The Cisco IOS XE router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-73973 | CISR-ND-000015 | SV-88647r3_rule | Medium |
| Description |
|---|
| By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| STIG | Date |
|---|---|
| Cisco IOS XE Release 3 NDM Security Technical Implementation Guide | 2018-12-20 |
Details
| Check Text ( C-74055r6_chk ) |
|---|
| Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts within a fifteen-minute period as shown in the example below. login block-for 600 attempts 3 within 900 Note: The configuration example above will block any logon attempt for 10 minutes after three consecutive invalid logon attempts. If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts within a fifteen-minute period, this is a finding. |
| Fix Text (F-80513r5_fix) |
|---|
| Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts within a fifteen-minute period as shown in the example below. login block-for 600 attempts 3 within 900 |