Exponential login backoff

A malicious user may attempt to gain CLI access by means of a dictionary attack, in which a script automatically attempts logins as a known user such as "admin" and works through a dictionary list of candidate passwords. Enabling the exponential-backoff feature in the config>system>login-control context makes the 7210 SAS increase the delay between successive failed login attempts exponentially, which slows such attacks.

When a user attempts to log in to a router using a Telnet or SSH session, the system allows a limited number of attempts to enter the correct password. The interval between unsuccessful attempts changes after each try (1, 2, and 4 seconds). If user lockout is configured on the system, the user is locked out when the configured number of unsuccessful attempts is exceeded.

If lockout is not configured, three further password entry attempts are allowed in the session after the first failure, with fixed delays of 1, 2 and 4 seconds before each of them, and then the session terminates. Users do not have an unlimited number of login attempts per session: after each failed password attempt the wait period becomes longer until the maximum number of attempts is reached.

The 7210 SAS terminates the session after four unsuccessful attempts in total. A wait period is never longer than 4 seconds. The delays are fixed and restart from 1 second in each subsequent session. Because of this, exponential backoff alone only limits the rate of guesses within one session; an attacker can simply reconnect after four failures, so it should be combined with the password attempts lockout described below.

The config system login-control [no] exponential-backoff command works in conjunction with the config system security password attempts command, which is also a system-wide configuration.

Example
*A:ALA-48>config>system# security password attempts
  - attempts <count> [time <minutes1>] [lockout <minutes2>]
  - no attempts

 <count>              : [1..64]
 <minutes1>           : [0..60]
 <minutes2>           : [0..1440]

Exponential backoff applies to any user and to any login method, such as console, SSH and Telnet.
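The following CLI session is an added configuration example, not taken from the original page or from Nokia documentation; it enables exponential backoff and pairs it with the password attempts lockout using the two commands described above. The prompt name ALA-48 is reused from the example above, and the chosen values (3 attempts within 5 minutes, 10 minute lockout) are illustrative assumptions that should be adjusted to local policy.

```text
*A:ALA-48# configure system
*A:ALA-48>config>system# login-control
*A:ALA-48>config>system>login-control# exponential-backoff
*A:ALA-48>config>system>login-control# exit
*A:ALA-48>config>system# security password attempts 3 time 5 lockout 10
*A:ALA-48>config>system# exit
```

With both commands in place, a single session still terminates after four failures with 1, 2 and 4 second delays, and a user who accumulates three failed attempts within the 5 minute window is locked out for 10 minutes regardless of how many new sessions the attacker opens. To return to the weaker per-session behaviour only, the commands are reverted with no exponential-backoff and no attempts in the same contexts.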

See Configuring login controls. The commands are described in Login, Telnet, SSH and FTP commands.