5.2.16 Ensure SSH MaxAuthTries is set to 4 or less

Information

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy.

Solution

Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows:

MaxAuthTries 4

Run the following command to comment out any MaxAuthTries parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 4 :

# grep -Pi '^h*maxauthtriesh+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri "/^s*maxauthtriess+([5-9]|[1-9][0-9]+)/s/^/# /" "$(awk -F: '{print $1}' <<< $l_out)";done

See Also

https://workbench.cisecurity.org/files/4239