• Admin Settings > Security > Global Security > Authentication > Enable Active Directory
External Authentication is enabled, a valid Active Directory Server Address is configured, as
are both the Active Directory Admin Group and Active Directory User Group settings.
• Admin Settings > Security > Global Security > Access > Enable Legacy API Over SSH, Lock
SSH Port after Failed Logins is set to 3, SSH Port Lock Duration is set to 1 Minute, and Reset
SSH Port Lock Counter After is set to 1 Hour.
• Admin Settings > Security > Global Security > Access > Lock Port after Failed Logins is set to
4.
Scenario 1: Web interface locked due to excessive failed logins
A user fails to log in to the local Admin account two times on the system web interface, and another user
fails to log in to the external Active Directory ‘SuperUser' account in a separate system web interface
session. The ‘SuperUser' account is defined as part of the Active Directory Admin Group on the Active
Directory Server.
This means that three failed attempts have been made on the system web interface port—two by one
user and one by a second user. If the next attempt to log in to the system web interface by either user or
some other user is successful, the failed login counter for the system web interface port is reset to zero,
allowing 4 more failed attempts to occur on the system web interface.
On the other hand, if after the third failed login attempt, any user makes a fourth unsuccessful attempt to
any account on the system web interface, further attempts to access the system web interface using any
account credentials from any user are locked out for 1 Minute, the value of the SSH Port Lock Duration
period. After the 1 Minute port lock period has past, logins will once again be allowed. As this example
illustrates, the failed login attempts made to the system web interface accumulate across any attempts to
any account and/or by any user.
Scenario 2: Failed attempts counter resets after failed login window closes
A user fails to log in to the local Admin account two times on the system web interface, and another user
fails to log in to the external Active Directory ‘SuperUser' account in a separate system web interface
session. The ‘SuperUser' account is defined as part of the Active Directory Admin Group on the Active
Directory Server.
This means that three failed attempts have been made on the system web interface port—two by one
user and one by a second user. If no more failed attempts are made within 1 Hour of the first failed
attempt (which is the value of the Reset SSH Port Lock Counter After setting), the failed login attempts
counter is reset to zero, and 4 failed attempts are allowed again before the system web interface is
locked.
Related Links
Configure Remote Access on page 85
Enable a Whitelist on page 95
Enable Access to User Settings on page 90
Configure Account Lockout on page 89
Configure Port Lockout Settings
You can limit the number of failed login attempts to your system interface to protect against brute-force
attacks.
If the number of failed login attempts during this window doesn’t reach the maximum number allowed, the
system sets the failed login attempts counter to zero at the end of this window.
Securing the System
Polycom, Inc. 94
To Next Page
Loading...
Need help?
General
