|Finding ID||Version||Rule ID||IA Controls||Severity|
|By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.|
|Cisco IOS XE Router NDM Security Technical Implementation Guide||2019-07-25|
|Check Text ( C-95039r1_chk )|
| Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below. |
login block-for 900 attempts 3 within 120
Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.
If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.
|Fix Text (F-101883r1_fix)|
| Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below. |
R2(config)#login block-for 900 attempts 3 within 120