Brute force protection function for the router password

The router's protection against password brute force works for the device's external interfaces on HTTP (TCP/80), Telnet (TCP/23) and HTTPS (TCP/443) protocols.

This protection is enabled in the router by default. If someone enters incorrect login credentials 5 times within 3 minutes, his IP address will be blocked for 15 minutes.

This looks as follows:

1. The intruder accesses the web interface of the router.

2. He enters an incorrect login and password. Once the protection is triggered, the router's web interface stops responding to requests from the IP address from which the access was attempted.

3. The system log of the router shows the following entries:

Oct 26 14:30:39 ndm
Core::Scgi::Auth: authentication failed for user admin.
Oct 26 14:30:43 ndm
Core::Scgi::Auth: authentication failed for user test.
Oct 26 14:30:47 ndm
Core::Scgi::Auth: authentication failed for user user1.
Oct 26 14:30:51 ndm
Core::Scgi::Auth: authentication failed for user admin.
Oct 26 14:30:52 ndm
Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 109.252.x.x.
Oct 26 14:30:52 ndm
Netfilter::Util::BfdManager: "Http": ban remote host 109.252.x.x for 15 minutes.
Oct 26 14:45:52 ndm
Netfilter::Util::BfdManager: "Http": unban remote host 109.252.x.x.

This function can be controlled via the command-line interface (CLI) of the router. The syntax of the commands is the following:

ip http lockout-policy {threshold} [{duration} [{observation-window}}]]

ip telnet lockout-policy {threshold} [{duration} [{observation-window}}]]



threshold — number of attempts to enter the incorrect password, possible values from 4 to 20 attempts (by default 5);

duration — time in minutes for which the attacker's IP address is blocked, possible values from 1 to 60 minutes (by default 15 minutes);

observation-window — period of time in minutes during which incorrect attempts must occur, after which the counter is reset, possible values from 1 to 10 minutes (by default 3 minutes).

Older versions of KeeneticOS have the option to log failed login attempts disabled by default for the HTTP protocol. You can turn it on with a special command. The system log will then record failed attempts to connect to the router's HTTP web interface. In the command line interface (CLI) of the router, run the commands:

ip http log auth
system configuration save


TIP: Note

1. The password brute force feature does not work via the KeenDNS service in the 'Cloud access' mode. Typically, robots only scan IP addresses and therefore, this protection is not as relevant when working via the cloud.

2. Starting from KeeneticOS 2.12, it is possible to set the intrusion detection parameters by brute-forcing SSH and FTP server passwords for public interfaces (enabled by default). The following commands are used for this respectively:
ip ssh lockout-policy
ip ftp lockout-policy

3. Starting from KeeneticOS 3.1, it is possible to configure PPTP server password brute force authentication for intrusion attempts (this feature is enabled by default). The command to configure it is:
vpn-server lockout-policy

You can find complete information on the syntax of the commands mentioned in the article in the CLI Guide in the Download Center.


Was this article helpful?

45 out of 46 found this helpful

Have more questions? Submit a request