Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 4 Initial Configuration Tasks
Configuring User Parameters
Step 4
To unlock jsmith’s account, reset the password:
sensor# configure terminal
sensor(config)# password jsmith
Enter New Login Password: ******
Re-enter New Login Password: ******
Configuring Account Locking
Use the attemptLimit number command in authentication submode to lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
To configure account locking, follow these steps:
Step 1
Log in to the sensor using an account with administrator privileges.
Step 2
Enter service authentication mode:
sensor# configure terminal
sensor(config)# service authentication
Step 3
Set the number of attempts users will have to log in to accounts:
sensor(config-aut)# attemptLimit 3
Step 4
Check your new setting:
sensor(config-aut)# show settings
attemptLimit: 3 defaulted: 0
sensor(config-aut)#
Step 5
To set the value back to the system default setting:
sensor(config-aut)# default attemptLimit
Step 6
Check that the setting has returned to the default:
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
sensor(config-aut)#
Step 7
Check to see if any users have locked accounts:
Note
When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently impact your ability to connect with the sensor. When attemptLimit is non-zero, the SSH server requires the client to support challenge-response authentication. If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.
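The check in Steps 4 and 6 can be repeated across many sensors by auditing captured show settings output. The script below is an added example, not part of the Cisco guide; the sample captures are constructed, and the max_allowed policy ceiling and sensor names are assumptions.

```python
import re

# Matches both forms the sensor prints in authentication submode:
#   attemptLimit: 3 defaulted: 0     (explicitly set; system default shown)
#   attemptLimit: 0 <defaulted>      (running on the system default)
_ATTEMPT_RE = re.compile(
    r"^\s*attemptLimit:\s*(?P<value>\d+)\s*"
    r"(?:<defaulted>|defaulted:\s*\d+)?\s*$",
    re.MULTILINE,
)


def audit_attempt_limit(show_settings_output, max_allowed=5):
    """Return (status, detail) for one sensor's captured `show settings` text.

    max_allowed is a hypothetical local policy ceiling, not a Cisco value.
    """
    m = _ATTEMPT_RE.search(show_settings_output)
    if m is None:
        return ("UNKNOWN", "no attemptLimit line found in output")
    value = int(m.group("value"))
    if value == 0:
        return ("FAIL", "attemptLimit is 0: unlimited authentication attempts")
    if value > max_allowed:
        return ("WARN", f"attemptLimit {value} exceeds policy ceiling {max_allowed}")
    return ("PASS", f"accounts lock after {value} failed attempts; "
                    "SSH clients must support challenge-response")


# Constructed sample captures, modelled on the output shown in Steps 4 and 6.
SAMPLES = {
    "sensor-a": "sensor(config-aut)# show settings\n   attemptLimit: 3 defaulted: 0\nsensor(config-aut)#",
    "sensor-b": "sensor(config-aut)# show settings\n   attemptLimit: 0 <defaulted>\nsensor(config-aut)#",
    "sensor-c": "sensor(config-aut)# show settings\n   attemptLimit: 25 defaulted: 0\n",
    "sensor-d": "sensor# show version\n",  # capture taken in the wrong mode
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, detail = audit_attempt_limit(text)
        print(f"{name}: {status} - {detail}")
```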