NET1645 - SSH session timeout is not 60 seconds or less

Information

The network element must be configured to time out, after 60 seconds or less, SSH sessions that have not completed negotiation and authentication (incomplete or broken sessions).

An attacker may attempt to connect to the device over SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the time allowed to negotiate and authenticate an SSH session narrows the window in which such an attempt can hold a half-open session on the network element. This timeout applies to the negotiation and authentication phase of a session, not to the idle timeout of a session that has already been established.

Solution

Configure the network element to time out SSH sessions that have not completed negotiation and authentication after 60 seconds or less.
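As an added example (not Tenable's audit plugin and not part of the STIG), the following Python audits a Cisco IOS device against this rule from the captured text of `show ip ssh` or `show running-config`. It assumes the IOS command `ip ssh time-out <seconds>` (range 1 to 120; when the command is absent from the configuration the device uses its default of 120 seconds, which by itself fails this rule) and the `Authentication timeout: N secs` line printed by `show ip ssh`. The device outputs below are constructed samples, and treating a device with SSH disabled as not applicable is the example's own choice rather than STIG text.

```python
"""Audit a Cisco IOS device's SSH negotiation timeout against NET1645.

Added example for this page, not Tenable's audit code. Input is the text of
`show ip ssh` (preferred, it shows the running value) or `show running-config`.
"""
import re

MAX_TIMEOUT_SECONDS = 60           # NET1645: 60 seconds or less
IOS_DEFAULT_TIMEOUT_SECONDS = 120  # IOS default when `ip ssh time-out` is not configured

# Constructed sample device output (not captured from a real device).
SHOW_IP_SSH_DEFAULT = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

SHOW_IP_SSH_HARDENED = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

SHOW_IP_SSH_DISABLED = """\
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Constructed running-config fragments: the first never set the timeout, so the
# device silently runs with the 120-second default.
RUNNING_CONFIG_DEFAULT = """\
!
hostname edge-rtr-1
ip ssh version 2
line vty 0 4
 transport input ssh
!
"""

RUNNING_CONFIG_HARDENED = """\
!
hostname edge-rtr-1
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
"""

_SHOW_TIMEOUT_RE = re.compile(r"Authentication timeout:\s*(\d+)\s*secs")
_CONFIG_TIMEOUT_RE = re.compile(r"^ip ssh time-out\s+(\d+)\s*$", re.MULTILINE)


def timeout_from_show_ip_ssh(show_output):
    """Parse `show ip ssh`. Returns (ssh_enabled, timeout_seconds_or_None)."""
    enabled = re.search(r"^SSH Enabled", show_output, re.MULTILINE) is not None
    m = _SHOW_TIMEOUT_RE.search(show_output)
    return enabled, (int(m.group(1)) if m else None)


def timeout_from_running_config(config_text):
    """Effective `ip ssh time-out`. IOS only shows the command when it was set,
    so a missing line means the default of 120 seconds, itself a finding."""
    m = _CONFIG_TIMEOUT_RE.search(config_text)
    return int(m.group(1)) if m else IOS_DEFAULT_TIMEOUT_SECONDS


def audit_net1645(show_ip_ssh=None, running_config=None, max_seconds=MAX_TIMEOUT_SECONDS):
    """Return {"status", "timeout", "reason", "remediation"}.

    status is PASS, FAIL, N/A (SSH disabled; assumption of this example) or
    ERROR (the timeout could not be determined from the supplied text).
    """
    fix = ["configure terminal", f"ip ssh time-out {max_seconds}", "end", "write memory"]
    if show_ip_ssh is not None:
        enabled, timeout = timeout_from_show_ip_ssh(show_ip_ssh)
        if not enabled:
            return {"status": "N/A", "timeout": timeout,
                    "reason": "SSH is disabled on the device", "remediation": []}
        if timeout is None:
            return {"status": "ERROR", "timeout": None,
                    "reason": "no 'Authentication timeout' line in show ip ssh output",
                    "remediation": []}
    elif running_config is not None:
        timeout = timeout_from_running_config(running_config)
    else:
        return {"status": "ERROR", "timeout": None,
                "reason": "no device output supplied", "remediation": []}

    if timeout <= max_seconds:
        return {"status": "PASS", "timeout": timeout,
                "reason": f"SSH negotiation timeout {timeout}s is within {max_seconds}s",
                "remediation": []}
    return {"status": "FAIL", "timeout": timeout,
            "reason": f"SSH negotiation timeout {timeout}s exceeds {max_seconds}s",
            "remediation": fix}


if __name__ == "__main__":
    for label, kwargs in [("show default", {"show_ip_ssh": SHOW_IP_SSH_DEFAULT}),
                          ("show hardened", {"show_ip_ssh": SHOW_IP_SSH_HARDENED}),
                          ("config default", {"running_config": RUNNING_CONFIG_DEFAULT})]:
        print(label, audit_net1645(**kwargs))
```

The running-config path is the one that catches the common miss: an auditor grepping for `ip ssh time-out` and finding nothing may conclude the control is unset rather than set to the failing default, so the absence of the line is reported as a 120-second finding with the remediation commands attached.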

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CAT|II, CSCv6|16.4, Rule-ID|SV-5612r4_rule, STIG-ID|NET1645, Vuln-ID|V-5612

Plugin: Cisco

Control ID: 907850b47f818d53152334203fc398c6cd936fcab11b347573c485facf20652f