A brute-force attack is a security threat in which an unauthorized user attempts to log into a system. Generally this involves an automated software program trying all possible login passwords and passphrases by trial and error until the correct password is found. Alternatively, the attacker attempts to guess the key, which is typically created from the password using a key derivation function.

To defend against this type of attack, the BMC limits the number of unsuccessful login attempts to four. After four invalid attempts, a user account is automatically disabled for both SSH and web UI logins to the BMC. Note that the number of unsuccessful login attempts is the sum of both SSH and WEB UI login attempts. For example, after two unsuccessful SSH attempts and two from the web UI, a user account is locked. This action is also recorded in an appropriate event log. The server automatically unlocks the user account after 60 seconds, allowing a user to reattempt logging into the BMC.

Note
  • Administrators must re-apply security settings after every software installation or upgrade.
  • This feature applies specifically to BMC web UI and SSH login.

Refer to Managing SBC Core Users and Accounts for more information on user account security measures.

Follow these steps to demonstrate the user lockout that guards against brute-force password guessing:

  1. Access the SBC BMC GUI using a web browser. The BMC login screen is displayed.

    SBC BMC Login Screen

  2. Enter the wrong password for the same username four consecutive times. The user account is locked and a lockout message is displayed, as shown in the following figure.

    Brute Force Password Guessing - Locked User

  3. After 60 seconds have elapsed, refresh the browser. The login page re-appears and accepts input.