10.5. Brute Force Protection

Overview

By default, cOS Core applies brute force protection to any authentication which involves the validation of username/password credentials against a local user database (a database defined within cOS Core and not an external database). This means that a management login via the Web Interface or SSH is also protected by this feature.

This feature cannot be disabled by the administrator, but there are related settings that can be adjusted. Methods are also available for monitoring the feature's activity, allowing the administrator to detect whether such attacks are occurring or have occurred.

Protecting Against Brute Force Attacks

A brute force attack is characterized by an external computer connecting to an authenticating device over a network and then repeatedly trying different username/password pairs in rapid succession. This type of attack relies on being able to try many combinations in a short period of time and cOS Core neutralizes this approach by forcing progressively longer waiting time between successive sets of attempts.

If the first few username/password validation attempts fail, there is a small delay before the next attempt can be made. If the next few attempts also fail, a longer wait is imposed before the next attempt can be made, and so on. The increasing wait times make it impractical to try enough credential combinations to find a valid one. However, a valid user who has simply mistyped their credentials more than once should still be authenticated within a reasonable amount of time.

The Blocked User List

When a certain number of initial username/password validation attempts fail, cOS Core will add the user to a "blocked user list" and they will remain on the list until a reconfigure of cOS Core or a restart. A user on this list has an integer property called Blocked remaining which is a decrementing number of seconds. While Blocked remaining is greater than zero, cOS Core will not try to authenticate new validation attempts. This number will be reset to a new positive value after another failed authentication attempt.

If the Blocked remaining value reaches zero, the user will not be removed from the list for 24 hours, and this allows the administrator to see such blocked users later. However, a Blocked remaining value of zero means that the user can try to make another authentication attempt which cOS Core will not ignore.

Manual Brute Force Settings

Settings related to the Brute Force feature can be found in the Web Interface under Policies > User Authentication > Authentication Settings. The brute force protection feature can be set to Automatic (the default) or to Manual Settings. When switched to Manual Settings, the administrator can specify the following values:

Using Manual mode, the user will be locked out for the configured number of seconds after each failed attempt.

Using Automatic mode, the lockout time will be extended for each consecutive failed login attempt. Maximum is 30 seconds.

How the User Experiences Brute Force Protection

Even when a user is on the blocked list, they will be allowed to make further validation attempts as though nothing had changed. In other words, even if their credentials are correct, cOS Core will treat those attempts as failed until the Blocked remaining value reaches zero. There will be no indication to the user that they are on the blocked list or how long they must wait. Likewise, a malicious attacker will also get no feedback from cOS Core about why attempts are failing.
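The following Python model is an added illustration of the blocked-user-list behaviour described in the preceding sections (the list, the Blocked remaining property, the Manual and Automatic lockout modes, and the user's experience); it is not cOS Core code. The page does not state how many initial failures are tolerated or how the Automatic delay grows, so the model assumes three free attempts and a delay that starts at 1 second and doubles per consecutive failure up to the stated 30 second maximum; the credential store is a constructed dictionary.

```python
class BruteForceGate:
    """Illustrative model of the blocked user list described above (not cOS Core code).
    Assumed: 3 free attempts, Automatic delay 1 s doubling per failure, dict credential store."""
    FREE_ATTEMPTS = 3      # assumed: failures tolerated before the user is listed
    AUTO_MAX = 30          # page: Automatic-mode lockout never exceeds 30 seconds
    RETENTION = 24 * 3600  # page: entry stays listed 24 h after Blocked remaining hits 0

    def __init__(self, credentials, mode="automatic", manual_lockout=10):
        self.credentials = credentials    # user -> password (constructed demo data)
        self.mode = mode                  # "automatic" (default) or "manual"
        self.manual_lockout = manual_lockout
        self.failures = {}                # user -> consecutive failed attempts
        self.blocked = {}                 # the blocked user list: user -> time lockout ends
        self.now = 0                      # simulated clock, in seconds

    def advance(self, seconds):
        """Move the simulated clock and drop entries whose 24 h retention has passed."""
        self.now += seconds
        for user in [u for u, t in self.blocked.items() if self.now >= t + self.RETENTION]:
            del self.blocked[user]
            self.failures.pop(user, None)

    def blocked_remaining(self, user):
        """The page's 'Blocked remaining' property: seconds left, never negative."""
        return max(0, self.blocked[user] - self.now) if user in self.blocked else 0

    def blocked_list(self):
        """What an administrator monitoring the list would see."""
        return {u: self.blocked_remaining(u) for u in self.blocked}

    def _record_failure(self, user):
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n > self.FREE_ATTEMPTS:
            # every further failure resets Blocked remaining to a fresh positive value
            if self.mode == "manual":
                lockout = self.manual_lockout
            else:  # automatic: 1, 2, 4, 8, 16 s, then capped at AUTO_MAX
                lockout = min(self.AUTO_MAX, 1 << (n - self.FREE_ATTEMPTS - 1))
            self.blocked[user] = self.now + lockout

    def authenticate(self, user, password):
        """True only for valid credentials presented while Blocked remaining is 0.
        A blocked user's attempt fails exactly like a wrong password, with no hint of
        the block, and extends the lockout even when the password is correct."""
        if self.blocked_remaining(user) > 0 or self.credentials.get(user) != password:
            self._record_failure(user)
            return False
        self.failures[user] = 0   # success ends the consecutive streak; the list entry stays
        return True
```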

Monitoring the Blocked List

cOS Core provides the following methods for examining the users who have been placed on the blocked user list:

Multi-Factor Authentication Provides Additional Security

Another approach which can neutralize brute force attacks is to use multi-factor authentication, where an additional code needs to be entered in addition to standard credentials. This is described further in Section 10.7, Multi-Factor Authentication.