Users Guide
Using the Local RACADM Command Line Interface
Configuring IP Blocking
IP blocking dynamically determines when excessive login failures occur from
a particular IP address and blocks (or prevents) the address from logging in to
iDRAC6 for a preselected time span.
The IP blocking features include:
• The number of allowed login failures (cfgRacTuneIpBlkFailCount)
• The time frame in seconds during which these failures must occur
(cfgRacTuneIpBlkFailWindow)
• The amount of time in seconds that the blocked IP address is prevented
from establishing a session after the allowed number of failures is exceeded
(cfgRacTuneIpBlkPenaltyTime)
As login failures accumulate from a specific IP address, they are registered by
an internal counter. When the user logs in successfully, the failure history is
cleared and the internal counter is reset.
NOTE: When login attempts are refused from the client IP address, some SSH clients
may display the following message: ssh_exchange_identification:
Connection closed by remote host.
See "iDRAC6 Enterprise Property Database Group and Object Definitions"
for a complete list of cfgRacTune properties.
"Log In Retry Restriction (IP Blocking) Properties" lists the user-defined
parameters.
Table 13-5. Log In Retry Restriction (IP Blocking) Properties

Property                   Definition
cfgRacTuneIpBlkEnable      Enables the IP blocking feature.
                           When consecutive failures
                           (cfgRacTuneIpBlkFailCount) from a single
                           IP address are encountered within a specific amount
                           of time (cfgRacTuneIpBlkFailWindow), all further
                           attempts to establish a session from that address are
                           rejected for a certain time span
                           (cfgRacTuneIpBlkPenaltyTime).
cfgRacTuneIpBlkFailCount   Sets the number of login failures from an IP address
                           before the login attempts are rejected.