SSH and Login Block For

skwira001skwira001 Member Posts: 94 ■■■□□□□□□□
I am taking the CCNA Security course through the Cisco Networking Academy. I am doing the chapter 2 lab. The lab had me set the login block-for command. Then it went into setting up SSH. I am now getting to the point where it is having me set the ip SSH authentication retries. My thinking was that I already did that with the login block-for command. I tested this out, and sure enough after I setup SSH, it gave me 3 tries to login to the router through SSH. The login block-for command is setup to only give you 2 tries. The lab had me test this through Telnet.

What I'm wondering is, if the authentication retires for SSH takes precedence over the login block-for command, what's the point of even setting it if we don't use Telnet on our routers?

Comments

  • instant000instant000 Member Posts: 1,745
    skwira001 wrote: »
    I am taking the CCNA Security course through the Cisco Networking Academy. I am doing the chapter 2 lab. The lab had me set the login block-for command. Then it went into setting up SSH. I am now getting to the point where it is having me set the ip SSH authentication retries. My thinking was that I already did that with the login block-for command. I tested this out, and sure enough after I setup SSH, it gave me 3 tries to login to the router through SSH. The login block-for command is setup to only give you 2 tries. The lab had me test this through Telnet.

    What I'm wondering is, if the authentication retires for SSH takes precedence over the login block-for command, what's the point of even setting it if we don't use Telnet on our routers?

    Please paste your config here, and I'll look over it.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • lrblrb Member Posts: 526
    Could be wrong but doesn't the login commands work for ssh, telnet, and HTTP/s? And you would be suprised at how many people still use telnet for remote IP access *sigh*

    The block-for feature is only one of the IOS login enhancements remember. The on-failure log and on-success log commands are also part of that, and we use them on every router at work as part of our standard router hardening. Just because there is some overlap between block-for and the authentication-retries command doesn't mean all the other commands introduced aren't helpful :)
  • mamonomamono Member Posts: 776 ■■□□□□□□□□
    lrb wrote: »
    Could be wrong but doesn't the login commands work for ssh, telnet, and HTTP/s? And you would be suprised at how many people still use telnet for remote IP access *sigh*

    Yes, it is quite depressing that there are companies that still do this even though their network appears to be relatively secure with all data transmission encrypted within their corporate network infrastructure, but configuration and access of remote devices over that infrastructure is still via telnet. As the book teaches, one of the worst enemies to a corporate network is those from within.

    lrb wrote: »
    The block-for feature is only one of the IOS login enhancements remember. The on-failure log and on-success log commands are also part of that, and we use them on every router at work as part of our standard router hardening. Just because there is some overlap between block-for and the authentication-retries command doesn't mean all the other commands introduced aren't helpful :)

    Very true, the more you know, then the more prepared you can be. These can be very useful if something slips through change management and someone makes a change they were not supposed to. Though, checking every individual devices' logs can be tedious. Using syslogs or a log aggregation server would be more advisable to get those alerts.
Sign In or Register to comment.