
login block-for Activated — Admin Locked Out Temporarily

Presenting Symptom

The network engineer cannot SSH or Telnet into a Cisco router. After a few failed login attempts the connection is rejected with 'Authentication failed' or 'Connection closed by foreign host', and it stays rejected for a short time even when the correct password is then supplied.

Network Context

This occurs in a small branch office with a single Cisco ISR 4331 router running IOS XE 16.9. The router provides WAN connectivity and management access via SSH. The network has a few remote administrators who occasionally mistype passwords. The login block-for feature has been configured to mitigate brute-force attacks, but the threshold is set too low, causing legitimate admins to be locked out temporarily.

Diagnostic Steps

Step 1: Check login block-for status

show login
A login block-for command is in effect.
   Block period: 15 seconds
   Quiet-Mode: enabled
   Watch window: 60 seconds
   Maximum login failures: 3
   Current failures: 3 (last failure at 14:32:45 UTC Mon Mar 1 2021)
   Currently in quiet-mode: YES
   Quiet-Mode remaining time: 10 seconds

If 'Currently in quiet-mode: YES' is shown, the router is refusing every new login attempt until the remaining quiet-mode time expires; 'Current failures' shows how many failed attempts triggered the block. Quiet mode ends on its own, so the quickest workaround is to wait out the remaining time and retry, then fix the threshold so it does not recur.

Step 2: Verify failed login attempts

show login failures
Total failed login attempts: 3
   Username: admin    Source: 192.168.1.100    Time: 14:32:30 UTC Mon Mar 1 2021
   Username: admin    Source: 192.168.1.100    Time: 14:32:35 UTC Mon Mar 1 2021
   Username: admin    Source: 192.168.1.100    Time: 14:32:45 UTC Mon Mar 1 2021

This shows the source IP and username of each failed attempt. If the failures come from a known administrator address, the threshold is too low for ordinary human error; if they come from an unknown address, the feature is doing its job against an actual guessing attack. Either way, record the trusted source addresses: they are the candidates for the access list used with 'login quiet-mode access-class' (see Prevention).

Step 3: Check login block-for configuration

show running-config | include login block-for
login block-for 15 attempts 3 within 60

This confirms the configured parameters: block duration (15 seconds), number of failures that trigger the block (3), and watch window (60 seconds) within which those failures are counted. Three mistyped passwords inside one minute is enough to trip it, which a legitimate user can easily do.

Step 4: Check whether a quiet-mode access list exempts trusted sources

show running-config | include ^login
login block-for 15 attempts 3 within 60

Only the block-for line is present: there is no 'login quiet-mode access-class' line, so no source address is exempt from quiet mode and the administrator's own workstation is blocked along with everyone else. ('show login' also reports whether a quiet-mode access list has been configured.) If such a line were present and the admin's address were still blocked, the referenced access list itself would be the next thing to check.

Root Cause

The 'login block-for 15 attempts 3 within 60' command allows only 3 failures inside a 60-second watch window. A legitimate administrator mistyped the password three times within that window, so the router entered quiet mode and refused all login attempts, from every source, for 15 seconds. The threshold leaves no room for ordinary human error, and because no 'login quiet-mode access-class' is configured, the trusted management address is not exempt from the block.
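To make the watch-window and quiet-mode semantics from steps 2 to 4 concrete, here is an added example (not code from the original page or from Cisco) that parses the 'login block-for' line and the 'show login failures' lines in the format shown above and replays the failures to determine when quiet mode is entered, when it ends, and whether a given login attempt would be accepted. The sample input is constructed from the scenario; the fixed-window model and the trusted-source list are assumptions of the example, not Cisco's implementation.

```python
"""Replay of Cisco IOS 'login block-for' quiet-mode logic (added example).

Parses the 'login block-for' line from running-config text and the
'show login failures' lines in the format shown in the scenario, then replays
the failures through a watch window. The window is modelled as a fixed window
opened by the first failure and re-opened once it has expired; that model is an
assumption of this example, not Cisco's implementation.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

BLOCK_FOR_RE = re.compile(r"login block-for (\d+) attempts (\d+) within (\d+)")
FAILURE_RE = re.compile(r"Username:\s*(\S+)\s+Source:\s*(\S+)\s+Time:\s*(.+?)\s*$")

# Constructed sample input, copied from the scenario above.
SAMPLE_CONFIG = "login block-for 15 attempts 3 within 60\n"
SAMPLE_FAILURES = """Total failed login attempts: 3
   Username: admin    Source: 192.168.1.100    Time: 14:32:30 UTC Mon Mar 1 2021
   Username: admin    Source: 192.168.1.100    Time: 14:32:35 UTC Mon Mar 1 2021
   Username: admin    Source: 192.168.1.100    Time: 14:32:45 UTC Mon Mar 1 2021
"""


@dataclass(frozen=True)
class BlockPolicy:
    block_seconds: int    # how long quiet mode lasts once triggered
    attempts: int         # number of failures that triggers quiet mode
    window_seconds: int   # watch window in which failures are counted


@dataclass(frozen=True)
class Failure:
    username: str
    source: str
    when: datetime


def parse_policy(running_config: str) -> Optional[BlockPolicy]:
    """Extract the block-for parameters; None if the feature is not configured."""
    m = BLOCK_FOR_RE.search(running_config)
    if not m:
        return None
    block, attempts, window = (int(x) for x in m.groups())
    return BlockPolicy(block, attempts, window)


def parse_failures(show_login_failures: str) -> List[Failure]:
    """Parse 'show login failures' lines. The zone token (UTC here) is dropped,
    so all timestamps are assumed to be in the router's single configured zone."""
    failures = []
    for line in show_login_failures.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        user, source, stamp = m.groups()
        stamp = re.sub(r"^(\S+)\s+\S+\s+", r"\1 ", stamp)  # "14:32:30 UTC Mon ..." -> "14:32:30 Mon ..."
        failures.append(Failure(user, source, datetime.strptime(stamp, "%H:%M:%S %a %b %d %Y")))
    return failures


def replay(policy: BlockPolicy, failures: Iterable[Failure]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Replay failures in time order. Returns (entered, until): when quiet mode
    was entered and when it ends, or (None, None) if the threshold is never hit."""
    window_start: Optional[datetime] = None
    count = 0
    for f in sorted(failures, key=lambda x: x.when):
        if window_start is None or (f.when - window_start) > timedelta(seconds=policy.window_seconds):
            window_start, count = f.when, 0  # (re)open the watch window on this failure
        count += 1
        if count >= policy.attempts:
            return f.when, f.when + timedelta(seconds=policy.block_seconds)
    return None, None


def login_allowed(entered: Optional[datetime], until: Optional[datetime], now: datetime,
                  source: str, quiet_mode_acl: FrozenSet[str] = frozenset()) -> bool:
    """A login at 'now' is refused during quiet mode unless the source is
    permitted by the quiet-mode access list ('login quiet-mode access-class')."""
    in_quiet = entered is not None and entered <= now < until
    return (not in_quiet) or source in quiet_mode_acl


def classify_sources(failures: Iterable[Failure], trusted_sources) -> Dict[str, str]:
    """Label each failing source as a known admin address or an unknown one,
    the judgement step 2 makes by eye."""
    return {f.source: ("trusted" if f.source in trusted_sources else "untrusted") for f in failures}


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONFIG)
    fails = parse_failures(SAMPLE_FAILURES)
    entered, until = replay(policy, fails)
    print("quiet mode from", entered, "until", until)
    print(classify_sources(fails, {"192.168.1.100"}))
    retry = datetime(2021, 3, 1, 14, 32, 50)
    print("retry at 14:32:50 allowed:", login_allowed(entered, until, retry, "192.168.1.100"))
    print("same retry with quiet-mode ACL:",
          login_allowed(entered, until, retry, "192.168.1.100", frozenset({"192.168.1.100"})))
    print("after fix (60/5/120):", replay(BlockPolicy(60, 5, 120), fails))
```

Run it as-is to reproduce the scenario: the third failure at 14:32:45 trips the 3-in-60 threshold and quiet mode lasts until 14:33:00; a retry at 14:32:50 is refused unless 192.168.1.100 is in the quiet-mode access list, and the same three failures never reach the corrected 5-in-120 threshold.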

Resolution

Raise the number of allowed failures so that a mistyped password does not trip the block. Example: allow 5 failures within 120 seconds and block for 60 seconds.

Router(config)# login block-for 60 attempts 5 within 120
Router(config)# end
Router# write memory

Note the trade-off: the block period is the length of each lockout, so raising it from 15 to 60 seconds makes every lockout, including one an attacker deliberately provokes by sending bad passwords, four times longer. The attempts threshold is what reduces false lockouts; exempting trusted management addresses with 'login quiet-mode access-class' (see Prevention) is what keeps administrators reachable while quiet mode is active.

Verification

Run 'show login' to confirm the new parameters and that quiet-mode is not active. Expected output:

A login block-for command is in effect.
   Block period: 60 seconds
   Quiet-Mode: disabled
   Watch window: 120 seconds
   Maximum login failures: 5
   Current failures: 0
   Currently in quiet-mode: NO

Then test management access from an administrator workstation: 'ssh admin@192.168.1.1' should succeed with the correct password.

Prevention

1. Set the login block-for attempts threshold to a reasonable number (e.g., 5-10) to accommodate human error while still slowing brute-force guessing, and keep the block period modest: every second of it is also a window in which anyone who can reach the vty lines can deny management access by sending bad passwords.
2. Configure 'login quiet-mode access-class' with a standard access list of trusted management addresses so administrators can still log in while quiet mode is active. This turns quiet mode from a self-inflicted outage into a block that affects only untrusted sources.
3. Enable 'login on-failure log' (and optionally 'login on-success log') so failed attempts and their source addresses reach syslog rather than only the local 'show login failures' table, which is what lets you tell a mistyping admin from a guessing attack after the fact.
4. Implement AAA with a local database or TACACS+ to centralize authentication and apply per-account lockout (for local accounts, 'aaa local authentication attempts max-fail'), which locks the guessed account instead of the router's entire management plane.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where the candidate must identify why an administrator is locked out. The exam tests understanding of the 'login block-for' command, its parameters (block period, attempts, watch window), and the concept of quiet-mode. A typical multiple-choice question might ask: 'Which command would prevent a legitimate user from being locked out after three failed attempts?'

Exam Tips

1. Memorize the syntax: 'login block-for <seconds> attempts <number> within <seconds>'. The first number is the block (quiet-mode) period, the last is the watch window in which failures are counted.

2. Remember that quiet-mode blocks all login attempts, including from legitimate users, until the block period expires; only sources permitted by a 'login quiet-mode access-class' access list are exempt.

3. Know that 'show login' displays the current quiet-mode status and failure count, and 'show login failures' shows the username and source of each failure; 'show login' is the first command to check in a lockout scenario.

Commands Used in This Scenario

show login
show login failures
show running-config | include login block-for
login block-for <seconds> attempts <number> within <seconds>
login quiet-mode access-class <access-list>
write memory
