cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Smart Net Total Care Community!

Our community includes Cisco experts to answer your questions about the Smart Net Total Care (SNTC) portal and CSP-Collector.
Click the navigation links below to access materials for using our service and supported collectors.

488
Views
10
Helpful
3
Replies
Highlighted
Enthusiast

CSPC 2.7.4.1; CLI Account Locked

I've been trying to access the CSPC CLI without success, and it appears that our Nessus scanning appliance has locked all CLI accounts.  I can reinstall the appliance, but I would like to know how to transition these accounts so that, 1) the root can only be used locally and not for remote login to prevent it from being locked out, 2) how to create an alternate account that would not be used by Nessus for scanning access, 3) how to prevent a permanent lockout for the admin account (which is what appears to have happened).

 

GUI access is working fine.

 

Trying to work in a world of balancing security awareness and get stuff done.  By that I mean, it's impractical for me to ask the security team to not scan this appliance because it could lock the accounts; these systems need to be monitored.  It also isn't practical for me to redeploy when one of these lockout events occur; major waste of time. [Sorry for the rant!]

Everyone's tags (2)
3 REPLIES 3
Cisco Employee

Re: CSPC 2.7.4.1; CLI Account Locked

Hello,



The CLI accounts will remain locked for only 30 minutes if too many failed authentication attempts have been made. However direct root access via SSH to the CSPC appliances is disabled by default on the images. To remotely access root, you can use the "collectorlogin" CLI account and change users over to root using "su -". Unfortunately there is no way to add new accounts for CLI or change the security settings at this time.



If scanning from Nessus application can be scheduled, you may be able to have it run during a window where CSPC is not being used for up to 30 minutes in case of CLI account lockout.



Thank you,

Jarrett


Enthusiast

Re: CSPC 2.7.4.1; CLI Account Locked

I have tried logging back into the device, with the last known 'admin' password, but I get another message that the account is locked, "Account locked due to XXX failed logins". The Nessus has not attempted to scan the device in over 24 hours. Will the admin account password revert to another password after too many attempts (seems that I have seen mention of something like this in another discussion)?



Also, thank you for clarification of the root account and remote access.


Cisco Employee

Re: CSPC 2.7.4.1; CLI Account Locked

Hello Gregory,



The password for the 'admin' account will not be changed during lockout. However, if after 30 minutes you are still seeing the lockout message, it may indicate that the password being used is no longer correct.



If you have access to collectorlogin and root, you can try to login and set a new password for admin using "passwd admin" command.



Thank you,

Jarrett


CreatePlease to create content
Right-rail
Navigation
Be sure to bookmark these support pages and use them in the future to find all the self-help information.
Helpful Links