asa or cat switch login retry lock

ronald.su
Level 1

hello,

I want to know if there is any way to prevent a brute-force login attack, e.g. if a user or IP fails to log in 5 times, the ASA or Catalyst switch locks the user or IP for 30 minutes.

How do I configure this?

PS:

On the ASA we currently use: aaa local authentication attempts max-fail 5

This requires a manual unlock of the user, which does not meet our requirement. We want the user or IP to auto-unlock after a period.

thanks


5 Replies

ronald.su
Level 1

We know the switch command:
SW3850(config)#login block-for 120 attempts 5 within 120

 

Now we just need the ASA command.

I don't believe there is a way to do something similar on the ASA.

I tried login block-for 1800 attempts 5 within 300 on my switch.

It seems it locks logins for the whole device, which makes a DoS attack possible.

Is there a way to lock only the user or IP?

thanks

No, I don't think you can do that on a per-user basis; however, what you can do in this case as a workaround would be to define an ACL and apply it to the device to exempt the IP/subnet defined in it from the blocking, kind of a backdoor access in addition to the console port. By doing that, during the blocking period the device will still allow access from the IP/subnet defined in the ACL. Here is an example:

access-list 150 permit tcp 192.168.0.0 0.0.0.255 any eq 22

login quiet-mode access-class 150
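The thread leaves the original request (lock one source for a fixed time, then unlock it by itself) unanswered on the box: `login block-for` is device-wide and the ASA's max-fail lockout is manual. As an added example that is not code from the thread or from Cisco, the script below applies that per-source rule off-box to the `%SEC_LOGIN-4-LOGIN_FAILED` messages a switch emits when `login on-failure log` is configured: 5 failures from one source within 300 s block that source for 1800 s, and the block expires on its own. It assumes syslog is forwarded to the host running it; the sample log lines are constructed for the example, and the `SourceLockout` and `process_log` names are mine.

```python
"""Per-source login lockout with automatic expiry, fed by IOS login syslog.

Added example, not code from the thread or from Cisco. Assumptions: syslog
is forwarded to the host running this, `login on-failure log` is enabled so
LOGIN_FAILED messages carry the source address, and the sample lines below
are constructed, not captured from a device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# IOS login-failure message; the trailing "at <clock>" is the device clock.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[0-9A-Fa-f.:]+)\].*? at "
    r"(?P<time>\d\d:\d\d:\d\d) \S+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)


def parse_failure(line):
    """Return (epoch_seconds, source_ip, clock) for a LOGIN_FAILED line, else None."""
    m = LOGIN_FAILED.search(line)
    if m is None:
        return None
    when = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
    return when.replace(tzinfo=timezone.utc).timestamp(), m["src"], m["time"]


class SourceLockout:
    """Sliding-window failure counter with a timed block per source address."""

    def __init__(self, attempts=5, within=300, block_for=1800):
        self.attempts, self.within, self.block_for = attempts, within, block_for
        self.failures = defaultdict(deque)   # src -> times of recent failures
        self.blocked_until = {}              # src -> epoch when the block expires

    def is_blocked(self, src, now):
        """True inside the block window. An expired block is dropped here,
        so the unlock needs no operator action."""
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[src]
            return False
        return True

    def record_failure(self, src, now):
        """Register one failure; return 'drop', 'block' or 'fail'."""
        if self.is_blocked(src, now):
            return "drop"            # as with login block-for, the block is not extended
        window = self.failures[src]
        window.append(now)
        while window and now - window[0] > self.within:
            window.popleft()         # forget failures older than the window
        if len(window) >= self.attempts:
            self.blocked_until[src] = now + self.block_for
            window.clear()           # counting restarts after the unlock
            return "block"
        return "fail"


def process_log(text, policy=None):
    """Replay syslog text in order; return one (clock, src, decision) per failure."""
    if policy is None:
        policy = SourceLockout()
    events = []
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue                 # successes and unrelated messages are ignored
        now, src, clock = parsed
        events.append((clock, src, policy.record_failure(src, now)))
    return events


# Constructed sample in the IOS message format (not captured from a device).
_FAIL = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: {src}] "
         "[localport: 22] [Reason: Login Authentication Failed] at {t} UTC Mon Jan 1 2024")
SAMPLE_LOG = "\n".join([
    _FAIL.format(src="10.0.0.5", t="12:00:00"),
    _FAIL.format(src="10.0.0.5", t="12:00:10"),
    _FAIL.format(src="10.0.0.5", t="12:00:20"),
    _FAIL.format(src="10.0.0.5", t="12:00:30"),
    _FAIL.format(src="10.0.0.5", t="12:00:40"),   # fifth failure in 40 s: block
    _FAIL.format(src="10.0.0.9", t="12:01:00"),   # other source is unaffected
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] "
    "[localport: 22] at 12:01:05 UTC Mon Jan 1 2024",
    _FAIL.format(src="10.0.0.5", t="12:20:00"),   # still inside the 1800 s block
    _FAIL.format(src="10.0.0.5", t="12:31:00"),   # block expired: counted afresh
])

if __name__ == "__main__":
    for clock, src, decision in process_log(SAMPLE_LOG):
        print(clock, src, decision)
```

What to do with a `block` decision is left to the operator (push a deny entry for that source, or raise an alert); the point is that the lockout is per source and times out by itself, which neither `login block-for` nor `aaa local authentication attempts max-fail` provides. Failures that arrive while a source is blocked are reported as `drop` and do not extend the block, matching the fixed-duration behaviour of `login block-for`.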

balaji.bandi
Hall of Fame

Look at some recommendations for Preventing Network Attacks; does this work for you?

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/protect.html

BB
