Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
664
Views
2
Helpful
3
Replies

What's the difference between "login block-for X attempts X within X" and "security authentication failure rate X"?

gravityfive
Level 1
Level 1

‎07-17-2014 02:00 PM - edited ‎03-10-2019 09:52 PM

What's the difference between, just for example, "login block-for 100 attempts 15 within 100" and "security authentication failure rate 3"?

Please ignore the numbers, I need to know what the differences are in commands and what they do, what they affect.

Labels:
0 Helpful
3 Replies 3

mohanak
Cisco Employee
Cisco Employee

‎07-18-2014 02:01 AM

security authentication failure rate number_of_failed_attempts : A global configuration mode command used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing a 15-second delay

login block-for 100 attempts 15 within 100 : Block all access after 15 failed login attempts within 100 Secs for the period of 100Secounds (1.40 Minutes).

The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.

The login block and login delay options introduced by this feature can be configured for Telnet or SSH virtual connections. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.

 

gravityfive
Level 1
Level 1
In response to mohanak

‎07-18-2014 06:04 AM

mohanak, thanks for the definitions.

These two commands seem to be redundant. They both introduce a delay or wait time after a specified number of failed login attempts. Why should I use one over the other? Are they meant for different purposes? If they serve identical purposes, why do they both exist? Especially since the login block-for command is much more powerful and customizable.

 

BTW, the "login delay" command makes ZERO sense to me, especially when considering these other two commands.

0 Helpful

gravityfive
Level 1
Level 1

‎07-20-2014 03:33 PM

Bump. Anyone else have an explaination of why I would choose to use one of these commands over the other? They are both global configuration commands.

0 Helpful
Customers Also Viewed These Support Documents