Block Feature
The login block feature allows you to temporarily block login attempts if too many failed attempts are detected within a specified time period. This helps protect against brute force attacks.
To configure login blocking:
Router(config)# login block-for 300 attempts 5 within 60

This command blocks all login attempts for 300 seconds (5 minutes) if 5 failed login attempts occur within 60 seconds. Two things to keep in mind: the failure counter is global, not per source address, so a single remote host can push the router into quiet mode and lock everyone else out (which is why the quiet-mode exception below matters), and login block-for has to be configured before any of the other login commands in this post are accepted.
Quiet Mode
When login blocking is active, the router enters "quiet mode" and refuses all login attempts arriving over the network (Telnet, SSH and HTTP). You can configure an exception so that specific hosts can still reach the router during quiet mode:

Router(config)# login quiet-mode access-class ADMIN_HOSTS

This requires creating an access list named ADMIN_HOSTS whose permit entries define the management addresses that bypass the login block. Without it, an attacker who trips quiet mode also locks out the administrators who need to get in and investigate.
Login Enhancement (Login Delay)
The login enhancement feature introduces a delay between failed login attempts, making brute force attacks much slower and less effective.
Router(config)# login delay 3

This enforces a 3-second wait between successive login attempts; the delay is applied uniformly to every attempt, not only after a failure. It can be configured from 1 to 10 seconds, and once login block-for is configured a 1-second delay is in effect by default even if you never enter this command.
Login on Success
This feature generates a syslog message for every successful login, recording the username, source address and local port, which gives administrators a trail for spotting logins from unexpected hosts or at unexpected times.

Router(config)# login on-success log

This logs successful login attempts to the system log.
Login on Failure
Similar to login on success, this feature logs failed login attempts:
Router(config)# login on-failure log

You can also configure it to log only once per a given number of failures, which keeps a flood of bad attempts from filling the log:

Router(config)# login on-failure log every 3

This writes one message for every 3 failed login attempts (the 3rd, 6th, 9th and so on), so the log undercounts failures by a factor of 3; keep that in mind when you read the numbers back. Both commands also accept a trap keyword to send an SNMP trap as well as, or instead of, the syslog message.
Password Security
Beyond login controls, ensure your passwords are secure:
Enable Password vs Enable Secret
Always use enable secret instead of enable password. The enable secret is stored as a one-way hash (Type 5, salted MD5, on older software), while enable password stores the password in plaintext or, at best, the reversible Type 7 encoding described below. A Type 5 hash can still be brute-forced offline by anyone who obtains the configuration, so on IOS releases that support it prefer the stronger hash types: enable algorithm-type sha256 secret (Type 8, PBKDF2) or enable algorithm-type scrypt secret (Type 9). Avoid Type 4, an unsalted single-iteration SHA-256 that shipped in some 15.x releases and is weaker than Type 5.

Router(config)# enable secret MyStrongPassword123!

Service Password-Encryption
Enable password encryption to prevent passwords from being displayed in plaintext in the configuration:
Router(config)# service password-encryption

Note that this provides only weak, reversible encoding (Type 7): each byte is XORed with a fixed, publicly known key, and free tools decode it instantly. It is mainly to prevent casual over-the-shoulder viewing of passwords in show running-config; treat any Type 7 string in a leaked configuration as already compromised. It also does nothing for enable secret or username name secret entries, which are hashed regardless.
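To show concretely why Type 7 is not protection, here is an added Python example (my own code, not from the original post and not a Cisco tool) that implements the well-known Type 7 transform: a fixed key, an offset given by the first two digits of the stored string, and a byte-wise XOR. The configuration snippet it scans is constructed for the example; the string 1511021F0725 is the widely published Type 7 encoding of "cisco".

```python
"""Added example: decode Type 7 ("service password-encryption") strings.

Type 7 is a byte-wise XOR against a fixed, publicly known key.  The first two
characters of the stored string are the decimal offset into that key and the
rest is the XORed password as hex.  Nothing here is secret, so anyone holding
a config can recover every Type 7 password in it.
"""
import re

# The fixed key IOS uses for Type 7 (well known; not a secret).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches lines such as "username x password 7 <hex>" or " password 7 <hex>".
TYPE7_LINE = re.compile(r"^(?P<line>.*\bpassword 7 (?P<hex>[0-9A-Fa-f]{4,}))\s*$",
                        re.MULTILINE)


def type7_decrypt(encoded: str) -> str:
    """Reverse one Type 7 string, e.g. '1511021F0725' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed Type 7 string: {encoded!r}")
    seed = int(encoded[:2])                      # starting offset into XLAT
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plain: str, seed: int = 15) -> str:
    """Forward transform.  IOS picks the seed itself (0-15); exposing it here
    makes the point that the 'encryption' is an invertible XOR, not a hash."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


def reveal_type7(config_text: str) -> list[tuple[str, str]]:
    """Scan a running-config and return (config line, recovered password) pairs.
    Hashed entries (enable secret, username ... secret) are left alone because
    there is nothing to reverse."""
    found = []
    for m in TYPE7_LINE.finditer(config_text):
        found.append((m["line"].strip(), type7_decrypt(m["hex"])))
    return found


# Constructed configuration snippet for the example (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
!
username admin privilege 15 password 7 1511021F0725
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
line vty 0 4
 password 7 0538030C33495A58
 login local
"""

if __name__ == "__main__":
    for line, pw in reveal_type7(SAMPLE_CONFIG):
        print(f"{line!r:56} -> {pw!r}")
```

Run it against a saved running-config and every "password 7" line comes back in clear text; the enable secret line is untouched because a hash has no inverse, which is the whole difference the post is drawing.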
Example Complete Configuration
Here's an example combining these security features:
Router(config)# login block-for 300 attempts 3 within 60
Router(config)# login delay 2
Router(config)# login on-success log
Router(config)# login on-failure log every 2
Router(config)# service password-encryption
Router(config)# enable secret Cisco123!
Router(config)# username admin privilege 15 secret AdminPass456!

(The passwords above are placeholders; use long, unique values of your own.)

Monitoring Login Security
Use these commands to monitor login security status:
Router# show login
Router# show login failures
Router# show users

The show login command displays the current login block configuration and whether quiet mode is active, including how many seconds it will remain in effect. The show login failures command shows recent failed login attempts with the username, source address and time of each. show users lists the sessions currently connected, which is worth comparing against what you expect after a spate of failures.
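The show commands only work while you are on the box. For the same picture from a syslog server, here is an added Python example (my own code, not from the post and not a Cisco tool) that parses the %SEC_LOGIN messages produced by login on-success log and login on-failure log, tallies failures per source address, and replays the login block-for 300 attempts 5 within 60 rule from the Login Block section over them, so you can see when the router would have entered quiet mode and which source pushed it there. The bracketed [user: ...] [Source: ...] fields are the format IOS uses for these messages; the "Mon DD HH:MM:SS hostname:" prefix, the year, and the log lines themselves are constructed for the example.

```python
"""Added example: analyse %SEC_LOGIN syslog messages and replay the
`login block-for <block> attempts <n> within <secs>` rule over them."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOS's own message content is the bracketed [user: ...] [Source: ...] pairs.
# The "Mon DD HH:MM:SS host:" prefix is assumed to come from a syslog server.
SEC_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?"
    r"%SEC_LOGIN-\d-(?P<event>\w+):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]"
)


def parse_events(log_text: str, year: int = 2024) -> list[dict]:
    """Return one dict per %SEC_LOGIN line; unrelated lines are skipped.
    The syslog prefix carries no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = SEC_LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "event": m["event"],
                       "user": m["user"], "src": m["src"]})
    return events


def failures_by_source(events: list[dict]) -> dict[str, int]:
    """Count LOGIN_FAILED messages per source address."""
    counts: dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["event"] == "LOGIN_FAILED":
            counts[ev["src"]] += 1
    return dict(counts)


def replay_block_for(events: list[dict], block_for: int = 300,
                     attempts: int = 5, within: int = 60) -> list[tuple]:
    """Mimic the IOS watch window: the first failure opens a window of
    `within` seconds; `attempts` failures from ANY source inside it start a
    quiet period of `block_for` seconds.  Returns (start, end, source that
    tripped it) for each quiet period.  Modelled as a fixed window opened by
    the first failure, which is how `show login` reports its 'current window'."""
    periods = []
    quiet_until = None
    window_start, count = None, 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGIN_FAILED":
            continue
        if quiet_until is not None and ev["ts"] < quiet_until:
            # Network logins are refused in quiet mode, so a failure logged here
            # can only come from a host the quiet-mode ACL lets through; it does
            # not feed the watch window.
            continue
        if window_start is None or ev["ts"] - window_start > timedelta(seconds=within):
            window_start, count = ev["ts"], 0          # open a new watch window
        count += 1
        if count >= attempts:
            quiet_until = ev["ts"] + timedelta(seconds=block_for)
            periods.append((ev["ts"], quiet_until, ev["src"]))
            window_start, count = None, 0
    return periods


def analyse(log_text: str):
    events = parse_events(log_text)
    return failures_by_source(events), replay_block_for(events)


# Constructed sample: a remote host hammering SSH, an admin getting in from a
# quiet-mode-exempt address, and one unrelated message the parser must ignore.
SAMPLE_LOG = """\
Jan 15 10:00:01 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:00:05 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:00:09 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:00:14 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:00:20 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:00:30 edge-rtr: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
Jan 15 10:06:00 edge-rtr: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Jan 15 10:06:05 edge-rtr: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

if __name__ == "__main__":
    counts, periods = analyse(SAMPLE_LOG)
    print("failures by source:", counts)
    for start, end, src in periods:
        print(f"quiet mode {start:%H:%M:%S} to {end:%H:%M:%S}, tripped by {src}")
```

On the sample, the fifth failure from 192.0.2.10 at 10:00:20 trips quiet mode until 10:05:20, and the admin's 10:00:30 login from 10.0.0.5 only succeeds because that address is exempt; the 10:06:00 failure from a different host opens a fresh window after quiet mode has ended. Feed this only logs from a router left at login on-failure log (the default of one message per failure): with every 3 configured the log records a third of the attempts and the replay would undercount.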
Best Practices
- Use long, unique passwords; length does more against offline cracking of a leaked hash than forcing a mix of uppercase, lowercase, numbers and special characters
- Configure login blocking to prevent brute force attacks
- Enable logging for both successful and failed login attempts
- Use local user accounts with privilege levels rather than shared passwords
- Consider implementing AAA (Authentication, Authorization, and Accounting) for larger networks
- Regularly review logs for suspicious activity
- Keep router software updated to patch security vulnerabilities
These basic security measures will significantly improve your router's resistance to unauthorized access attempts while maintaining ease of administration for legitimate users.