1.2.6 Set the Maximum Number of VTY Sessions

Information

This sets the maximum number of remote administrative sessions, which in most environments means the maximum number of SSH sessions.

Rationale:

This setting prevents an attacker from carrying out a resource-exhaustion attack using a protocol such as SSH. If there were no limit, an attacker could simply open SSH sessions and leave them in place until the NX-OS host resources (memory) were exhausted. This is not a practical attack against NX-OS, however, as the default value for this setting is 32 and the maximum is only 64.

Setting this value to something other than the default (32) ensures that it appears in the configuration, so that administrators understand what this value is both during regular administration and during an attack.

Impact:

Whatever this value is set to, an attacker can exhaust all SSH sessions so that a legitimate administrator cannot connect remotely. This is a reasonable thing for an attacker to do if they have an attack in progress and want to deny administrators access to the NX-OS platform, which they may need to do to thwart an in-progress attack.

Solution

switch(config)# line vty
switch(config-line)# session-limit 16

Default Value:

The default value for this setting is 32 sessions. If set to this value, the setting is not shown in the running or saved configuration.
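The following is an added example, not part of the benchmark or of Tenable's audit content: a small Python check that parses a constructed NX-OS running-config excerpt, extracts the session-limit under "line vty", and reports whether it is explicitly set to a non-default value within the 1-64 range described above. The sample configs and the two-space indentation convention are assumptions.

```python
import re
from typing import Optional, Tuple

DEFAULT_LIMIT = 32  # NX-OS default; not shown in the config when left at this value
MAX_LIMIT = 64      # upper bound for session-limit on NX-OS

# Constructed sample excerpts of "show running-config" output (not real device output).
SAMPLE_COMPLIANT = """\
hostname switch
feature ssh
line vty
  session-limit 16
  exec-timeout 10
line console
"""

SAMPLE_DEFAULT = """\
hostname switch
line vty
  exec-timeout 10
"""


def vty_session_limit(config: str) -> Optional[int]:
    """Return the explicit session-limit under 'line vty', or None if not configured."""
    in_vty = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Unindented line is a top-level command: track whether we are in 'line vty'
            in_vty = line.strip() == "line vty"
            continue
        if in_vty:
            m = re.match(r"\s*session-limit\s+(\d+)\s*$", line)
            if m:
                return int(m.group(1))
    return None


def check_vty_session_limit(config: str) -> Tuple[str, str]:
    """Evaluate the control: explicit, in-range, non-default session-limit passes."""
    limit = vty_session_limit(config)
    if limit is None:
        return ("FAIL", f"session-limit not set under 'line vty'; device uses default {DEFAULT_LIMIT}")
    if not 1 <= limit <= MAX_LIMIT:
        return ("FAIL", f"session-limit {limit} is outside the valid range 1-{MAX_LIMIT}")
    if limit == DEFAULT_LIMIT:
        return ("FAIL", f"session-limit {limit} equals the default and will not persist in the config")
    return ("PASS", f"session-limit explicitly set to {limit}")
```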

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|4.9, CSCv7|11.1, CSCv7|12.11

Plugin: Cisco

Control ID: c61f2459c3f627053c91b92dd6cacbd688ad33b71c1b503c7dbd89ba2d87ed5b