Skip to main content

User Manual

Brute force protection function for the router password

The router's protection against password brute force works for the device's external interfaces on HTTP (TCP/80), Telnet (TCP/23) and HTTPS (TCP/443), SSH, FTP protocols and on the Internet cloud side of the KeenDNS service.

This protection is enabled in the router by default. If someone enters incorrect login credentials 5 times within 3 minutes, his IP address will be blocked for 15 minutes.

This looks as follows:

  1. The intruder accesses the web interface of the router.

  2. He enters an incorrect login and password. Once the protection is triggered, the router's web interface stops responding to requests from the IP address from which the access was attempted.

  3. The system log of the router shows the following entries:

    Oct 26 14:30:39 ndm Core::Scgi::Auth: authentication failed for user admin.
    Oct 26 14:30:43 ndm Core::Scgi::Auth: authentication failed for user test.
    Oct 26 14:30:47 ndm Core::Scgi::Auth: authentication failed for user user1.
    Oct 26 14:30:51 ndm Core::Scgi::Auth: authentication failed for user admin.
    Oct 26 14:30:52 ndm Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 109.252.x.x.
    Oct 26 14:30:52 ndm Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes.
    Oct 26 14:45:52 ndm Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.

    This function can be controlled via the command-line interface (CLI) of the router. The syntax of the commands is the following:

    ip http lockout-policy {threshold} [{duration} [{observation-window}}]]
    
    ip telnet lockout-policy {threshold} [{duration} [{observation-window}}]]
    
    ip ssh lockout-policy {threshold} [{duration} [{observation-window}]]
    
    vpn-server lockout-policy {threshold} [{duration} [{observation-window}]]

    where:

    threshold — number of attempts to enter the incorrect password, possible values from 4 to 20 attempts (by default 5);

    duration — time in minutes for which the attacker's IP address is blocked, possible values from 1 to 60 minutes (by default 15 minutes);

    observation-window — period of time in minutes during which incorrect attempts must occur, after which the counter is reset, possible values from 1 to 10 minutes (by default 3 minutes).

    For models supporting USB storage devices, there is also a command for protection against brute force attacks on the built-in FTP server:

    ip ftp lockout-policy {threshold} [{duration} [{observation-window}]]

    In KeeneticOS, logging of failed login attempts to the system via HTTP is disabled by default. You can turn it on with a special command. The system log will then record failed attempts to connect to the router's HTTP web interface. In the command line interface (CLI) of the router, run the commands:

    ip http log auth
    system configuration save

    Note

    • Starting from KeeneticOS 3.7.1, the password brute force feature operates via the KeenDNS service in the 'Cloud access' mode.

    • Starting from KeeneticOS 2.12, it is possible to set the intrusion detection parameters by brute-forcing SSH and FTP server passwords for public interfaces (enabled by default). The following commands are used for this respectively:

      • ip ssh lockout-policy

      • ip ftp lockout-policy

    • Starting from KeeneticOS 3.1, it is possible to configure PPTP server password brute force authentication for intrusion attempts (this feature is enabled by default). The command to configure it is:

      • vpn-server lockout-policy

    You can find complete information on the syntax of the commands mentioned in the article in the CLI Guide in the Download Center.