
Configure Login Block – login delay

Details

All login parameters are disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following defaults are enforced:

A default login delay of one second

All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

Rationale:

If the configured number of connection attempts fail within a specified time period, the Cisco device will not accept any additional connections for a ‘quiet period.’ (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)

The number of failed connection attempts that trigger the quiet period is specified with the global configuration mode command login block-for. The predefined ACL whose hosts are excluded from the quiet period is specified with the global configuration mode command login quiet-mode access-class.

Solution

To enable the feature, enter the following commands:

Hostname(config)# login block-for {seconds} attempts {tries} within {seconds}

All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued. Reference the ACL that permits the management hosts, then set the delay between successive login attempts:

Hostname(config)# login quiet-mode access-class {acl-name | acl-number}
Hostname(config)# login delay {seconds}

Default Value:

Login blocking is not enabled (no login block-for configured).
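As an added example (not part of the CIS article or of any Cisco tooling), the following Python audit parses saved "show running-config" text and reports whether the login block-for, quiet-mode ACL and login delay settings above are present and consistent. The sample configuration and the ACL name MGMT-HOSTS are constructed for the demonstration.

```python
import re

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
!
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
"""

def parse_login_settings(config):
    """Pull the login block-for / quiet-mode / delay values out of config text."""
    s = {"block_for": None, "attempts": None, "within": None,
         "quiet_acl": None, "delay": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"login block-for (\d+) attempts (\d+) within (\d+)", line)
        if m:
            s["block_for"], s["attempts"], s["within"] = map(int, m.groups())
        m = re.fullmatch(r"login quiet-mode access-class (\S+)", line)
        if m:
            s["quiet_acl"] = m.group(1)
        m = re.fullmatch(r"login delay (\d+)", line)
        if m:
            s["delay"] = int(m.group(1))
    return s

def acl_defined(config, acl):
    """True if a named or numbered ACL with this identifier appears in the config."""
    pat = rf"^(ip access-list \S+ {re.escape(acl)}|access-list {re.escape(acl)} )"
    return re.search(pat, config, re.M) is not None

def audit_login_block(config):
    """Return a list of findings; an empty list means the control is satisfied."""
    s = parse_login_settings(config)
    findings = []
    if s["block_for"] is None:
        # Nothing else takes effect until block-for is enabled (see Details above).
        findings.append("login block-for is not configured; other login commands are inactive")
        return findings
    if s["quiet_acl"] is None:
        findings.append("no login quiet-mode access-class; all Telnet/SSH denied during quiet period")
    elif not acl_defined(config, s["quiet_acl"]):
        findings.append(f"quiet-mode ACL {s['quiet_acl']} is referenced but not defined")
    if s["delay"] is None:
        findings.append("login delay not set; the 1-second default applies")
    return findings
```

Calling audit_login_block(SAMPLE_CONFIG) returns an empty list; feeding it a config without login block-for returns a single finding, since the remaining commands are inactive until that one is issued.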

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.


Updated on July 16, 2022