3 Replies Latest reply on Feb 13, 2020 11:11 AM by jayh

    NetVanta 3200's excessive login attempts. 'access-attempts' isn't an available option.

    theartfulpenguin New Member

      We use NetVanta 3200s for T1 termination and are seeing excessive login attempts.  We want to use the 'access-attempts' command on page 1982 of the AOS 13.6 command reference.

       

      When we navigate to the proper place in the configuration, under enable / config t / line console 0, it isn't an option.

      Is there something else that needs to be enabled for that to be an option?

      Is it not an option on the NetVanta 3200? If not, is there another way/command to do a time lockout for failed logins?  The max is 30 seconds.  We wish it could be 5 or 10 minutes.

       

      I can post a screenshot of the available options.

       

      I verified the current firmware is AOS 13.6, backup firmware is 13.5.  The command reference states this command was introduced in AOS 11.10.2.

       

      Help.  Thanks. 

        • Re: NetVanta 3200's excessive login attempts. 'access-attempts' isn't an available option.
          jayh Hall_of_Fame

          I assume that the device is exposed to the Internet and you're seeing attempts from random IPs not under your control. This is kind of expected these days, and isn't likely to go away soon. Even if unsuccessful, the constant door-rattling will consume CPU and resources and impact performance. The best way to deal with it is to create an access list containing just the netblocks of your management systems where logins are expected and apply that ACL to the VTY lines and HTTP/S processes. Also shut down telnet and use only SSH for command line access.

           

          !
          ip access-list standard admin-access
            permit [subnet and inverse mask of your trusted IPs]
            permit [Additional trusted subnets as needed]
          !
          !
          http ip access-class admin-access in
          http ip secure-access-class admin-access in
          !
          !
          line telnet 0 4
            shutdown
          line ssh 0 4
            line-timeout 60
            no shutdown
            ip access-class admin-access in
          !
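
An added example, not part of jayh's reply and not ADTRAN tooling: a small Python check that reads a saved running-config and reports which parts of the hardening described above are missing. The sample config and the `parse_sections` / `audit` names are constructed for illustration, and it assumes top-level commands start at column 0 with sub-commands indented beneath them.

```python
# Constructed sample of a saved AOS running-config (not from the thread).
SAMPLE_CONFIG = """\
ip access-list standard admin-access
  permit 192.0.2.0 0.0.0.255
!
http ip access-class admin-access in
!
line telnet 0 4
  no shutdown
line ssh 0 4
  line-timeout 60
  no shutdown
  ip access-class admin-access in
!
"""

def parse_sections(config):
    """Map each unindented command to the indented sub-commands under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue                      # tolerate blank lines from copy/paste
        if line.strip() == "!":
            current = None                # "!" separates sections
        elif line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def audit(config, acl="admin-access"):
    """Return findings; an empty list means the reply's hardening is present."""
    sections = parse_sections(config)
    acl_cmd = f"ip access-class {acl} in"
    findings = []
    if not any(c.startswith("permit ") for c in sections.get(f"ip access-list standard {acl}", [])):
        findings.append(f"ACL {acl} is missing or has no permit entries")
    for cmd in (f"http ip access-class {acl} in", f"http ip secure-access-class {acl} in"):
        if cmd not in sections:
            findings.append(f"missing: {cmd}")
    for name, body in sections.items():
        if name.startswith("line telnet ") and "shutdown" not in body:
            findings.append(f"{name}: telnet not explicitly shut down")
        if name.startswith("line ssh ") and "shutdown" not in body and acl_cmd not in body:
            findings.append(f"{name}: SSH enabled without {acl_cmd}")
    return findings
```

Calling `audit()` on the text of a saved config returns one line per gap; for the constructed sample it reports the missing HTTPS access class and the telnet lines that are still enabled.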