Enabling/Disabling Brute Force Attack Protection - Siemens RX1500 User Manual

Ruggedcom rox ii series

Chapter 5
Setup and Configuration
Parameter: Listen Port
Description:
Synopsis: The port-number type represents a 16-bit port number of an Internet transport layer protocol such as UDP, TCP, DCCP, or SCTP. Port numbers are assigned by IANA. A current list of all assignments is available from <http://www.iana.org/>. Note that the port number value zero is reserved by IANA. In situations where the value zero does not make sense, it can be excluded by subtyping the port-number type. In the value set and its semantics, this type is equivalent to the InetPortNumber textual convention of the SMIv2.
Default: 443
The port on which the WebUI listens for WebUI requests.

Parameter: Extra IP:Ports
Description:
Synopsis: "extra-ip-ports" occurs in an unbounded array
The WebUI will also listen on these IP addresses. For port values, add ':#' to set a non-default port value (i.e. xxx.xxx.xxx.xxx:19343 [::] [::]:16000). If using the default address, do not specify another listen address with the same port.

Parameter: Maximum Number of WebUI Sessions
Description:
Synopsis: unbounded
Default: 20
The maximum number of concurrent WebUI sessions.

Parameter: Idle Timeout
Description:
Default: PT30M
The maximum idle time before terminating a WebUI session. If the session is waiting for notifications, or has a pending confirmed commit, the idle timeout is not used. A value of 0 means no timeout. PT30M means 30 minutes.

Parameter: SSL Redirect Enabled
Description:
Default: true
Redirects traffic from port 80 to port 443. If disabled, port 80 will be closed.

Parameter: Client Certificate Verification
Description:
Synopsis: none, peer, fail-if-no-peer-cert
Default: none
Client certificate verification level: the level of verification the server does on client certificates.
• none - It does not do any verification.
• peer - The server will ask the client for a client certificate but not fail if the client does not supply a client certificate.
• fail-if-no-peer-cert - The server requires the client to supply a client certificate.

4. Click Commit to save the changes or click Revert All to abort. A confirmation dialog box appears. Click OK to proceed.
5. Click Exit Transaction or continue making changes.

Section 5.6

Enabling/Disabling Brute Force Attack Protection

ROX II features a Brute Force Attack (BFA) protection mechanism to prevent attacks via the CLI, Web interface and NETCONF. This mechanism analyzes the behavior of external hosts trying to access the SSH port, specifically the number of failed logins. After 15 failed login attempts, the IP address of the host will be blocked for 720 seconds (12 minutes). The range of 15 failed login attempts exists to take into account various methods of accessing the device, notably when the same or different ports are used across a series of failed logins.

IMPORTANT!
The BFA protection system is not applicable to SNMP. Follow proper security practices for configuring SNMP. For example:
• Do not use SNMP over the Internet
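An added example, not taken from the Siemens manual or from ROX II: a log audit that applies the BFA rule from Section 5.6 (15 failed logins, then a 720-second block per source IP) and reports failed logins that appear inside a window in which the host should have been blocked, which suggests BFA protection was disabled at the time. The OpenSSH-style log lines are constructed, and counting per IP without a time window and restarting the counter after a block are assumptions the manual does not specify.

```python
import re
from datetime import datetime, timedelta

THRESHOLD = 15                      # failed logins before a block (from the manual)
BLOCK = timedelta(seconds=720)      # block duration (from the manual)

# Assumed OpenSSH-style line with an ISO timestamp; not the ROX II log format.
FAIL_RE = re.compile(r"^(\S+) .*Failed password for .* from (\S+) port \d+")

def audit(lines, threshold=THRESHOLD, block=BLOCK):
    """Return (blocks, leaks).

    blocks: [(ip, start, end)] windows in which the host should be blocked.
    leaks:  [(ip, time)] failed logins logged inside such a window, which
            suggests BFA protection was disabled when they occurred.
    """
    counts, blocked_until, blocks, leaks = {}, {}, [], []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in blocked_until and ts < blocked_until[ip]:
            leaks.append((ip, ts))
            continue
        # Count per source IP only: the source port changes between attempts.
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= threshold:
            blocked_until[ip] = ts + block
            blocks.append((ip, ts, ts + block))
            counts[ip] = 0          # assumption: the counter restarts after a block
    return blocks, leaks

def sample_log():
    """Constructed sample: 17 failures from one host, 3 from another."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    fmt = "{} sshd[100]: Failed password for admin from {} port {} ssh2"
    noisy = [fmt.format((t0 + timedelta(seconds=10 * i)).isoformat(),
                        "192.0.2.10", 40000 + i) for i in range(17)]
    quiet = [fmt.format((t0 + timedelta(seconds=60 * i)).isoformat(),
                        "198.51.100.7", 50000) for i in range(3)]
    return sorted(noisy + quiet)

if __name__ == "__main__":
    blocks, leaks = audit(sample_log())
    for ip, start, end in blocks:
        print(f"{ip}: block expected {start} -> {end}")
    for ip, ts in leaks:
        print(f"{ip}: failed login at {ts} inside expected block window")
```

On a device with BFA protection enabled, the second list should stay empty for any host that reached the threshold.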
RUGGEDCOM ROX II
User Guide

This manual is also suitable for:

RX1501, RX1510, RX1511, RX1512
