24-13
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter24 Security Audit
Fix It Page
This configuration change will require every password on the router, including the
user, enable, secret, console, AUX, tty, and vty passwords, to be at least six
characters in length. This configuration change will be made only if the CiscoIOS
version running on your router supports the minimum password length f eature.
The configuration that will be delivered to the router is as follows:
security passwords min-length <6>
Set Authentication Failure Rate to Less Than 3 Retries
Security Audit configures your router to lock access after three unsuccessful login
attempts whenever possible. One method of cracking passwords, called t he
“dictionary” attack, is to use software that attempts to log in using every word in
a dictionary. This configuration causes access to the router to be locked for a
period of 15 seconds after three unsuccessful login attempts, disabling the
dictionary method of attack. In addition to locking access to the router, this
configuration causes a log message to be generated after three unsuccessful login
attempts, warning the administrator of the unsuccessful login attempts.
The configuration that will be delivered to the router to lock router access after
three unsuccessful login attempts is as follows:
security authentication failure rate <3>
Set TCP Synwait Time
Security Audit sets the TCP synwait time to 10 seconds whenever possible. The
TCP synwait time is a value that is useful in defeating SYN flooding attacks, a
form of Denial-of-Service (DoS) attack. A TCP connection requires a three-phase
handshake to initially establish the connection. A connection request is sent by the
originator, an acknowledgement is sent by the receiver, and then an acceptance of
that acknowledgement is sent by the originator. Once this three-phase handshake
is complete, the connection is complete and data transfer can begin. A SYN
flooding attack sends repeated connection requests to a host, but never sends the
acceptance of acknowledgements that complete the connections, creating
increasingly more incomplete connections at the host. Because the buffer for
incomplete connections is usually smaller than the buffer for completed