IOS “quiet-mode”

Learned about a new feature today, thanks to a co-worker, that I never knew about: IOS quiet-mode. The command reference explains it fairly well, starting with the “login block-for” command here. Basically, it lets you define a maximum number of login attempts on the VTY lines. When that limit is exceeded, IOS enters quiet mode and installs an auto-generated access-class called sl_def_acl that blocks telnet, ssh and www access. You can also define your own ACL to take effect when IOS enters quiet mode. Consider the following:

! ACL applied to the VTY lines in normal operation: SSH from the RFC 1918 ranges only
! (each entry needs a destination; "any" before "eq 22" was missing in the original lines)
ip access-list extended sshAccess
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 permit tcp 172.16.0.0 0.0.31.255 any eq 22 log
 permit tcp 192.168.0.0 0.0.255.255 any eq 22 log
 deny ip any any log

! ACL that takes over while quiet mode is active: one management host only
ip access-list extended quiet-sshAccess
 permit tcp 10.1.1.1 0.0.0.0 any eq 22 log
 deny ip any any log

! 6 failed attempts within 100 seconds -> quiet mode for 360 seconds
login block-for 360 attempts 6 within 100
login quiet-mode access-class quiet-sshAccess

The login block-for command has to be entered before the login quiet-mode command. In this example, you apply the ACL sshAccess to your VTY lines as normal with an access-class command. Then you enter the login commands and the quiet-sshAccess ACL above, and after 6 failed attempts within 100 seconds IOS enters quiet mode for 360 seconds. While quiet mode is active the quiet-sshAccess ACL is in place, so only host 10.1.1.1 can ssh to the device. It’s very simple. With today’s brute force botnets, something like this is very useful. Another good command to combine with it is the login delay command, which you can read about here. It puts a delay between login attempts to further hamper brute force logins.
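To make the watch window, block period and ACL switch concrete, here is a small Python model of the mechanism described above. It is an added example, not IOS code or anything from the command reference: the wildcard-mask matcher and the LoginGuard timing logic are my own approximation of the documented behaviour, using the two ACLs and the block-for parameters from this post.

```python
# Added example: a model of "login block-for 360 attempts 6 within 100" plus
# "login quiet-mode access-class". Not IOS code; an approximation of the behaviour.
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# The two ACLs from the post as (action, network, wildcard); the trailing
# "deny ip any any" is modelled by the fall-through return below.
SSH_ACCESS = [("permit", "10.0.0.0", "0.255.255.255"),
              ("permit", "172.16.0.0", "0.0.31.255"),
              ("permit", "192.168.0.0", "0.0.255.255")]
QUIET_SSH_ACCESS = [("permit", "10.1.1.1", "0.0.0.0")]


def acl_permits(acl, addr: str) -> bool:
    """First matching entry wins, exactly like an IOS ACL."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False  # deny ip any any


@dataclass
class LoginGuard:
    """Parameters mirror: login block-for BLOCK_FOR attempts ATTEMPTS within WITHIN."""
    block_for: int = 360
    attempts: int = 6
    within: int = 100
    failures: list = field(default_factory=list)  # timestamps of failed logins
    quiet_until: float = 0.0

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def allow_connection(self, src: str, now: float) -> bool:
        """The quiet-mode ACL replaces the normal VTY access-class while blocked."""
        acl = QUIET_SSH_ACCESS if self.in_quiet_mode(now) else SSH_ACCESS
        return acl_permits(acl, src)

    def record_failure(self, now: float) -> bool:
        """Keep only failures inside the watch window; trip quiet mode at the threshold."""
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return True
        return False
```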

This entry was posted in Cisco. Bookmark the permalink.