A brute-force attack is a security threat in which an unauthorized user attempts to gain access to a system by guessing login credentials. Typically an automated program tries candidate passwords and passphrases by trial and error until the correct one is found. Alternatively, the attacker attempts to guess the key directly, which is typically derived from the password by a key derivation function.
To defend against this type of attack, the BMC limits the number of unsuccessful login attempts to four. After four invalid attempts, the user account is automatically disabled for both SSH and web UI logins to the BMC. Note that the count of unsuccessful login attempts is the sum of SSH and web UI attempts: for example, two unsuccessful SSH attempts followed by two from the web UI lock the account. The lockout is also recorded in the appropriate event log. The server automatically unlocks the account after 60 seconds, after which the user can reattempt logging into the BMC.
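The lockout rule described above, modelled in an added Python example that is not the BMC's own code: one failure counter per account shared by the SSH and web UI channels, lockout on the fourth failure, an event-log entry for each failure and lockout, and automatic unlock after 60 seconds. It assumes that a successful login clears the counter (the page does not say), and uses a constructed, manually advanced clock so the 60-second unlock can be exercised offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LOCKOUT_THRESHOLD = 4    # SSH + web UI failures, combined, before the account locks
LOCKOUT_SECONDS = 60.0   # the account unlocks automatically after this long
@dataclass
class AccountState:
    failures: int = 0                     # one counter shared by both channels
    locked_until: Optional[float] = None  # None while the account is usable
class LockoutPolicy:  # hypothetical model of the BMC rule, not the BMC's own code
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                    # injectable so the 60 s unlock can be tested
        self.accounts: Dict[str, AccountState] = {}
        self.event_log: List[str] = []        # stands in for the BMC event log

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_until is not None and self.clock() >= st.locked_until:
            st.failures, st.locked_until = 0, None   # lockout expired: automatic unlock
            self.event_log.append(f"UNLOCK user={user}")
        return st.locked_until is not None

    def attempt(self, user: str, channel: str, password_ok: bool) -> str:
        # Record one login attempt; returns 'ok', 'denied' or 'locked'.
        if self.is_locked(user):
            return "locked"          # refused before the password is even checked
        st = self._state(user)
        if password_ok:
            st.failures = 0          # assumption: a good login clears the counter
            return "ok"
        st.failures += 1             # channel is logged but not counted separately
        self.event_log.append(f"AUTH_FAIL user={user} channel={channel} count={st.failures}")
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            self.event_log.append(f"LOCKOUT user={user} seconds={int(LOCKOUT_SECONDS)}")
            return "locked"
        return "denied"

def demo(start: float = 1000.0) -> List[str]:
    # Two bad SSH and two bad web UI logins lock 'admin'; 60 s later a good login works.
    now = [start]                                     # constructed, manually advanced clock
    policy = LockoutPolicy(lambda: now[0])
    results = [policy.attempt("admin", ch, False) for ch in ("ssh", "ssh", "web", "web")]
    results.append(policy.attempt("admin", "ssh", True))   # correct password, still locked
    now[0] += LOCKOUT_SECONDS
    results.append(policy.attempt("admin", "web", True))   # unlocked automatically
    return results + policy.event_log
```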
Refer to Managing SBC Core Users and Accounts for more information on user account security measures.
Follow these steps to demonstrate the user lockout that guards against brute-force password guessing:
Access the SBC BMC GUI using a web browser. The BMC login screen is displayed.
Enter the wrong password for the same username four consecutive times. The user account is locked and a lockout message is displayed, as shown in the following figure.