Information
The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access.
Rationale:
Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy.
Solution
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LoginGraceTime 60
Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LoginGraceTime parameter as follows:
LoginGraceTime 60
-or-
LoginGraceTime 1m
Run the following command to comment out any LoginGraceTime parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting equal to 0 or greater than 60 seconds:
# grep -Pi '^s*LoginGraceTimes+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri '/^s*LoginGraceTimes+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)/s/^/# /' '$(awk -F: '{print $1}' <<< $l_out)';done
Default Value:
LoginGraceTime 120