Brute force protection function for the router password
The router's protection against password brute force works for the device's external interfaces on the HTTP (TCP/80), Telnet (TCP/23), HTTPS (TCP/443), SSH and FTP protocols, and on the Internet cloud side of the KeenDNS service.
This protection is enabled in the router by default. If someone enters incorrect login credentials 5 times within 3 minutes, their IP address is blocked for 15 minutes.
This looks as follows:
The intruder accesses the web interface of the router and enters an incorrect login and password. Once the protection is triggered, the router's web interface stops responding to requests from the IP address from which the access was attempted.
The system log of the router shows the following entries:
Oct 26 14:30:39 ndm Core::Scgi::Auth: authentication failed for user admin.
Oct 26 14:30:43 ndm Core::Scgi::Auth: authentication failed for user test.
Oct 26 14:30:47 ndm Core::Scgi::Auth: authentication failed for user user1.
Oct 26 14:30:51 ndm Core::Scgi::Auth: authentication failed for user admin.
Oct 26 14:30:52 ndm Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 109.252.x.x.
Oct 26 14:30:52 ndm Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes.
Oct 26 14:45:52 ndm Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.
This function can be controlled via the command-line interface (CLI) of the router. The syntax of the commands is the following:
ip http lockout-policy {threshold} [{duration} [{observation-window}]]
ip telnet lockout-policy {threshold} [{duration} [{observation-window}]]
ip ssh lockout-policy {threshold} [{duration} [{observation-window}]]
where:
threshold — number of incorrect password attempts, possible values from 4 to 20 attempts (by default 5);
duration — time in minutes for which the attacker's IP address is blocked, possible values from 1 to 60 minutes (by default 15 minutes);
observation-window — period of time in minutes during which the incorrect attempts must occur, after which the counter is reset, possible values from 1 to 10 minutes (by default 3 minutes).

In KeeneticOS, logging of failed login attempts to the system via HTTP is disabled by default. You can turn it on with a special command. The system log will then record failed attempts to connect to the router's HTTP web interface. In the command line interface (CLI) of the router, run the commands:
ip http log auth
system configuration save
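The following is an added example, not Keenetic's code: a small Python model of the lockout policy described above (threshold failures inside a sliding observation window trigger a ban of the given duration; the exact window semantics of the firmware are an assumption), plus a parser that pulls the ban/unban events out of the BfdManager log lines shown earlier, which is what a monitoring script would alert on. The IP addresses fed to the model are constructed; the sample log lines are copied from this page.

```python
import re
from collections import defaultdict, deque

class LockoutPolicy:
    """Model of the lockout policy described above. Times are seconds.
    Assumed semantics: sliding observation window, counter cleared on ban."""
    def __init__(self, threshold=5, duration=15, observation_window=3):
        self.threshold = threshold
        self.duration = duration * 60            # minutes -> seconds
        self.window = observation_window * 60
        self.failures = defaultdict(deque)       # ip -> times of recent failures
        self.banned_until = {}                   # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)          # no ban, or the ban has expired
        return False

    def record_failure(self, ip, now):
        """Register one failed login from ip; return True if it triggers a ban."""
        if self.is_banned(ip, now):              # requests from a banned host are dropped
            return False
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window:          # forget attempts outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = now + self.duration
            q.clear()
            return True
        return False

BFD_RE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) .*BfdManager: "(\w+)": (ban|unban) remote host (\S+)')

def parse_ban_events(log_lines):
    """Extract (timestamp, service, action, ip) from BfdManager log entries."""
    events = []
    for line in log_lines:
        m = BFD_RE.match(line)
        if m:
            ts, service, action, ip = m.groups()
            events.append((ts, service, action, ip.rstrip('.')))
    return events

# Constructed sample, taken from the log excerpt on this page.
SAMPLE_LOG = [
    'Oct 26 14:30:52 ndm Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes.',
    'Oct 26 14:45:52 ndm Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.',
]
```

With the defaults, five failures within 13 seconds produce a ban that expires 15 minutes later, while one failure per minute never reaches the threshold because older attempts fall out of the 3-minute window.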
Note: Starting from KeeneticOS 3.7.1, the password brute force protection feature also operates via the KeenDNS service in the 'Cloud access' mode.
You can find complete information on the syntax of the commands mentioned in the article in the CLI Guide in the Download Center.