I cannot find out how to set a login lockout after a certain number of attempts. I have been viewing my log files and they are filled with people trying to log in 20 times at least. Since this is a "Pro" model - I know it is for small business, I would think that there is a way to limit that number. Regards,Scott

We already implemented the feature to lock out the account for 10~15 minutes after a few repeated failure of incorrect username/password. The # of failures is a system level number that applies to every account, not configurable on each account level.

YeZ wrote:We already implemented the feature to lock out the account for 10~15 minutes after a few repeated failure of incorrect username/password.This is where some DoS can happen (same on the newer Local UI access on the switches btw.), the bad boys are sneaking admin and random or dictionary password attempts over hours or days, and the effective admin (coming from a different IP address typically) remains locked out virtually forever. YeZ wrote:The # of failures is a system level number that applies to every account, not configurable on each account level. How many different accounts can exist on the subject SRR60/SRS60? One! It's just admin. No other administrative user accounts can be added my friend. As I said several times before - the lockout must be based on the source IP - IPv4 and IPv6 - address, not on the one and only default username.

YeZ wrote:What I posted was towards Cloud-based Insight login, not the local login attempts on the router itself. Same here - also the cloud login must block by IP and username, not killing the real user if an acount or the cloud authentication system is under attack.

Understood RaghuHR. BUT that is not a small business solution, that is a consumer solution. You shoudl be able to autoblock after X occurences from a specific IP for a set peiod of time. Scott

On a system with just one single username, you don't want to have an account lockout. say you are exposing the administration to the wild Internet, and when under say "investigation" by the bad guys over a longer period - you will never be able to login again. Of course, a feature as offered by fail2ban lockout of sneaking IP addresses would be required in this product class. The Netgear team in charge (with mostly consumer background) for the Orbi systems does not like to work and talk to me because I'm nasty and often complain about such issues and limitations. YeZ another infamous 🙈 🙉 🙊 case.

Account Lockout after X Attempts - SRR60

14 Replies

schumaku
Guru - Experienced User
Jan 26, 2021
On a system with just one single username, you don't want to have an account lockout. say you are exposing the administration to the wild Internet, and when under say "investigation" by the bad guys over a longer period - you will never be able to login again.

Of course, a feature as offered by fail2ban lockout of sneaking IP addresses would be required in this product class.

The Netgear team in charge (with mostly consumer background) for the Orbi systems does not like to work and talk to me because I'm nasty and often complain about such issues and limitations. YeZ another infamous 🙈 🙉 🙊 case.
YeZ
NETGEAR Expert
Jan 26, 2021
We already implemented the feature to lock out the account for 10~15 minutes after a few repeated failure of incorrect username/password. The # of failures is a system level number that applies to every account, not configurable on each account level.
- schumaku
  Guru - Experienced User
  Jan 26, 2021
  YeZ wrote:
  We already implemented the feature to lock out the account for 10~15 minutes after a few repeated failure of incorrect username/password.
  This is where some DoS can happen (same on the newer Local UI access on the switches btw.), the bad boys are sneaking admin and random or dictionary password attempts over hours or days, and the effective admin (coming from a different IP address typically) remains locked out virtually forever.
  
  YeZ wrote:
  The # of failures is a system level number that applies to every account, not configurable on each account level.
  How many different accounts can exist on the subject SRR60/SRS60? One! It's just admin. No other administrative user accounts can be added my friend.
  
  As I said several times before - the lockout must be based on the source IP - IPv4 and IPv6 - address, not on the one and only default username.
- scottdrynan
  Tutor
  Jan 26, 2021
  Is there a reason why you cannot block by IP?
  - schumaku
    Guru - Experienced User
    Jan 26, 2021
    scottdrynan wrote:
    Is there a reason why you cannot block by IP?
    Because the spec were "enhanced" in a wrong direction probably - to some 1995 consumer product implementations of another router maker devices one might guess?
    
    Or (as another community member mentioned these hours <3 ) because Hardware Business School profit ideas have been replaced MIT engineering.