user-block(AAA view)

Function

The user-block reactive command sets the period for automatically activating blocked users.

The undo user-block reactive command restores the default period for automatically activating blocked users.

The user-block failed-times command enables the device to block users automatically when users consecutively type a specified number of incorrect passwords within a period.

The undo user-block failed-times command disables the device from blocking users automatically when users consecutively type a specified number of incorrect passwords within a period.

By default, the reactivation period is 5 minutes, and the system no longer allows a user to log in if the user fails authentication five times within five minutes.

Format

user-block failed-times failed-times-value period period-value

user-block reactive reactive-time

undo user-block failed-times

undo user-block reactive

Parameters

Parameter: period period-value
Description: Specifies the period within which consecutively typed incorrect passwords are counted.
Value: The value is an integer ranging from 1 to 120, in minutes.

Parameter: reactive reactive-time
Description: Specifies the period after which blocked users are automatically activated.
Value: The value is an integer ranging from 1 to 1000, in minutes. The default value is 5. If the value is 0, blocked users are not automatically activated.

Parameter: failed-times failed-times-value
Description: Specifies the maximum number of times that users may consecutively type incorrect passwords.
Value: The value is an integer ranging from 0 to 10. The default value is 0, meaning that the device does not block users when they consecutively type incorrect passwords.

Views

AAA view

Default Level

3: Management level

Task Name and Operations

Task Name: aaa
Operations: write

Usage Guidelines

Usage Scenario

The user-block failed-times command can be used to prevent malicious users from cracking user passwords. If an authorized user account is locked because of a misoperation, the user-block reactive command can be used to control when it is reactivated. Together, these commands prevent malicious users from cracking user passwords on the one hand and minimize the impact on user services on the other.

A malicious user may attempt password authentication repeatedly in order to guess the user password. To prevent this, run the user-block failed-times command to set the maximum allowed number of successive authentication failures within a specified period. If the number of successive authentication failures of a local user in that period exceeds the allowed number, the local user is locked, which enhances password security.

Configuration Impact

  • The user-block failed-times command does not affect the established online services of the local user.
  • If the malicious user enters the wrong password repeatedly, the user account will be locked and the authorized user cannot log in to the device either.
  • The user-block reactive command will not affect the remaining locking time of already-locked users.

Follow-up Procedure

The following two ways can be used to unlock a locked user account.

  • Automatic unlocking: The device unlocks the local user account after it has been locked for a period of time. The user-block reactive command sets the interval after which the local user account is unlocked automatically. By default, the interval is 5 minutes.
  • Manual unlocking: An authorized user can run the activate command in the user view to forcibly unlock a user account that was locked due to successive authentication failures.
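To make the behaviour these commands configure concrete, the following is an added Python model, not Huawei code and not part of this reference: it counts successive failures per local user within the period window, locks the account when failed-times is reached, reactivates it after reactive minutes, and covers the cases from the Parameters table and Configuration Impact (failed-times 0 disables blocking, reactive 0 leaves only manual unlocking, and a later change to reactive does not alter the remaining lock time of an already-locked user). Assumptions: a sliding window of period minutes, reaching (rather than exceeding) failed-times triggers the lock, and all times are minutes supplied by the caller.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class UserBlockPolicy:
    """Ranges and defaults as given in the Parameters table above."""
    failed_times: int = 0   # 0..10; 0 means the device never blocks users
    period: int = 5         # 1..120 minutes
    reactive: int = 5       # 0..1000 minutes; 0 means no automatic reactivation


class LocalUserLockout:
    # Successive-failure tracking per local user; times are minutes supplied by the caller.
    def __init__(self, policy: UserBlockPolicy) -> None:
        self.policy = policy
        self._failures: dict[str, deque] = {}      # timestamps of the current failure streak
        self._locked_until: dict[str, float] = {}  # unlock time; inf = manual unlock only

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:          # automatic reactivation after 'reactive' minutes
            self.activate(user)
            return False
        return True

    def activate(self, user: str) -> None:   # manual unlock, like 'activate' in the user view
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)

    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        # Returns True if the login is accepted; a locked user is refused even with the right password.
        if self.is_locked(user, now):
            return False
        if password_ok:
            self._failures.pop(user, None)   # a success ends the successive streak
            return True
        if self.policy.failed_times == 0:    # blocking disabled (page default)
            return False
        hist = self._failures.setdefault(user, deque())
        hist.append(now)
        while now - hist[0] >= self.policy.period:   # assumed: sliding window of 'period' minutes
            hist.popleft()
        if len(hist) >= self.policy.failed_times:
            # Deadline fixed now: a later 'user-block reactive' change leaves this user's remaining lock time unchanged.
            self._locked_until[user] = float("inf") if self.policy.reactive == 0 else now + self.policy.reactive
            hist.clear()
        return False
```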

Example

# Globally set the interval at which the local user account is unlocked automatically to 500 minutes.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] user-block reactive 500
Copyright © Huawei Technologies Co., Ltd.