Information
SSH connections should be limited.
Rationale:
SSH is a common management protocol, so it is often targeted by attackers trying to gain access to routers or execute Denial of Service (DoS) attacks.
To limit the effectiveness of DoS and Brute Force attacks targeting the JUNOS Device using the SSH service, rate limiting should be used to restrict the maximum number of new connections per second.
Any sessions attempted once this limit is reached will be rejected. A maximum limit of 4 new sessions per second is recommended for most environments.
Solution
To restrict the rate of new SSH connections, issue the following command from the [edit system] hierarchy:
[edit system]
user@host# set services ssh rate-limit <limit>
Default Value:
Up to 150 new sessions per second are accepted by default on most current platforms.
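Audit check (added example, not part of the original benchmark text): the Python below evaluates configuration text in "display set" form, such as the output of show configuration system services ssh | display set, against the recommended limit. The function name, status strings and sample configurations are constructed for illustration; the values 4 and 150 are the recommendation and default stated on this page.

```python
import re

RECOMMENDED_MAX = 4   # recommended limit from this page
DEFAULT_RATE = 150    # default stated on this page for most current platforms

SSH_LINE = re.compile(r"(set|deactivate)\s+system\s+services\s+ssh(?:\s+(.*))?$")

def audit_ssh_rate_limit(config_text, max_rate=RECOMMENDED_MAX):
    """Return (status, effective_rate) for 'display set' style configuration."""
    ssh_enabled = False
    rate = None
    inactive = set()  # statements under ssh marked inactive; "" = whole stanza
    for raw in config_text.splitlines():
        m = SSH_LINE.match(raw.strip())
        if not m:
            continue
        verb, rest = m.group(1), (m.group(2) or "").strip()
        if verb == "deactivate":
            inactive.add(rest)
            continue
        ssh_enabled = True
        r = re.match(r"rate-limit\s+(\d+)$", rest)
        if r:
            rate = int(r.group(1))
    if not ssh_enabled or "" in inactive:
        return ("NOT_APPLICABLE", None)      # SSH service is not active
    if rate is None or "rate-limit" in inactive:
        return ("FAIL", DEFAULT_RATE)        # no active limit: default applies
    return ("PASS" if rate <= max_rate else "FAIL", rate)

# Constructed sample configurations (not taken from a real device).
COMPLIANT = "set system services ssh root-login deny\nset system services ssh rate-limit 4\n"
DEFAULTED = "set system services ssh root-login deny\n"
TOO_HIGH = "set system services ssh rate-limit 100\n"
DEACTIVATED = ("set system services ssh rate-limit 4\n"
               "deactivate system services ssh rate-limit\n")
NO_SSH = "set system services netconf ssh\n"

if __name__ == "__main__":
    for name in ("COMPLIANT", "DEFAULTED", "TOO_HIGH", "DEACTIVATED", "NO_SSH"):
        print(name, audit_ssh_rate_limit(globals()[name]))
```

A rate-limit statement that is present but deactivated is reported as FAIL, because the device then falls back to its default.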