How to Stop Repeated Failed Login Attempts on Cisco Routers & Switches (Complete Security Guide)

Are you seeing a high number of failed login attempts on your Cisco router or switch? Worried that hackers might be trying to brute-force their way into your device? In this guide, I will show you how to protect your Cisco equipment against repeated login failures using simple but powerful IOS commands.

Cisco IOS allows you to block attackers, delay login attempts, log events, and automatically log out idle sessions, making your devices far more secure. Let’s go step by step.


🚨 Why You Need to Protect Login Access

Attackers commonly use automated tools to try thousands of username/password combinations. By enabling Cisco’s login security features, you can:

  • Block login attempts after a certain threshold.

  • Slow down brute-force attacks by introducing a time delay.

  • Only allow trusted IPs to try again during lockdown.

  • Log failed and successful logins for auditing.

  • Automatically log out inactive users.


🔐 Step-by-Step Cisco IOS Configuration

✅ 1. Temporarily block login attempts after multiple failures:

Router(config)# login block-for 120 attempts 3 within 60

Blocks ALL new login attempts for 120 seconds (2 minutes) if 3 failures happen within 60 seconds. The failure counter and the lockout are global, not per source, so a single remote attacker can trigger it and lock out your own administrators as well; that is why the next step restricts who may still log in during the lockout.


✅ 2. Allow only trusted IPs during “quiet-mode”:

Router(config)# access-list 50 permit 192.168.1.0 0.0.0.255
Router(config)# login quiet-mode access-class 50

While the device is in lockdown (quiet-mode), only hosts in 192.168.1.0/24 (the network permitted by access-list 50) can still attempt to log in; everyone else is refused until the block period expires.


✅ 3. Add a delay between login tries:

Router(config)# login delay 3

Adds a 3-second delay between failed login attempts – extremely effective against automated attacks.


✅ 4. Log every failed login attempt:

Router(config)# login on-failure log every 1

Records every failed login in the syslog.


✅ 5. Log every successful login:

Router(config)# login on-success log every 1

Records successful logins so you know who is gaining access.


✅ 6. Auto log out idle users:

Router(config)# line vty 0 4
Router(config-line)# exec-timeout 5 0

Logs out users after 5 minutes and 0 seconds of inactivity on the Telnet/SSH terminal lines (VTY 0 to 4), so an unattended session cannot be picked up by someone else.
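To make the interaction between steps 1 to 3 concrete, here is an added Python model of the lockout logic (example code written for this guide, not Cisco's implementation). It assumes the same parameters as above (block 120 s after 3 failures within 60 s, a 3-second delay, and 192.168.1.0/24 as the quiet-mode network) and simplifies two details: failures are counted globally across all sources, as the feature does, and a successful login does not reset the counter. The timeline in `run_scenario()` is constructed for the example.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Model of 'login block-for BLOCK attempts N within WINDOW' combined with
    'login quiet-mode access-class ACL' and 'login delay'.

    Assumptions of this example (not taken from IOS documentation):
    - failures are counted globally across all sources and are not reset
      by a successful login;
    - the quiet-mode ACL is modelled as a list of permitted networks;
    - 'login delay' is reported as a cost in seconds rather than slept.
    """

    def __init__(self, block_for=120, attempts=3, within=60, delay=3, trusted=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.delay = delay
        self.trusted = [ip_network(n) for n in trusted]
        self.failures = deque()   # timestamps of failures inside the watch window
        self.quiet_until = 0.0    # quiet mode is active while now < quiet_until

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def attempt(self, now, source, ok):
        """Evaluate one login attempt at time `now` (seconds) from `source`
        and return the verdict the device would apply."""
        if self.in_quiet_mode(now) and not any(
            ip_address(source) in net for net in self.trusted
        ):
            return "refused: quiet-mode"
        # forget failures that fell out of the 'within' watch window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if ok:
            return "success"
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return f"failed: quiet-mode on for {self.block_for}s"
        return f"failed: next attempt delayed {self.delay}s"


def run_scenario():
    """Constructed timeline: one guessing source and one trusted admin host."""
    guard = LoginGuard(trusted=["192.168.1.0/24"])   # same network as access-list 50
    events = [
        (0,   "203.0.113.9",  False),
        (10,  "203.0.113.9",  False),
        (20,  "203.0.113.9",  False),   # third failure inside 60 s -> lockout
        (30,  "203.0.113.9",  False),   # refused outright during quiet mode
        (30,  "192.168.1.10", True),    # trusted host still gets in
        (150, "203.0.113.9",  False),   # the 120 s lockout has expired
    ]
    return [guard.attempt(t, src, ok) for t, src, ok in events]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fourth and fifth events are the point of step 2: without the quiet-mode access list, the admin host at 192.168.1.10 would be refused just like the guessing source for the full two minutes.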


🔍 VERIFICATION COMMANDS

Use the following commands to check that the protection is active, to see recent failed attempts and whether the device is currently in quiet-mode, and to confirm the quiet-mode access list matches the hosts you intend:

show login
show login attempts
show access-lists 50

💡 Best Practices (Highly Recommended)

  • Use SSH only, disable Telnet (transport input ssh).

  • Configure individual user accounts rather than relying only on the enable/secret password, so logins are attributable to a person.

  • Use strong passwords or (even better) AAA with TACACS+/RADIUS.

  • Send syslog to a remote logging server so the evidence survives a reboot or tampering on the device.


✅ Conclusion

By using these simple configuration steps, you can greatly reduce the risk of unauthorized access to your Cisco routers and switches. These features are built-in and take only minutes to deploy — but could save your network from disaster.

Want more Cisco security guides like this? Leave a comment below and don’t forget to share this blog with your fellow network engineers!
