9.5. Brute Force Protection

Overview

By default, cOS Core applies brute force protection to any authentication which involves the validation of username/password credentials against a local user database (a database defined within cOS Core and not an external database). This means that a management login via the Web Interface or SSH is also protected by this feature.

This feature cannot be turned off by the administrator, nor are there any properties which can be adjusted for this mechanism. However, the administrator does have ways to monitor the activity of the feature, which can reveal whether such attacks are taking place or have taken place.

Protecting Against Brute Force Attacks

A brute force attack is characterized by an external computer connecting to an authenticating device over a network and then repeatedly trying different username/password pairs in rapid succession. This type of attack relies on being able to try many combinations in a short period of time, and cOS Core neutralizes this approach by forcing progressively longer waiting times between successive sets of attempts.

If the first few username/password validation attempts fail, there is a small delay before the next attempt can be made. If the next few attempts also fail, a longer wait is imposed before the next attempt can be made, and so on. The increasing wait times make it impractical to try enough credential combinations to find a valid one. However, a valid user who simply mistyped their credentials more than once should still be able to authenticate within a reasonable amount of time.

The Blocked User List

When a certain number of initial username/password validation attempts fail, cOS Core will add the user to a "blocked user list" and they will remain on the list until a reconfigure of cOS Core or a restart. A user on this list has an integer property called Blocked remaining which is a decrementing number of seconds. While Blocked remaining is greater than zero, cOS Core will not try to authenticate new validation attempts. This number will be reset to a new positive value after another failed authentication attempt.

If the Blocked remaining value reaches zero, the user is not removed from the list for a further 24 hours, which allows the administrator to see such blocked users later. However, a Blocked remaining value of zero means that the user can make another authentication attempt, which cOS Core will not ignore.

Manual Brute Force Settings

The brute force protection feature can be switched on by setting it to Automatic (the default) or to Manual Settings. When switched to Manual Settings, the administrator can specify the following values:

Note that with the manual settings, the number of failed attempts and the lockout time stay constant and do not automatically increase each time the failed-attempt threshold is reached.

How the User Experiences Brute Force Protection

Even when a user is on the blocked list, they will be allowed to make further validation attempts as though nothing had changed. In other words, even if their credentials are correct, cOS Core will treat those attempts as failed until the Blocked remaining value reaches zero. There will be no indication to the user that they are on the blocked list or how long they must wait. Likewise, a malicious attacker will also get no feedback from cOS Core about why attempts are failing.
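The following Python model, added here as an illustration and not code from cOS Core, shows the behaviour described in the three sections above: escalating wait times, a blocked user list with a decrementing Blocked remaining value that is reset by any further failure, attempts during the block treated as failed even with correct credentials, and entries kept for 24 hours after the value reaches zero. The thresholds and wait schedule are assumed values, since the page gives no numbers.

```python
from dataclasses import dataclass

# Assumed parameters (the page states no numbers): every FAILURES_PER_STAGE
# consecutive failures move the user one stage up, and each stage imposes the
# next, longer wait from WAIT_SCHEDULE. An entry stays listed for 24 h after
# its Blocked remaining value reaches zero so an administrator can review it.
FAILURES_PER_STAGE = 3
WAIT_SCHEDULE = (5, 30, 120, 600)   # seconds; progressively longer per stage
LIST_RETENTION = 24 * 3600          # seconds an expired entry stays listed

@dataclass
class BlockedEntry:
    failures: int = 0           # consecutive failed validations
    stage: int = 0              # how many wait periods have been imposed
    blocked_until: float = 0.0  # absolute time at which Blocked remaining is 0

class BruteForceGuard:
    """Models the blocked user list in front of a local user database."""
    def __init__(self, credentials: dict[str, str]):
        self._creds = credentials            # constructed local user database
        self._list: dict[str, BlockedEntry] = {}

    def blocked_remaining(self, user: str, now: float) -> int:
        e = self._list.get(user)
        return max(0, int(e.blocked_until - now)) if e else 0

    def blocked_users(self, now: float) -> list[str]:
        # Entries whose Blocked remaining has been zero for 24 h are dropped;
        # users that never reached a wait stage are not on the list at all.
        self._list = {u: e for u, e in self._list.items()
                      if e.blocked_until + LIST_RETENTION > now}
        return sorted(u for u, e in self._list.items() if e.stage > 0)

    def _fail(self, user: str, now: float) -> None:
        e = self._list.setdefault(user, BlockedEntry())
        e.failures += 1
        if e.failures % FAILURES_PER_STAGE == 0:
            e.stage += 1                      # next failures cost a longer wait
        if e.stage:
            wait = WAIT_SCHEDULE[min(e.stage, len(WAIT_SCHEDULE)) - 1]
            e.blocked_until = now + wait      # reset to a new positive value

    def authenticate(self, user: str, password: str, now: float) -> bool:
        if self.blocked_remaining(user, now) > 0:
            # While Blocked remaining > 0 the credentials are not validated:
            # the attempt is treated as failed even if they are correct, and
            # the caller receives no hint that a block is in effect.
            self._fail(user, now)
            return False
        if self._creds.get(user) == password:
            if user in self._list:
                self._list[user].failures = 0  # assumed: success resets count
            return True
        self._fail(user, now)
        return False
```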

Monitoring the Blocked List

cOS Core provides the following methods for examining the users who have been placed on the blocked user list:

Multi-Factor Authentication Provides Additional Security

Another approach which can neutralize brute force attacks is to use multi-factor authentication, where an additional code needs to be entered in addition to standard credentials. This is described further in Section 9.7, Multi-Factor Authentication.