Monday, 6 October 2014

Quiet Mode on ME3x00 Platforms

The Cisco ME3x00 range of devices comes with automatic lockout for SSH as default. If too many bad login attempts are made within a short period of time, the device will go into a locked down state called "quiet mode" which blocks any new management connections.

In a default configuration, entering quiet mode causes the device to completely refuse any and all new telnet, SSH and port 80 sessions directed towards it. Existing (open) sessions are not affected. If you've ever tried a couple of credentials out, then suddenly started getting "connection refused", you have probably run into this feature!

The default threshold and timer values are as follows:

  • An artificial 1 second delay is added to each login
  • 5 bad logins within 60 seconds triggers a lockout
  • lockout lasts 5 minutes

If that's all you needed to know then I suppose you can go now :)

If you're interested in checking / tweaking the settings, read on.

The commands to view and edit settings relevant to this feature all centre around "login", for example:


ME3x00#show login
     A default login delay of 1 seconds is applied.
     No Quiet-Mode access list has been configured.

     Router enabled to watch for login Attacks.
     If more than 5 login failures occur in 60 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window remaining time 37 seconds.
     Present login failure count 1.

ME3x00#

One thing to note here is that if you try to authenticate with public keys (like openssh and others do by default) it will refuse and count that as a failure. If you bail out at the password prompt (i.e. ctrl-C or leave it time out) then that also counts as a failure. It doesn't take long to get to 5! Attempts blocked by the VTY ACLs don't count.

If you would like to force a longer delay between login attempts, you can adjust the value (between 1 and 10 seconds) under config mode as follows:

ME3x00(config)# login delay 5

The lockout thresholds can easily be changed using the following command:

ME3x00(config)# login block-for 120 attempts 10 within 60

This example would cause the device to trigger a two minute lockdown into quiet mode if it saw 10 failed logins within 60 seconds.

Now the 5 minute default logout is quite a long time and being able to force a lockdown could be advantageous to attackers - if you can prevent an administrator from being able to log into a device then it makes it far more difficult for him to detect and / or mitigate attacks on the network. Luckily there is a feature available to effectively whitelist management traffic that should always be allowed through, even when the device goes into lockdown. This comes in the form of the "login quiet-mode access-class", which basically decides what access controls are put in place when the device enters quiet mode. By default, the quiet-mode access-class is set to "sl_def_acl", which is an omnipresent ACL which looks like this:

ME3x00#show ip access-list sl_def_acl
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet (7 matches)
    20 deny tcp any any eq www
    30 deny tcp any any eq 22 (72 matches)
    40 permit ip any any

ME3x00#

In order to provide back door access when the device enters quiet mode, simply define an ACL which permits the desired traffic but blocks all other management traffic, such as:

ME3x00(config)#ip access-list extended quiet_mode_access
ME3x00(config-ext-nacl)#permit tcp host 10.1.1.1 any eq 22
ME3x00(config-ext-nacl)#deny tcp any any eq telnet
ME3x00(config-ext-nacl)#deny tcp any any eq www
ME3x00(config-ext-nacl)#deny tcp any any eq 22 
ME3x00(config-ext-nacl)#exit

Then apply it to the box using:

ME3x00(config)#login quiet-mode access-class quiet_mode_access 

That way a dedicated management box (10.1.1.1) will always be able to connect and manage the device, even if it is in quiet mode, while everything else will be locked out.

Logging


The device also generates some helpful syslog messages to tell you what it's doing, for example here is my device going into quiet mode:

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: billybob] [Source: 10.10.10.10] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 16:30:00 BST Sun Oct 5 2014

And coming out again:

%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 16:35:00 BST Sun Oct 5 2014

References


Cisco IOS Security Configuration Guide