Exponential Login Backoff - Alcatel-Lucent 7950 SR System Management Manual

Exponential Login Backoff

A malicious user may attempt to gain CLI access by means of a dictionary attack, using a
script to automatically attempt to log in as an "admin" user and a dictionary list to test all
possible passwords. With the exponential-backoff feature in the config>system>login-control
context, the OS increases the delay between login attempts exponentially to mitigate such
attacks.
When a user tries to log in to a router using a Telnet or an SSH session, only a limited
number of attempts are allowed to enter the correct password. The interval between
unsuccessful attempts changes after each try (1, 2 and 4 seconds). If the system is configured
for user lockout, then the user will be locked out when the number of attempts is exceeded.
However, if lockout is not configured, there are three password entry attempts allowed after
the first failure, at fixed 1, 2 and 4 second intervals, in the first session, and then the session
terminates. Users do not have an unlimited number of login attempts per session. After each
failed password attempt, the wait period becomes longer until the maximum number of
attempts is reached.
The OS terminates the session after four unsuccessful tries. A wait period will never be longer
than 4 seconds. The periods are fixed and will restart in subsequent sessions.
Note that the config>system>login-control>[no] exponential-backoff command works in
conjunction with the config>system>security>password>attempts command, which is also
a system-wide configuration.
For example:
*A:ALA-48>config>system# security password attempts
- attempts <count> [time <minutes1>] [lockout <minutes2>]
- no attempts
<count>    : [1..64]
<minutes1> : [0..60]
<minutes2> : [0..1440]
Exponential backoff applies to any user and to any login method, such as console, SSH and
Telnet.
Refer to Configuring Login Controls on page 87. The commands are described in Login,
Telnet, SSH and FTP Commands on page 115.
7950 SR OS System Management Guide, Security, Page 49
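The Python model below is an added example, not code from the manual or from SR OS. It combines the fixed 1, 2 and 4 second waits with the attempts count/time/lockout settings to compare how many failed tries a configuration permits against one user. The names Attempts and max_failed_tries are hypothetical, the 3/5/10 values are constructed, and the model assumes that reconnecting takes no time and that lockout starts once <count> failures fall inside the <minutes1> window.

```python
from dataclasses import dataclass

# Ranges printed on this page for "security password attempts".
RANGES = {"count": (1, 64), "time_min": (0, 60), "lockout_min": (0, 1440)}
BACKOFF_S = (1, 2, 4)   # waits after the 1st, 2nd and 3rd failure in a session
TRIES_PER_SESSION = 4   # the session ends after four unsuccessful tries


@dataclass(frozen=True)
class Attempts:          # hypothetical container for <count> <minutes1> <minutes2>
    count: int
    time_min: int
    lockout_min: int

    def __post_init__(self):
        for name, (lo, hi) in RANGES.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} outside [{lo}..{hi}]")
        # The page does not say what 0 means, so this model refuses it.
        if 0 in (self.time_min, self.lockout_min):
            raise ValueError("0 minutes is not modelled")


def max_failed_tries(horizon_s, policy=None):
    """Failed tries possible against one user within horizon_s seconds.

    Assumptions: reconnecting takes no time; lockout starts when `count`
    failures fall inside the `time` window and closes the session.
    """
    t, tries, in_session, recent, locked_until = 0, 0, 0, [], 0
    while True:
        t = max(t, locked_until)           # wait out any active lockout
        if t >= horizon_s:
            return tries
        tries += 1
        in_session += 1
        if policy:
            recent = [x for x in recent if t - x < policy.time_min * 60] + [t]
            if len(recent) >= policy.count:
                locked_until = t + policy.lockout_min * 60
                recent, in_session = [], 0
                continue
        if in_session == TRIES_PER_SESSION:
            in_session = 0                 # new session, waits restart
        else:
            t += BACKOFF_S[in_session - 1]


if __name__ == "__main__":
    print("backoff only, 1 h:", max_failed_tries(3600))
    print("with lockout, 1 h:", max_failed_tries(3600, Attempts(3, 5, 10)))  # constructed values
```

In this model a count of 64 with a 1-minute window never triggers a lockout, because the backoff alone keeps failures below that rate.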