Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 14
Rationale: By default, OS10 enables only SSH for remote system access. Telnet carries credentials and session data in cleartext, so Dell EMC recommends that you do not enable the Telnet server.
NOTE: If you have disabled the SSH server, re-enable it and disable the Telnet server. Always use SSH for remote system access. Do not disable SSH before confirming that you still have console access, or you lose remote management of the switch.
Configuration:
OS10(config)# ip ssh server enable
OS10(config)# ip ssh server max-auth-tries 4
OS10(config)# no ip telnet server enable
OS10(config)# exit
OS10# write memory

Enable SSH access control
Rationale: Filter SSH connections to the switch with an access list applied to the virtual terminal (vty) lines. Only sources matched by a permit entry can open a session; every other source is dropped by the implicit deny at the end of the list. Verify that the management hosts you connect from are covered by a permit entry before you apply the list, otherwise you lock yourself out of remote access.
Configuration:
OS10(config)# ip access-list permit10
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class permit10
OS10(config-line-vty)# exit
OS10(config)# exit
OS10# write memory

Configure EXEC session timeout
Rationale: By default, no EXEC timeout is configured, so an idle session stays open indefinitely and anyone who reaches the terminal inherits it. To limit that exposure, configure an inactivity timeout.
Configuration:
OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory
timeout-value: The number of seconds of inactivity on the system before the current session is disconnected (0 to 3600).

Limit concurrent login sessions
Rationale: To prevent an unlimited number of active sessions on a switch for the same user ID, limit the number of console and remote connections a user can hold at once.
Configuration:
OS10(config)# login concurrent-session limit limit-number
OS10(config)# exit
OS10# write memory
limit-number: The number of concurrent sessions that any user can have on the console or virtual terminal lines (1 to 12).

Ensure user lockout
Rationale: Configure the system to block a user from logging in for a set period after a specified number of consecutive failed login attempts. This slows online password guessing; note that an attacker who knows a valid user name can also use it to lock that account out, so keep console access available for recovery.
Configuration:
OS10(config)# password-attributes max-retry number lockout-period minutes
OS10(config)# exit
OS10# write memory
• max-retry number: (Optional) Sets the maximum number of consecutive failed login attempts for a user before the user is locked out, from 0 to 16.
• lockout-period minutes: (Optional) Sets the time, in minutes, that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200 (30 days).

Enable login statistics
14 OS10 security best practices
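The settings in this section (SSH on, Telnet off, bounded auth tries, a vty access list, EXEC timeout, session limit and lockout) are easy to drift away from across a fleet. The following script is an added example, not Dell tooling: it audits saved OS10 configuration text offline and reports which of the guide's settings are missing. The two sample configurations are constructed for the example; the accepted thresholds (max-auth-tries of 4, timeout and session-limit ranges) are assumptions taken from the guide's own values, and the indentation of the child command under line vty is assumed to match running-configuration output.

```python
"""Offline audit of an OS10 running-configuration against the remote-access
hardening settings in this section. Added example, not Dell's own tooling.
It reads configuration text (e.g. saved 'show running-configuration' output)
and reports which of the guide's settings are present."""
import re

# Thresholds taken from the guide's examples and ranges (assumption: the
# guide's values are the minimum acceptable; adjust to local policy).
MAX_AUTH_TRIES = 4
EXEC_TIMEOUT_RANGE = (1, 3600)   # 0 would never time out; treated as unset
SESSION_LIMIT_RANGE = (1, 12)


def _first_match(lines, pattern):
    """Return the first re.match of pattern against a config line, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def vty_access_class(lines):
    """Return the ACL name bound with 'ip access-class' under 'line vty', or None.
    Assumes child commands are indented under 'line vty' as in running-config output."""
    in_vty = False
    for line in lines:
        if re.match(r"line vty\b", line):
            in_vty = True
            continue
        if in_vty:
            if not line[:1].isspace():      # back at top level: block finished
                in_vty = False
                continue
            m = re.match(r"\s+ip access-class (\S+)", line)
            if m:
                return m.group(1)
    return None


def audit_os10_config(config_text):
    """Map each check from the guide to True (compliant) or False."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    f = {}
    f["ssh_enabled"] = _first_match(lines, r"ip ssh server enable$") is not None
    f["telnet_disabled"] = _first_match(lines, r"ip telnet server enable$") is None
    m = _first_match(lines, r"ip ssh server max-auth-tries (\d+)$")
    f["ssh_max_auth_tries"] = m is not None and int(m.group(1)) <= MAX_AUTH_TRIES
    acl = vty_access_class(lines)   # the bound list must also exist
    f["vty_acl_bound"] = (acl is not None and
        _first_match(lines, r"ip access-list " + re.escape(acl) + "$") is not None)
    m = _first_match(lines, r"exec-timeout (\d+)$")
    f["exec_timeout_set"] = (m is not None and
        EXEC_TIMEOUT_RANGE[0] <= int(m.group(1)) <= EXEC_TIMEOUT_RANGE[1])
    m = _first_match(lines, r"login concurrent-session limit (\d+)$")
    f["concurrent_session_limited"] = (m is not None and
        SESSION_LIMIT_RANGE[0] <= int(m.group(1)) <= SESSION_LIMIT_RANGE[1])
    # Both keywords are optional on the command line, so require both and > 0.
    pa = _first_match(lines, r"password-attributes\b")
    retry = re.search(r"max-retry (\d+)", pa.string) if pa else None
    period = re.search(r"lockout-period (\d+)", pa.string) if pa else None
    f["lockout_configured"] = bool(retry and period and
                                   int(retry.group(1)) > 0 and int(period.group(1)) > 0)
    return f


def failed_checks(config_text):
    """Sorted names of the checks that fail, for a report or a CI gate."""
    return sorted(k for k, ok in audit_os10_config(config_text).items() if not ok)


HARDENED_CONFIG = """\
! constructed sample running-config: the settings this page recommends
ip ssh server enable
ip ssh server max-auth-tries 4
exec-timeout 600
login concurrent-session limit 2
password-attributes max-retry 5 lockout-period 30
ip access-list permit10
 seq 10 permit ip 172.16.0.0 255.255.0.0 any
line vty
 ip access-class permit10
"""

WEAK_CONFIG = """\
! constructed sample: Telnet on, too many auth tries, no ACL, timeout or lockout
ip ssh server enable
ip ssh server max-auth-tries 10
ip telnet server enable
line vty
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: failed checks = {failed_checks(cfg) or 'none'}")
```

Run it against a saved copy of the running configuration from each switch; a non-empty list from failed_checks is the set of items on this page still to apply. The check for the vty access list deliberately requires the named list to exist as well as be bound, since binding a name with no entries would not filter anything useful.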