Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 14


Rationale: By default, in OS10, SSH is the only protocol that is enabled for remote system access. As the Telnet protocol is not secure, Dell EMC recommends that you do not enable the Telnet server.

NOTE: If you have disabled the SSH server, reenable it and disable the Telnet server. Always use SSH for remote system access.

Configuration:

OS10(config)# ip ssh server enable
OS10(config)# ip ssh server max-auth-tries 4
OS10(config)# no ip telnet server enable
OS10(config)# exit
OS10# write memory

Enable SSH access control

Rationale: Filter SSH connections to the switch using an access list.

Configuration:

OS10(config)# ip access-list permit10
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class permit10
OS10(config-line-vty)# exit
OS10(config)# exit
OS10# write memory

Configure EXEC session timeout

Rationale: By default, there is no EXEC timeout configured. To prevent unauthorized access to the EXEC mode, configure a timeout interval.

Configuration:

OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory

• timeout-value—Specify the number of seconds of inactivity on the system before disconnecting the current session (0 to 3600).

Limit concurrent login sessions

Rationale: To avoid an unlimited number of active sessions on a switch for the same user ID, limit the number of console and remote connections.

Configuration:

OS10(config)# login concurrent-session limit-number
OS10(config)# exit
OS10# write memory

• limit-number—Specify the number of concurrent sessions that any user can have on the console or virtual terminal lines (1 to 12).

Ensure user lockout

Rationale: Configure the system to prevent the user from logging in to the system for a specific time after a specified number of failed login attempts.

Configuration:

OS10(config)# password-attributes max-retry number lockout-period minutes
OS10(config)# exit
OS10# write memory

• max-retry number—(Optional) Sets the maximum number of consecutive failed login attempts for a user before the user is locked out, from 0 to 16.
• lockout-period minutes—(Optional) Sets the amount of time that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200.
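The settings above (SSH only, a vty access-class, exec-timeout, concurrent-session limit and lockout) can be audited offline against a saved running-configuration. The following Python script is an added example, not Dell's code: it assumes the configuration uses the same command syntax as this page, with sub-mode lines such as the vty access-class indented by a space, and the sample configuration is constructed, not captured from a switch.

```python
import re

# Constructed sample of an OS10 running-configuration excerpt (layout assumed);
# the Telnet server, exec-timeout 0 and missing lockout are deliberate weaknesses.
SAMPLE_CONFIG = """\
ip ssh server enable
ip telnet server enable
exec-timeout 0
login concurrent-session 3
line vty
 ip access-class permit10
"""

# (regex, (low, high) bound per captured group, finding text); the bounds are the
# ranges this page gives, with 0 treated as "protection not in effect".
RANGE_CHECKS = [
    (r"^exec-timeout (\d+)$", [(1, 3600)],
     "exec-timeout missing or 0: idle sessions never time out"),
    (r"^login concurrent-session (\d+)$", [(1, 12)],
     "login concurrent-session missing or out of range"),
    (r"^password-attributes max-retry (\d+) lockout-period (\d+)$", [(1, 16), (1, 43200)],
     "password-attributes max-retry/lockout-period missing or 0: no lockout"),
]

def parse_config(text):
    """Return top-level config lines and the ACL name applied on line vty, if any."""
    top, vty_acl, in_vty = [], None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):          # indented: inside a sub-mode block
            m = re.match(r"\s*ip access-class (\S+)", line)
            if in_vty and m:
                vty_acl = m.group(1)
            continue
        in_vty = line.strip() == "line vty"
        top.append(line.strip())
    return top, vty_acl

def audit(text):
    """Return one finding per recommendation on this page that the config misses."""
    top, vty_acl = parse_config(text)
    findings = []
    if "ip ssh server enable" not in top:
        findings.append("SSH server is not enabled")
    if "ip telnet server enable" in top:
        findings.append("Telnet server is enabled; disable it and use SSH only")
    if vty_acl is None:
        findings.append("line vty has no ip access-class: SSH is not filtered")
    for pattern, bounds, finding in RANGE_CHECKS:
        m = next((re.match(pattern, l) for l in top if re.match(pattern, l)), None)
        if m is None or any(not lo <= int(g) <= hi for g, (lo, hi) in zip(m.groups(), bounds)):
            findings.append(finding)
    return findings
```

Running audit(SAMPLE_CONFIG) reports the Telnet server, the zero exec-timeout and the missing lockout; a configuration that follows every step on this page returns an empty list.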
Enable login statistics