Brute force protection function for the router password
The router's protection against password brute force works on the device's external interfaces for the HTTP (TCP/80), Telnet (TCP/23), HTTPS (TCP/443), SSHv2 and FTP protocols, and on the Internet (cloud) side of the KeenDNS service.
This protection is enabled in the router by default. If someone enters incorrect login credentials 5 times within 3 minutes, that IP address is blocked for 15 minutes.
This works as follows:
- The intruder accesses the web interface of the router.
- He enters an incorrect login and password. Once the protection is triggered, the router's web interface stops responding to requests from the IP address from which the access was attempted.
- The system log of the router shows the following entries:
  Oct 26 14:30:39 ndm Core::Scgi::Auth: authentication failed for user admin.
  Oct 26 14:30:43 ndm Core::Scgi::Auth: authentication failed for user test.
  Oct 26 14:30:47 ndm Core::Scgi::Auth: authentication failed for user user1.
  Oct 26 14:30:51 ndm Core::Scgi::Auth: authentication failed for user admin.
  Oct 26 14:30:52 ndm Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 109.252.x.x.
  Oct 26 14:30:52 ndm Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes.
  Oct 26 14:45:52 ndm Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.
- This function can be controlled via the command-line interface (CLI) of the router. The syntax of the commands is the following:
  ip http lockout-policy {threshold} [{duration} [{observation-window}]]
  ip telnet lockout-policy {threshold} [{duration} [{observation-window}]]
  ip ssh lockout-policy {threshold} [{duration} [{observation-window}]]
  vpn-server lockout-policy {threshold} [{duration} [{observation-window}]]
  where:
  - threshold: number of incorrect password attempts that triggers the block; possible values from 4 to 20 attempts (by default 5);
  - duration: time in minutes for which the attacker's IP address is blocked; possible values from 1 to 60 minutes (by default 15 minutes);
  - observation-window: period of time in minutes within which the incorrect attempts must occur; after it elapses the counter is reset; possible values from 1 to 10 minutes (by default 3 minutes).
- In KeeneticOS, logging of failed login attempts to the system via HTTP is disabled by default. You can turn it on with a special command. The system log will then record failed attempts to connect to the router's HTTP web interface.
- In the command line interface (CLI) of the router, run the commands:
  ip http log auth
  system configuration save
- Here is an example of system log messages about web connection attempts (the first message shows an unsuccessful connection attempt, and the second shows a successful connection to the web interface):
  Oct 18 10:42:43 ndm Core::Scgi::Auth: authentication failed for user "admin" from "172.16.18.33".
  Oct 18 10:43:11 ndm Core::Scgi::Auth: opened session "OIZROUQRLNJEMZTZ" for user "admin" from "172.16.18.33".
- Note: starting from KeeneticOS 3.7.1, the password brute-force protection feature operates via the KeenDNS service in the Cloud access mode.
- To set the parameters for tracking intrusion attempts that brute-force the SSH and FTP server passwords on public interfaces (enabled by default), the corresponding commands are:
  ip ssh lockout-policy
  ip ftp lockout-policy
 
- Starting from KeeneticOS 3.1, brute-force protection for the PPTP VPN server password can be configured (this feature is enabled by default). The command to configure it is:
  vpn-server lockout-policy

- You can find complete information on the syntax of the commands mentioned in this article in the CLI Guide in the Download Center.
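To make the interaction of threshold, duration and observation-window concrete, here is an added Python model of the lockout counter (example code written for this article, not KeeneticOS code). It assumes a sliding observation window counted per source IP; the source addresses and timestamps in the simulation are constructed placeholders, not values from a real router.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class LockoutPolicy:
    """Model of 'lockout-policy {threshold} [{duration} [{observation-window}]]'.
    Assumed semantics: failures from one source IP are counted inside a sliding
    observation window; reaching the threshold bans the IP for `duration`."""
    def __init__(self, threshold=5, duration_min=15, window_min=3):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_min)
        self.window = timedelta(minutes=window_min)
        self.failures = defaultdict(list)  # ip -> timestamps of failed logins
        self.banned_until = {}             # ip -> datetime when the ban lifts

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)    # expired ban: "unban remote host"
        return False

    def record_failure(self, ip, now):
        """Register one failed login; True if this attempt triggers a ban."""
        if self.is_banned(ip, now):
            return False                   # already blocked, request is dropped
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.banned_until[ip] = now + self.duration
            self.failures[ip] = []         # counter reset once the ban applies
            return True
        return False

def simulate(policy=None):
    """Constructed timeline using the article's defaults (5 / 15 min / 3 min)."""
    p = policy or LockoutPolicy()
    t0 = datetime(2023, 10, 26, 14, 30, 39)
    fast, slow = "198.51.100.9", "203.0.113.7"  # placeholder source addresses
    # five bad passwords within 16 s -> ban on the fifth attempt
    fast_hits = [p.record_failure(fast, t0 + timedelta(seconds=4 * i)) for i in range(5)]
    # four failures 4 min apart never put 5 attempts inside the 3-min window
    slow_hits = [p.record_failure(slow, t0 + timedelta(minutes=4 * i)) for i in range(4)]
    return {
        "fast_banned_on_attempt": fast_hits.index(True) + 1 if True in fast_hits else None,
        "fast_still_banned_at_14min": p.is_banned(fast, t0 + timedelta(minutes=14)),
        "fast_unbanned_at_16min": not p.is_banned(fast, t0 + timedelta(minutes=16)),
        "slow_ever_banned": any(slow_hits),
    }
```

Running simulate() shows why the observation window matters: the same four or five wrong passwords either trigger the 15-minute ban or never do, depending only on how closely in time they arrive.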