Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1565
Views
5
Helpful
2
Replies

What is the alarm - %LOGIN-3-TOOMANY_AUTHFAILS:

John Lee
Level 1
Level 1

‎01-23-2017 11:05 AM - edited ‎03-05-2019 07:53 AM

Hello;

I currently have a router which is generating a lot of alarms stating the following: 

%LOGIN-3-TOOMANY_AUTHFAILS: Too many Login Authentication failures have occurred in the last one minute on the line 393.

Not sure what line 393 is and slightly worries me that this is a real security issue.

Thanks

John 

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎01-23-2017 02:00 PM

Hello John

without knowing what exactly your router is being used for, try to increase the security authentication failure rate (the default is 10):

R1(config)#security authentication failure rate ?
<2-1024> Authentication failure threshold rate

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni

‎01-24-2017 06:40 AM

this is just a security syntax we have it running on our external routers internet facing to stop brute force attacks , you can also you login enhancements with this and block them for certain periods but allow your specific acl to still go though too7

login block-for 300 attempts 10 within 60
login quiet-mode access-class 166

If an attacker uses a brute-force attack or a dictionary attack when attempting to log in to a device, such as a router, multiple login attempts typically fail before the correct credentials are found. To mitigate these types of attacks, a Cisco IOS router can suspend the login process for 15 seconds, following a specified number of failed login attempts. By default, a 15-second delay is introduced after ten failed login attempts. However, the security authentication failure rate number_of_failed_attempts log configuration command (issued in global configuration mode) can be used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing the 15-second delay.

Example 3-8 illustrates setting the maximum number of attempts to five. Also, notice the log command, which causes a TOOMANY_AUTHFAILS syslog message to be written to a syslog server.

Example 3-8. Setting the Number of Failed Login Attempts

R1# conf term
R1(config)# security authentication failure rate 5 log
R1(config)# end
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card