Configure the Login Security Service
Configuration Condition
None
Enable the System Login Security Service
To enhance system security, the device provides a system login security service. It includes the following functions:
- Prevention of brute-force cracking of user login passwords.
- Prevention of fast connections.
Brute-force cracking prevention stops malicious or unauthorized users from forcibly cracking the user name and password used to log in to the device. If the number of consecutive login authentication failures of a user reaches the number specified by the system, the system rejects login requests from that IP address or from that user for the specified period of time.
Fast connection prevention stops unauthorized users from initiating a large number of login requests within a short period of time, which could occupy a lot of system and network resources. If the number of repeated login connections from a user reaches a specified number, the system rejects login connection requests from that IP address for the specified period of time.
Table 7-8 Enabling the System Login Security Service
| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable the system login security service. | service login-secure { telnet \| ssh \| ftp \| snmp } | Mandatory. By default, the system login security service is enabled. |
Configure the Parameters of the System Login Security Service
Table 7-9 Configuring the Parameters of the System Login Security Service
| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Configure how long the Telnet module forbids an IP address from logging in. | login-secure telnet ip-addr forbid-time forbid-time-number | Mandatory. By default, it is 10 minutes. |
| Configure the maximum number of successive login authentication failures after which the Telnet module forbids an IP address. | login-secure telnet ip-addr max-try-time max-try-time-number | Mandatory. By default, it is 5 times. |
| Configure the aging time of the information recorded by the Telnet module for IP address forbidding. | login-secure telnet ip-addr record-aging-time record-aging-time-number | Mandatory. By default, it is 15 minutes. |
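The following is an added example, not code from the device or its vendor: a small Python model of how the three Telnet parameters in Table 7-9 interact, run over constructed login events. The class and function names are hypothetical, and two behaviours are assumptions not stated on this page: a failure record expires once no new failure arrives within record-aging-time, and a successful login clears the failure count.

```python
from dataclasses import dataclass, field

@dataclass
class LoginSecure:
    """Per-IP lockout model; times in minutes, defaults taken from Table 7-9."""
    max_try_time: int = 5        # successive failures that trigger the ban
    forbid_time: int = 10        # how long the IP stays forbidden
    record_aging_time: int = 15  # idle time after which a failure record expires
    fails: dict = field(default_factory=dict)      # ip -> (count, last failure time)
    forbidden: dict = field(default_factory=dict)  # ip -> time the ban ends

    def attempt(self, ip, now, password_ok):
        """Handle one login at minute `now`; return rejected/accepted/failed."""
        if ip in self.forbidden:
            if now < self.forbidden[ip]:
                return "rejected"          # not even authenticated while forbidden
            del self.forbidden[ip]
        count, last = self.fails.get(ip, (0, now))
        if now - last >= self.record_aging_time:
            count = 0                      # assumption: stale record ages out
        if password_ok:
            self.fails.pop(ip, None)       # assumption: success ends the failure streak
            return "accepted"
        count += 1
        if count >= self.max_try_time:
            self.fails.pop(ip, None)
            self.forbidden[ip] = now + self.forbid_time
        else:
            self.fails[ip] = (count, now)
        return "failed"

def replay(events, **params):
    """Run (minute, ip, password_ok) tuples through the model, in time order."""
    svc = LoginSecure(**params)
    return [svc.attempt(ip, t, ok) for t, ip, ok in sorted(events)]

# Constructed sample events; 192.0.2.x and 198.51.100.x are documentation addresses.
GUESSING = [(m, "192.0.2.10", False) for m in range(5)] + [
    (5, "192.0.2.10", True),    # correct password, but inside the 10-minute ban
    (14, "192.0.2.10", True),   # ban imposed at minute 4 has ended
]
SLOW = [(m, "198.51.100.7", False) for m in (0, 1, 2, 3, 20)] + [
    (21, "198.51.100.7", True), # fifth failure came after the record aged out
]

if __name__ == "__main__":
    for name, ev in (("guessing", GUESSING), ("slow", SLOW)):
        print(name, replay(ev))
```

Under these assumptions, the second trace shows why record-aging-time is worth tuning together with max-try-time: with the default 15 minutes the fifth failure does not trigger a ban, while `replay(SLOW, record_aging_time=30)` does forbid the address.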