Configuring Account Locking - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Chapter 4 Initial Configuration Tasks
To unlock jsmith's account, reset the password:
Step 4
sensor# configure terminal
sensor(config)# password jsmith
Enter New Login Password: ******
Re-enter New Login Password: ******

Configuring Account Locking

Use the attemptLimit number command in authentication submode to lock accounts so that users cannot
keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited
authentication attempts. For security purposes, you should change this number.
To configure account locking, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter service authentication mode:
sensor# configure terminal
sensor(config)# service authentication
Set the number of attempts users will have to log in to accounts:
Step 3
sensor(config-aut)# attemptLimit 3
Check your new setting:
Step 4
sensor(config-aut)# show settings
sensor(config-aut)#
Step 5 To set the value back to the system default setting:
sensor(config-aut)# default attemptLimit
Step 6 Check that the setting has returned to the default:
sensor(config-aut)# show settings
sensor(config-aut)#
Check to see if any users have locked accounts:
Step 7
Note
78-16527-01
attemptLimit: 3 defaulted: 0
attemptLimit: 0 <defaulted>
When you apply a configuration that contains a non-zero value for attemptLimit, a change is
made in the SSH server that may subsequently impact your ability to connect with the sensor.
When attemptLimit is non-zero, the SSH server requires the client to support
challenge-response authentication. If you experience problems after your SSH client connects
but before it prompts for a password, you need to enable challenge-response authentication.
Refer to the documentation for your SSH client for instructions.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Configuring User Parameters
4-17