2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

Information

The number of retries before the SSH login session disconnects.

This limits the number of password attempts an unauthorized user can make within a single SSH connection before having to establish a new one. Capping the login attempts per connection reduces the chance of success for online brute-force attacks and makes each attempt more visible and costly for the attacker.

Solution

Configure the SSH authentication retries to 3 or less:

hostname(config)#ip ssh authentication-retries 3
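As an added illustration that is not part of the benchmark or the audit plugin, the following Python check evaluates this control against a saved `show running-config` text. It assumes the Cisco IOS behaviour that the default of 3 retries is not shown in the running-config, so an absent line is treated as the default value; the sample configurations are constructed.

```python
import re
from typing import Optional

# Assumption (documented IOS behaviour): the default of 3 retries is not
# printed in the running-config, so a missing line means the default applies.
DEFAULT_RETRIES = 3
MAX_ALLOWED_RETRIES = 3  # the benchmark's "3 or less"

_RETRIES_RE = re.compile(r"^\s*ip ssh authentication-retries\s+(\d+)\s*$", re.MULTILINE)


def configured_retries(running_config: str) -> Optional[int]:
    """Return the explicitly configured retry count, or None if the line is absent."""
    match = _RETRIES_RE.search(running_config)
    return int(match.group(1)) if match else None


def effective_retries(running_config: str) -> int:
    """Return the value the device actually enforces (explicit value or the default)."""
    value = configured_retries(running_config)
    return DEFAULT_RETRIES if value is None else value


def check_ssh_auth_retries(running_config: str) -> dict:
    """Evaluate control 2.1.1.1.5 and return a small audit result record."""
    value = effective_retries(running_config)
    compliant = value <= MAX_ALLOWED_RETRIES
    return {
        "control": "2.1.1.1.5",
        "effective_retries": value,
        "explicit": configured_retries(running_config) is not None,
        "compliant": compliant,
        # Remediation is the benchmark's own command; only emitted on failure.
        "remediation": None if compliant else f"ip ssh authentication-retries {MAX_ALLOWED_RETRIES}",
    }


# Constructed sample configurations (not captured from a real device).
SAMPLE_COMPLIANT = "hostname edge-rtr\nip ssh version 2\nip ssh authentication-retries 2\n"
SAMPLE_NONCOMPLIANT = "hostname edge-rtr\nip ssh version 2\nip ssh authentication-retries 5\n"
SAMPLE_DEFAULT = "hostname edge-rtr\nip ssh version 2\n"  # line absent: default of 3

if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT),
                      ("noncompliant", SAMPLE_NONCOMPLIANT),
                      ("default", SAMPLE_DEFAULT)]:
        print(name, check_ssh_auth_retries(cfg))
```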

Impact:

Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command.

See Also

https://workbench.cisecurity.org/benchmarks/12917

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1)

Plugin: Cisco

Control ID: 83f9e799254ee77a6515f62365a0bd2e0ff032a35b467b94b7077b40f30f8b6f