96 Chapter 3: Defending the Perimeter
Enabling Cisco IOS Login Enhancements for Virtual Connections
Administrators, and therefore attackers, can create virtual connections to an IOS router
using Telnet, SSH, and HTTP. Because an attacker does not need physical access to a router
to attempt one of these “virtual” connections, you should further secure these connection
types using the Cisco IOS Login Enhancements feature. This feature adds the following
requirements to the login process:
■ Create a delay between repeated login attempts.
■ Suspend the login process if a denial-of-service (DoS) attack is suspected.
■ Create syslog messages upon the success and/or failure of a login attempt.
These login enhancements are not enabled by default. To enable the login enhancements
with their default settings, you can issue the login block-for command in global
configuration mode. The default login settings specify the following:
■ A delay of 1 second occurs between successive login attempts.
■ No virtual connection (that is, a connection using Telnet, SSH, or HTTP) can be made
during the “quiet period,” which is a period of time in which virtual login attempts are
blocked, following repeated failed login attempts.
You, as an administrator, might want to alter the supported virtual login parameters to better
detect and protect against DoS and/or dictionary attacks. Table 3-9 provides a command
reference for these parameters.
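The configuration below is an added illustration, not an example from the book, of tightening the login-enhancement defaults described above: a quiet period of 60 seconds after 3 failed attempts within 30 seconds, a 3-second delay between attempts, syslog messages on failure and success, and an exception so that a management host (ACL name MGMT-HOSTS and the address 192.0.2.10 are assumed values) can still reach the router during the quiet period. The login block-for command must be entered before the delay, quiet-mode, and logging options are accepted.

```cisco
! Added example (not from the book). Values are assumptions chosen
! for illustration; adjust to your own policy.
Router# configure terminal
! Block virtual logins for 60 s after 3 failures within 30 s.
Router(config)# login block-for 60 attempts 3 within 30
! Force a 3 s pause between successive login attempts (default is 1 s).
Router(config)# login delay 3
! Hosts matched by this ACL may still log in during the quiet period.
Router(config)# ip access-list standard MGMT-HOSTS
Router(config-std-nacl)# permit 192.0.2.10
Router(config-std-nacl)# exit
Router(config)# login quiet-mode access-class MGMT-HOSTS
! Generate a syslog message for every third failed attempt and for
! each successful login.
Router(config)# login on-failure log every 3
Router(config)# login on-success log
Router(config)# end
! Confirm the settings and whether the router is currently in
! normal mode or quiet mode.
Router# show login
```

Note that a quiet period blocks Telnet, SSH, and HTTP logins alike, so without the quiet-mode access-class exception an attacker who keeps failing logins could lock administrators out of remote management as well; the ACL keeps the DoS protection from becoming a DoS against you.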
Table 3-8 Cisco IOS Resilient Configuration Steps

Step 1: Enable image resilience
  The secure boot-image command, issued in global configuration mode, secures the Cisco IOS image. The secured image is hidden so that it does not appear in a directory listing of files.

Step 2: Secure the boot configuration
  The secure boot-config command, issued in global configuration mode, archives the running configuration of a router to persistent storage.

Step 3: Verify the security of the bootset
  The show secure bootset command can be used to verify that Cisco IOS Resilient Configuration is enabled and that the files in the bootset have been secured.