Brute force protection function for the router password
The router's protection against password brute force works for the device's external interfaces on HTTP (TCP/80), Telnet (TCP/23) and HTTPS (TCP/443), SSHv2, FTP protocols and on the Internet cloud side of the KeenDNS service.
This protection is enabled in the router by default. If someone enters incorrect login credentials 5 times within 3 minutes, his IP address will be blocked for 15 minutes.
This looks as follows:
The intruder accesses the web interface of the router.
He enters an incorrect login and password. Once the protection is triggered, the router's web interface stops responding to requests from the IP address from which the access was attempted.
The system log of the router shows the following entries:
Oct 26 14:30:39 ndm Core::Scgi::Auth: authentication failed for user admin. Oct 26 14:30:43 ndm Core::Scgi::Auth: authentication failed for user test. Oct 26 14:30:47 ndm Core::Scgi::Auth: authentication failed for user user1. Oct 26 14:30:51 ndm Core::Scgi::Auth: authentication failed for user admin. Oct 26 14:30:52 ndm Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 109.252.x.x. Oct 26 14:30:52 ndm Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes. Oct 26 14:45:52 ndm Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.
This function can be controlled via the command-line interface (CLI) of the router. The syntax of the commands is the following:
ip http lockout-policy {threshold} [{duration} [{observation-window}}]] ip telnet lockout-policy {threshold} [{duration} [{observation-window}}]] ip ssh lockout-policy {threshold} [{duration} [{observation-window}]] vpn-server lockout-policy {threshold} [{duration} [{observation-window}]]where:
threshold— number of attempts to enter the incorrect password, possible values from4 to 20 attempts(by default5);duration— time in minutes for which the attacker's IP address is blocked, possible values from1 to 60 minutes(by default15 minutes);observation-window— period of time in minutes during which incorrect attempts must occur, after which the counter is reset, possible values from1 to 10 minutes(by default3 minutes).For models supporting USB storage devices, there is also a command for protection against brute force attacks on the built-in FTP server:
ip ftp lockout-policy {threshold} [{duration} [{observation-window}]]In KeeneticOS, logging of failed login attempts to the system via HTTP is disabled by default. You can turn it on with a special command. The system log will then record failed attempts to connect to the router's HTTP web interface. In the command line interface (CLI) of the router, run the commands:
ip http log auth system configuration save
Here is an example of system log messages about web connection attempts (our example shows the first message about an unsuccessful connection attempt, and the second message shows information about a successful connection to the web):
Oct 18 10:42:43 ndm Core::Scgi::Auth: authentication failed for user "admin" from "172.16.18.33". Oct 18 10:43:11 ndm Core::Scgi::Auth: opened session "OIZROUQRLNJEMZTZ" for user "admin" from "172.16.18.33".
Nota
Starting from KeeneticOS
3.7.1, the password brute force feature operates via the KeenDNS service in the Cloud access mode.To set the parameters for tracking intrusion attempts by brute-force SSH and FTP server passwords for public interfaces (enabled by default), the commands are used accordingly:
ip ssh lockout-policyip ftp lockout-policy
Starting from KeeneticOS
3.1, it is possible to configure PPTP VPN server password brute force authentication for intrusion attempts (this feature is enabled by default). The command to configure it is:vpn-server lockout-policy
You can find complete information on the syntax of the commands mentioned in the article in the CLI Guide in the Download Center.