Account lockout policy, Denial of service implications – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual
Network OS NETCONF Operations Guide, 53-1003231-02
Chapter 15: Password policies
The output shows the password stored in encrypted form because the switch-level encryption
setting overrides the account-level setting.
When you disable the password encryption service, any new passwords entered in clear text are
stored in clear text on the switch. Existing encrypted passwords remain encrypted.
Account lockout policy
The account lockout policy disables a user account when the user exceeds a configurable number
of failed login attempts. A user whose account has been locked cannot log in: SSH login attempts
using locked user credentials are denied without telling the user why.
The account remains locked until an administrator explicitly unlocks it. An account cannot be
locked manually, and an account that is not locked cannot be unlocked.
Failed login attempts are tracked on the local switch only. In VCS mode, the user account is locked
only on the switch where the lockout occurred; the same user can still attempt to log in on another
switch in the VCS Fabric. Because each switch counts attempts independently, the per-switch limit
does not bound the total number of guesses that can be made against one account across the fabric.
The account lockout policy is enforced for all user accounts except the root account and
accounts with the admin role.
Denial of service implications
The account lockout mechanism can itself be used to create a denial of service condition: an
attacker who repeatedly attempts to log in to an account with an incorrect password locks the
legitimate user out. Selected privileged accounts, such as root and admin, are exempted from the
account lockout policy so that they cannot be locked out this way. The trade-off is that these
privileged accounts become the natural targets of password guessing attacks, since nothing stops
an attacker from retrying indefinitely. Brocade advises that you periodically examine the Security
Audit logs to determine whether such attacks are being attempted. For information on security
audit logging, refer to the Network OS Message Reference.
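The two cautions above, that failures are counted per switch only and that the lockout-exempt root and admin accounts have to be watched in the Security Audit logs, can be checked together by correlating failed logins per account across all fabric members. The following Python script is an added example for this page, not Brocade code: the log line layout, the switch names, the retry limit MAX_RETRY and the correlation WINDOW are all assumptions (the real audit message format is documented in the Network OS Message Reference), and the sample lines are constructed. It goes beyond the text in one respect: it also flags non-exempt accounts whose failures were spread across switches so that no single switch reached the lockout threshold.

```python
"""Correlate failed-login audit events per account across fabric members.

Added example, not Brocade code. The line layout is a constructed,
simplified one (not the real Network OS audit format):
    <ISO-8601 timestamp> <switch> LOGIN user=<name> src=<ip> status=<failed|success>
Adapt parse_line() to the real audit fields on your system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per the guide, root and admin-role accounts are never locked by the policy.
LOCKOUT_EXEMPT = {"root", "admin"}
# Assumed per-switch retry limit; the real value comes from the switch configuration.
MAX_RETRY = 3
# Assumed correlation window for counting retries.
WINDOW = timedelta(minutes=10)

# Constructed sample audit lines (not a real capture).
SAMPLE_LOG = """\
2014-03-01T10:00:01 sw0 LOGIN user=admin src=203.0.113.7 status=failed
2014-03-01T10:00:05 sw0 LOGIN user=admin src=203.0.113.7 status=failed
2014-03-01T10:00:09 sw0 LOGIN user=admin src=203.0.113.7 status=failed
2014-03-01T10:00:14 sw0 LOGIN user=admin src=203.0.113.7 status=failed
2014-03-01T10:00:20 sw0 LOGIN user=admin src=203.0.113.7 status=failed
2014-03-01T10:01:00 sw0 LOGIN user=alice src=203.0.113.9 status=failed
2014-03-01T10:01:30 sw0 LOGIN user=alice src=203.0.113.9 status=failed
2014-03-01T10:02:00 sw1 LOGIN user=alice src=203.0.113.9 status=failed
2014-03-01T10:02:30 sw1 LOGIN user=alice src=203.0.113.9 status=failed
2014-03-01T10:03:00 sw1 LOGIN user=alice src=198.51.100.4 status=success
2014-03-01T10:05:00 sw2 LOGIN user=bob src=198.51.100.4 status=failed
2014-03-01T11:30:00 sw0 LOGIN user=bob src=198.51.100.4 status=failed
"""


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, switch, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "switch": switch, "event": event, **fields}


def failed_logins(lines):
    """Yield parsed records for failed LOGIN events only."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec["event"] == "LOGIN" and rec.get("status") == "failed":
            yield rec


def peak_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, max_retry=MAX_RETRY, window=WINDOW):
    """Per-user findings: local_peak is the most retries any one switch saw
    (what the per-switch lockout policy evaluates); fabric_peak is the count
    across all switches (what the attacker actually achieved)."""
    per_switch = defaultdict(lambda: defaultdict(list))  # user -> switch -> [ts]
    fabric = defaultdict(list)                            # user -> [ts]
    for rec in failed_logins(log_text.splitlines()):
        per_switch[rec["user"]][rec["switch"]].append(rec["ts"])
        fabric[rec["user"]].append(rec["ts"])

    findings = {}
    for user, all_ts in fabric.items():
        local_peak = max(peak_in_window(t, window) for t in per_switch[user].values())
        fabric_peak = peak_in_window(all_ts, window)
        exempt = user in LOCKOUT_EXEMPT
        findings[user] = {
            "exempt": exempt,
            "local_peak": local_peak,
            "fabric_peak": fabric_peak,
            # Would the per-switch policy have locked this account somewhere?
            "locked_somewhere": (not exempt) and local_peak >= max_retry,
            # Did the account see max_retry or more failures fabric-wide?
            "suspicious": fabric_peak >= max_retry,
        }
    return findings


def report(findings):
    """One human-readable line per account that needs attention."""
    lines = []
    for user, f in sorted(findings.items()):
        if f["exempt"] and f["suspicious"]:
            lines.append(f"{user}: {f['fabric_peak']} failures on a lockout-exempt account: "
                         "possible password guessing")
        elif f["locked_somewhere"]:
            lines.append(f"{user}: locked on at least one switch: possible DoS against user")
        elif f["suspicious"]:
            lines.append(f"{user}: {f['fabric_peak']} failures spread across switches "
                         f"(max {f['local_peak']} per switch): per-switch lockout evaded")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

On the constructed sample, admin is reported as a guessing target (five failures, never locked), alice is reported because her four failures were split two per switch and so stayed under the assumed limit on every switch, and bob's two failures an hour apart produce nothing. Feed the script the audit logs collected from every switch in the fabric, not just one, or the fabric-wide count cannot be formed.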