Check: CISR-ND-000015
Cisco ISR 4000 Series NDM STIG:
CISR-ND-000015
(in version v1 r1)
Title
The Cisco ISR 4000 Series router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. (Cat II impact)
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Check Content
Verify that the Cisco ISR 4000 Series router limits the number of consecutive invalid login attempts to "3" within "15" minutes. The configuration should look similar to the example below:

ip ssh authentication-retries 3
login block-for 18000 attempts 3 within 900

If the number of consecutive login attempts is not set to "3" within "15" minutes, this is a finding.
Fix Text
Configure SSH and login lockout using:

ip ssh authentication-retries 3
login block-for 18000 attempts 3 within 900
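An added compliance check for this rule, not part of the DISA STIG itself: it parses a saved IOS running-config (the sample configs below are constructed) and reports a finding when the login lockout line is absent or its attempt count or window differs from the 3-within-900-seconds values in the Check Content, or when SSH authentication retries exceed 3.

```python
import re

# Values required by CISR-ND-000015: 3 consecutive attempts within 900 s (15 min).
REQUIRED_ATTEMPTS = 3
REQUIRED_WINDOW_SECONDS = 900
MAX_SSH_RETRIES = 3

# IOS syntax: login block-for <seconds> attempts <tries> within <seconds>
LOGIN_BLOCK_RE = re.compile(
    r"^login block-for (?P<block>\d+) attempts (?P<tries>\d+) within (?P<window>\d+)$"
)
SSH_RETRIES_RE = re.compile(r"^ip ssh authentication-retries (?P<n>\d+)$")


def check_login_lockout(running_config: str) -> list[str]:
    """Return a list of findings for the config text; an empty list means compliant."""
    findings = []
    block = None
    ssh_retries = None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = LOGIN_BLOCK_RE.match(line)
        if m:
            block = {k: int(v) for k, v in m.groupdict().items()}
        m = SSH_RETRIES_RE.match(line)
        if m:
            ssh_retries = int(m.group("n"))

    if block is None:
        findings.append("no 'login block-for ... attempts ... within ...' line configured")
    else:
        if block["tries"] != REQUIRED_ATTEMPTS:
            findings.append(f"login block-for allows {block['tries']} attempts, expected {REQUIRED_ATTEMPTS}")
        if block["window"] != REQUIRED_WINDOW_SECONDS:
            findings.append(f"login block-for window is {block['window']} s, expected {REQUIRED_WINDOW_SECONDS}")
    # An explicit retries line above 3 weakens the SSH-specific limit.
    if ssh_retries is not None and ssh_retries > MAX_SSH_RETRIES:
        findings.append(f"ip ssh authentication-retries is {ssh_retries}, expected at most {MAX_SSH_RETRIES}")
    return findings


# Constructed sample configs (hostnames are placeholders, not real devices).
SAMPLE_COMPLIANT = """\
hostname isr4451-lab
ip ssh authentication-retries 3
login block-for 18000 attempts 3 within 900
"""
SAMPLE_NONCOMPLIANT = """\
hostname isr4451-lab
ip ssh authentication-retries 5
login block-for 120 attempts 10 within 60
"""
```

Feed the script the output of `show running-config` to produce the same open/not-a-finding result the manual check describes.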
Additional Identifiers
Rule ID:
Vulnerability ID: V-73973
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts