RUGGEDCOM ROX II
CLI User Guide
Chapter 6
Security
Enabling/Disabling Brute Force Attack Protection 127
Parameter Description
Default: 10
This parameter is not supported and any value is ignored by the system.
3. Type commit and press Enter to save the changes, or type revert and press Enter to abort.
Section6.3
Enabling/Disabling Brute Force Attack Protection
RUGGEDCOM ROX II features a Brute Force Attack (BFA) protection mechanism to prevent attacks via the CLI, Web
interface and NETCONF. This mechanism analyzes the behavior of external hosts trying to access the SSH port,
specifically the number of failed logins. After 15 failed login attempts, the IP address of the host will be blocked
for 720 seconds or 12 minutes. The range of 15 failed login attempts exists to take into account various methods
of accessing the device, notably when the same or different ports are used across a series of failed logins.
IMPORTANT!
The BFA protection system is not applicable to SNMP. Follow proper security practices for configuring
SNMP. For example:
• Do not use SNMP over the Internet
• Use a firewall to limit access to SNMP
• Do not use SNMPv1
NOTE
Failed logins must happen within 10 minutes of each other to be considered malicious behavior.
Once the time has expired, the host will be allowed to access the device again. If the malicious behavior continues
from the same IP address (e.g. another 15 failed login attempts), then the IP address will be blocked again, but the
time blocked will increase by a factor of 1.5. This will continue as long as the host repeats the same behavior.
IMPORTANT!
Enabling, disabling or making a configuration change to the firewall will reset – but not disable – the
BFA protection mechanism. Any hosts that were previously blocked will be allowed to log in again. If
multiple hosts are actively attacking at the time, this could result in reduced system performance.
When BFA protection is started, the following Syslog entry is displayed:
Jun 5 09:36:34 ruggedcom firewallmgr[3644]: Enabling Brute Force Attack Protection
When a host fails to login, an entry is logged in auth.log. For example:
Jun 5 10:12:52 ruggedcom confd[3386]: audit user: admin/0 Provided bad password
Jun 5 10:12:52 ruggedcom rmfmgr[3512]: login failed, reason='Bad password', user ipaddr='172.11.150.1'
Jun 5 10:12:52 ruggedcom confd[3386]: audit user: admin/0 Failed to login over ssh: Bad password
Auth.log also details which IP addresses are currently being blocked:
Jun 5 14:43:04 ruggedrouter sshguard[24720]: Blocking 172.59.9.1:4 for >630secs: 60 danger in 5 attacks
over 70 seconds (all: 60d in 1 abuses over 70s).
To Next Page
Loading...
Need help?
General
