login block-for [secs] attempts [n] within [secs]
Configures the router to enter a "quiet mode" that rejects login attempts after a specified number of failed attempts has been reached within a given time window. It is used to slow down brute-force password guessing against the VTY lines (SSH and Telnet). Failures are counted across all sources, and during quiet mode logins are denied from every source unless an exempting ACL is applied with 'login quiet-mode access-class'.
When to Use This Command
- Protect SSH/Telnet access to a router from brute-force password guessing attacks
- Comply with security policies that require rate-limiting on management access
- Stop a compromised host inside the network from running an unbounded password-guessing loop against the router
- Reduce CPU load from continuous authentication failures, since during quiet mode the router rejects login attempts before authenticating them
Command Examples
Basic login block configuration
```
Router(config)# login block-for 120 attempts 5 within 60
Router(config)#
```
No output is generated upon successful configuration. The command sets a policy: once 5 failed login attempts (from any combination of source addresses) occur within a 60-second watch window, the router enters quiet mode for 120 seconds and rejects all further login attempts, valid credentials included, unless the source is permitted by a 'login quiet-mode access-class' ACL.
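The basic command above is only half of a usable configuration: with no quiet-mode ACL, five wrong passwords from anywhere on the network lock the administrators out of the VTYs for two minutes, which turns the anti-brute-force control into a denial-of-service lever. The following is an added example, not taken from the original page, showing the weak setting beside a corrected one. The management network 10.10.0.0/24, the ACL name MGMT-HOSTS and the username admin are assumed values.

```text
! Added example (not from the original page). Assumed values: 10.10.0.0/24 is
! the management network, MGMT-HOSTS is the ACL name, admin is the local user.
!
! Weak: quiet mode with no exemption. Five bad passwords from any host
! deny logins from every source, including administrators, for 120 seconds.
Router(config)# login block-for 120 attempts 5 within 60
!
! Corrected: exempt the management network from quiet mode, add a delay
! between attempts in normal mode, and log both outcomes for the SIEM.
Router(config)# ip access-list standard MGMT-HOSTS
Router(config-std-nacl)# permit 10.10.0.0 0.0.0.255
Router(config-std-nacl)# exit
Router(config)# login block-for 120 attempts 5 within 60
Router(config)# login quiet-mode access-class MGMT-HOSTS
Router(config)# login delay 3
Router(config)# login on-failure log every 1
Router(config)# login on-success log
!
! Harden the VTY lines themselves: SSH only, local accounts, management
! sources only, idle timeout.
Router(config)# username admin privilege 15 secret <strong-password>
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# access-class MGMT-HOSTS in
Router(config-line)# exec-timeout 10 0
Router(config-line)# end
Router# show login
```

The quiet-mode ACL matters even with 'access-class MGMT-HOSTS in' on the VTYs: the line access-class decides who may open a connection, while the quiet-mode access-class decides who may still log in after the failure threshold has been crossed. A host that is both permitted to connect and exempt from quiet mode (the management network here) keeps working while every other source is denied. 'login on-failure log every 1' emits a syslog message per failed attempt, which is the signal a detection pipeline wants; without it, failures are only visible in the counters of 'show login' and 'show login failures'.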
Verifying login block configuration
```
Router# show login

     A default login delay of 1 seconds is applied.
     No Quiet-Mode access list has been configured.

     Router enabled to watch for login Attacks.
     If more than 5 login failures occur in 60 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 58 seconds.
         Login failures for current window: 0.
     Total login failures: 0.
```
The output restates the configured parameters: failure threshold (5), watch window (60 seconds) and block time (120 seconds). A login delay of 1 second was applied automatically because no explicit 'login delay' was configured, and no quiet-mode access list exists, so a block would deny logins from every source. The router is in Normal-Mode: the current watch window has 58 seconds left, no failures have been recorded in it, and the cumulative failure counter is zero.
Understanding the Output
The 'show login' command displays the current login-blocking configuration and its state. Key lines: the login delay in effect between successive attempts (1 second by default once 'login block-for' is configured, or the value set with 'login delay'); whether a quiet-mode access list is configured, and its name if so; the watch-for-attacks line, which restates the configured failure threshold, watch window and block time; and the mode line. In Normal-Mode the output shows the time remaining in the current watch window, the number of failures recorded in that window, and the total login failures since the counters were last reset. In Quiet-Mode the output instead reports how many seconds remain in the block and that logins are being denied (from all sources when no quiet-mode access list is applied). Healthy values are Normal-Mode with zero failures. Watch for a router sitting in Quiet-Mode, or failure counters that climb between checks, both of which indicate password guessing in progress; 'show login failures' lists the failed attempts by username, source address and local port so the source can be identified and blocked upstream.
CCNA Exam Tips
CCNA exam may ask: 'Which command blocks login attempts after 3 failures within 30 seconds for 60 seconds?' Answer: 'login block-for 60 attempts 3 within 30'
Remember that 'login block-for' is a global config command, not applied per line; it affects all VTY lines.
The exam might test that 'show login' reports whether the router is presently in Quiet-Mode (blocking active) or Normal-Mode.
Know that once 'login block-for' is configured a default login delay of 1 second applies between attempts; 'login delay' is used to increase it.
Common Mistakes
Mistake: Applying 'login block-for' under VTY line configuration instead of global config. Consequence: Command is rejected or has no effect.
Mistake: Confusing the order of parameters (e.g., 'login block-for 5 attempts 120 within 60'). Consequence: The command is still accepted, because each value only has to fall within the range 1 to 65535, but the logic is wrong (block time becomes 5 seconds, threshold 120 attempts).
Mistake: Assuming the block applies only to the offending source IP. Consequence: Misreading the behavior under attack. Failures from all sources are counted together, and quiet mode denies logins from every source that is not permitted by the 'login quiet-mode access-class' ACL; without that ACL, an attacker who triggers quiet mode also locks the administrators out.
Related Commands
- login quiet-mode access-class [acl] - exempts the hosts permitted by the ACL from quiet mode
- login delay [secs] - sets the delay between successive login attempts (default 1 second once login block-for is configured)
- login on-failure log [every n] - generates a syslog message for failed logins
- login on-success log [every n] - generates a syslog message for successful logins
- show login - displays the login-blocking configuration and current mode
- show login failures - lists failed login attempts by username, source address and local port