A brute-force attack is a security threat in which an unauthorized user attempts to log into a system. Generally, an automated program tries all possible login passwords and passphrases by trial and error until the correct one is found. Alternatively, the attacker tries to guess the key, which is typically derived from the password by a key derivation function.

To defend against this type of attack, the Baseboard Management Controller (BMC) limits the number of unsuccessful login attempts to four. After four invalid attempts, the user account is automatically disabled for both SSH and web UI logins to the BMC. Note that the count of unsuccessful login attempts is the sum of SSH and web UI attempts: for example, a user account is locked after two unsuccessful SSH attempts and two unsuccessful web UI attempts. The lockout is also recorded in the corresponding event log. The server automatically unlocks the user account after 60 seconds, after which the user can reattempt logging into the BMC. Refer to Managing SBC Core Users and Accounts for more information on user account security measures.

Follow these steps to demonstrate the user lockout that guards against brute-force password guessing: Start
The user account is locked, and a lockout message is displayed.
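The following model of the lockout policy described above is an added illustration, not the BMC's own code: it keeps one failure counter per account shared by SSH and web UI logins, disables the account at the fourth failure, writes event-log entries, and unlocks automatically after 60 seconds. The account name, password and the `LoginGuard` class are constructed for the demonstration; the clock is injected so the 60-second unlock can be shown without waiting.

```python
# Added model of the lockout policy described above; not the BMC's own code.
MAX_FAILURES = 4       # failed logins allowed before the account is disabled
LOCKOUT_SECONDS = 60   # the BMC unlocks the account after this interval
ACCOUNTS = {"admin": "correct-horse"}   # constructed credential store for the demo

class LoginGuard:
    def __init__(self, clock):
        self.clock = clock        # injectable clock so the demo need not sleep
        self.failures = {}        # user -> consecutive failed attempts (ssh + web)
        self.locked_until = {}    # user -> clock value at which the lock expires
        self.event_log = []       # entries the BMC would write to its event log

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: auto-unlock
            del self.locked_until[user]
            self.failures[user] = 0
            self.event_log.append(f"{user}: account unlocked automatically")
            return False
        return True

    def attempt(self, user, password, channel):
        """channel is 'ssh' or 'web'; both count toward one shared limit."""
        if self.is_locked(user):
            self.event_log.append(f"{user}: {channel} login refused, account locked")
            return False
        if ACCOUNTS.get(user) == password:
            self.failures[user] = 0           # a success resets the counter
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.event_log.append(f"{user}: failed {channel} login ({n}/{MAX_FAILURES})")
        if n >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.event_log.append(f"{user}: account locked for {LOCKOUT_SECONDS}s")
        return False

def demo():
    """2 bad SSH + 2 bad web attempts lock 'admin'; the right password works only after 60 s."""
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    for channel in ("ssh", "ssh", "web", "web"):
        guard.attempt("admin", "wrong", channel)
    refused = not guard.attempt("admin", "correct-horse", "web")
    now[0] += LOCKOUT_SECONDS
    accepted = guard.attempt("admin", "correct-horse", "ssh")
    return refused, accepted, guard.event_log
```

Running `demo()` returns `(True, True, log)` where the log holds the four failures, the lock, the refused attempt and the automatic unlock.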