A brute-force attack is a well-known security threat to servers. The attacker generally uses an automated program that tries all possible passwords or passphrases by trial and error until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically derived from the password using a key derivation function.
To defend the BMC against brute-force attacks, the number of unsuccessful login attempts allowed is four. After four attempts, the user account is disabled by default for both SSH and Web UI logins to the BMC. Note that the count of unsuccessful login attempts is the sum of SSH and Web UI attempts. For example, if two unsuccessful attempts are made over SSH and two from the Web UI, the server locks the user account. This action is recorded in the appropriate event log. The server automatically unlocks the user account after 60 seconds, after which the user can try to log in to the BMC again.
- Administrators must re-apply the security settings after every software installation or upgrade.
- This feature applies specifically for BMC Web UI and SSH login.
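The lockout rule above (one failure counter shared by SSH and the Web UI, lock on the fourth failure, automatic unlock after 60 seconds) modelled as a small state machine. This is an added illustration, not the BMC's own code; the user name, channel labels and timings in the replayed sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountState:
    failures: int = 0                     # SSH and Web UI failures share this counter
    locked_until: Optional[float] = None  # absolute time at which the lockout expires


class LockoutPolicy:
    """Model of the BMC rule: shared SSH/Web UI failure counter,
    lock on the fourth failure, automatic unlock after 60 seconds."""

    def __init__(self, max_attempts: int = 4, lockout_seconds: int = 60) -> None:
        self.max_attempts = max_attempts        # four unsuccessful attempts allowed
        self.lockout_seconds = lockout_seconds  # auto-unlock after 60 seconds
        self.accounts: Dict[str, AccountState] = {}
        self.events: List[str] = []             # stands in for the BMC event log

    def attempt(self, user: str, channel: str, success: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"  # "User Is Locked, Please Try After 60 sec"
            st.locked_until = None  # lockout expired: unlock and reset the counter
            st.failures = 0
            self.events.append(f"t={now:.0f} {user} auto-unlocked")
        if success:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            self.events.append(f"t={now:.0f} {user} locked after {st.failures} failures (last via {channel})")
            return "locked"
        return "denied"


def run_example() -> List[str]:
    # Constructed attempt sequence for a hypothetical user 'admin'; not a real BMC log.
    policy = LockoutPolicy()
    sequence: List[Tuple[str, str, bool, float]] = [
        ("admin", "ssh", False, 0),     # two failures over SSH ...
        ("admin", "ssh", False, 5),
        ("admin", "webui", False, 10),  # ... plus two over the Web UI
        ("admin", "webui", False, 15),  # fourth combined failure: locked until t=75
        ("admin", "webui", True, 40),   # correct password, but still inside the 60 s window
        ("admin", "webui", True, 80),   # after the automatic unlock the login succeeds
    ]
    return [policy.attempt(*a) for a in sequence]
```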
To know more about Brute Force Password Guessing, refer to Managing SBC Core Users and Accounts.
Follow these steps to verify the defense against Brute Force Password Guessing attempts:
- Access the SBC BMC GUI using a web browser. The BMC login screen is displayed.
- Enter a wrong username and password for four consecutive attempts. The user is locked and the message "User Is Locked, Please Try After 60 sec" is displayed.
- Refresh the browser after 60 seconds. The login page reappears for input.