Prevent brute force attack on VTY in Cisco IOS


Cisco starting IOS 12.3 introduced a simple but powerful feature to guard against brute force password guessing attack on remote access. The usual template followed when configuring VTY access is:
1. Configure ACL containing management IPs to be allowed to access the router through VTY 2. (Optional) Restrict VTY access protocol to ssh only (transport input ssh) 3. Apply this ACl to VTY : (config-line)# access-class <ACL> inn 4. (Optional) Single out one VTY line for a special remote access IP to be used if all VTY lines are currently in use: (config)# line vty 4
Now I enhanced this template with the following features: - Blocks login for 300 seconds after 5 failed logins within  50 seconds time interval login block-for 300 attempts 5 within 50
- apply specified ACl to VTY line when above event occurs, it is meant to exempt your managemnt IP form being blocked. After timed block expires this ACL gets removed from VTY and previous ACL that was applied before the event is reapplied back

login quiet-mode access-class anti-DOS

  • Logging rate-limitation to prevent cluttering logs with failed attempts `login on-failure log every 10
  • ACL allowing access:
ip access-list standard anti-DOS
permit 193.193.193.33
 remark Deny VTY access to anyone else if brute-force logins take up all VTY lines
  • Another nice feature is delay between login attempts:
    Sacramento(config)# login delay 2

The delay login above is in seconds.
Then in logs you will see the following failed attempts:

*May  2 02:04:14.105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:14  Sat May 2 2009
*May  2 02:04:22.112: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 05:04:22  Sat May 2 2009
*May  2 02:09:22.091: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 05:09:22  Sat May 2 2009