Question on similar commands.

bermovick Member Posts: 1,135
I'm reviewing my Wallace/Watkins book, and I'm coming across a few things, whether questions about inconsistencies or whatever, so I'll be spending the next few days bugging this board with questions. Hope you don't mind :D

I'm on chapter 2, scribbling down notes so I have a '**** sheet' for my labbing, and I can't help but notice the similarity between the 'security authentication failure rate # log' and 'login block-for # attempts # within #' commands.

Obviously the 2nd command is more useful, by nature of having more options to choose, but other than that, is there any major difference between the 2? Situations where 1 is more useful than the other?

Now that I'm thinking though, I suppose they sort of overlap. The 2nd for automated/brute-force attacks where attempts are made rather quickly, while the first (with its lack of a within-seconds option) may be more for when someone is more passively trying to see if they can guess the login perhaps?

EDIT: err, except it still only blocks for 15 seconds, so I retract that. I don't see where the 1st command (security authentication failure) would be more useful than the other command.
Latest Completed: CISSP

Current goal: Dunno

Comments

  • bermovick Member Posts: 1,135
    Further investigation seems to suggest the 'security authentication failure' command is either deprecated or non-functional somehow. I tested this by setting the rate to 2 and doing several failed logins, with neither logging nor a 15-second delay (yes, I added the log flag).

    Unfortunately I'm also finding some problems with the login block-for, login delay and login on-failure commands. I've entered all 3 commands. Block-for is 60 seconds for 2 failures within 10 seconds. Delay set to 2, and on-failure logging set to log every 2 attempts. Since I wanted to clarify how the on-failure/success logging counts (is it every other, or 2 failures in a row?), I spammed a bunch of failed telnet attempts.

    talon@Hoopla:~$ date
    Wed Oct 20 22:31:44 CDT 2010

    talon@Hoopla:~$ telnet 192.168.1.200
    Trying 192.168.1.200...
    Connected to 192.168.1.200.
    Escape character is '^]'.


    User Access Verification

    Password:
    Password:
    Password:
    % Bad passwords
    Connection closed by foreign host.
    talon@Hoopla:~$ telnet 192.168.1.200
    Trying 192.168.1.200...
    Connected to 192.168.1.200.
    Escape character is '^]'.


    User Access Verification

    Password:
    Password:
    Password:
    % Bad passwords
    Connection closed by foreign host.
    talon@Hoopla:~$ telnet 192.168.1.200
    Trying 192.168.1.200...
    Connected to 192.168.1.200.
    Escape character is '^]'.


    User Access Verification

    Password:
    Password:
    Router>quit
    Connection closed by foreign host.
    talon@Hoopla:~$ date
    Wed Oct 20 22:32:18 CDT 2010
    talon@Hoopla:~$

    You can see in roughly 30 seconds there I had 7 failures and 1 success. Is there something further I need to have enabled for this to work?

    (yes, I'm using telnet; it's a lab and a blog entry and I haven't switched to using ssh in it yet)
  • bermovick Member Posts: 1,135
    After several searches I located a previous, similar thread here:
    http://www.techexams.net/forums/ccnp/53464-generating-failed-logins.html

    I've verified doing a 'login local' does make these commands start working.

    If you don't want to make user accounts for your local database (for whatever reason), I also got things working by turning on AAA and making the default method list use my enable secret pass.
    Router(config)#aaa new-model
    Router(config)#aaa authentication login ENABLE_AUTH enable
    Router(config)#aaa authentication login NO_AUTH none
    Router(config)#line con 0
    Router(config-line)#login authentication NO_AUTH
    Router(config-line)#line vty 0 15
    Router(config-line)#login authentication ENABLE_AUTH
    Tried telnetting in, and immediately noticed the 2-second delay between attempts, and after 2 failed attempts I got the logs
    *Mar 3 11:36:08.129: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed] at 11:36:08 UTC Sun Mar 3 2002

    *Mar 3 11:36:08.133: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 7 secs, [user: ] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 11:36:08 UTC Sun Mar 3 2002

    *Mar 3 11:36:13.993: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.168.1.3(39924) -> 0.0.0.0(23), 1 packet

    and
    talon@Hoopla:~$ telnet 192.168.1.200
    Trying 192.168.1.200...
    telnet: Unable to connect to remote host: Connection refused
    talon@Hoopla:~$

    I thought I'd just post the solution in case anyone else was having similar difficulties.
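Added example, not from the thread or Cisco: a small parser that turns the %SEC_LOGIN / %SEC-6-IPACCESSLOGP syslog lines shown above into per-source counts of failures, quiet-mode activations and ACL denies, which is the check a defender would run over exported router logs to confirm login block-for is actually kicking in. The sample lines are constructed copies of the post's output; field names in the `fields` dict are my own naming.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log, copied in shape from the thread's router output.
SAMPLE_LOG = """\
*Mar 3 11:36:08.129: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed] at 11:36:08 UTC Sun Mar 3 2002
*Mar 3 11:36:08.133: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 7 secs, [user: ] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 11:36:08 UTC Sun Mar 3 2002
*Mar 3 11:36:13.993: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.168.1.3(39924) -> 0.0.0.0(23), 1 packet
"""

# %FACILITY-SEVERITY-MNEMONIC: header that every IOS syslog message carries.
MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):")
# Bracketed key/value pairs used by the SEC_LOGIN messages, e.g. [Source: 192.168.1.3].
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): ?(?P<val>[^\]]*)\]")
# The ACL deny line emitted once quiet mode applies sl_def_acl to the vty port.
ACL_RE = re.compile(r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
                    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

@dataclass
class LoginEvent:
    mnemonic: str
    severity: int
    source: Optional[str]
    fields: dict = field(default_factory=dict)

def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one syslog line; returns None for lines without an IOS message header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}
    acl = ACL_RE.search(line)
    if acl:  # ACL deny lines carry the offending address in a different layout
        fields.update(acl.groupdict())
        fields["source"] = acl.group("src")
    return LoginEvent(m.group("mnemonic"), int(m.group("sev")), fields.get("source"), fields)

def summarize(log_text: str) -> dict:
    """Count failed logins, quiet-mode activations and ACL denies per source address."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.source is None:
            continue
        s = summary.setdefault(ev.source, {"failed": 0, "quiet_mode": 0, "denied": 0})
        if ev.mnemonic == "LOGIN_FAILED":
            s["failed"] += 1
        elif ev.mnemonic == "QUIET_MODE_ON":
            s["quiet_mode"] += 1
        elif ev.mnemonic == "IPACCESSLOGP":
            s["denied"] += 1
    return summary
```

A source that shows failures but never a QUIET_MODE_ON entry is the symptom from the second post: the counters are not ticking because no login method (login local or an AAA list) is configured on the line.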