- Table of Contents
- 09-Security Command Reference
- 01-AAA commands
- 02-802.1X commands
- 03-MAC authentication commands
- 04-Portal commands
- 05-Web authentication commands
- 06-Port security commands
- 07-User profile commands
- 08-Password control commands
- 09-Public key management commands
- 10-PKI commands
- 11-IPsec commands
- 12-SSH commands
- 13-SSL commands
- 14-Attack detection and prevention commands
- 15-TCP attack prevention commands
- 16-IP source guard commands
- 17-ARP attack protection commands
- 18-ND attack defense commands
- 19-uRPF commands
- 20-SAVI commands
- 21-MFF commands
- 22-Crypto engine commands
- 23-FIPS commands
- 24-802.1X client commands
- Related Documents
|14-Attack detection and prevention commands||35.88 KB|
Use attack-defense login reauthentication-delay to enable the login delay feature.
Use undo attack-defense login reauthentication-delay to restore the default.
attack-defense login reauthentication-delay seconds
undo attack-defense login reauthentication-delay
The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
Predefined user roles
seconds: Specifies the delay period in the range of 4 to 60 seconds.
The login delay feature delays the device to accept a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks.
The login delay feature is independent of the login attack prevention feature.
# Enable the login delay feature and set the delay period to 5 seconds.
[Sysname] attack-defense login reauthentication-delay 5
Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.
Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.
attack-defense tcp fragment enable
undo attack-defense tcp fragment enable
TCP fragment attack prevention is enabled.
Predefined user roles
This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments:
· First fragments in which the TCP header is smaller than 20 bytes.
· Non-first fragments with a fragment offset of 8 bytes (FO=1).
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
# Enable TCP fragment attack prevention.
[Sysname] attack-defense tcp fragment enable