2.1.1.1.5 Set maximimum value for 'ip ssh authentication-retries'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The number of retries before the SSH login session disconnects.

Rationale:

This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.

Solution

Configure the SSH timeout:


hostname(config)#ip ssh authentication-retries [3]

Impact:

Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command.

Default Value:

SSH is not enabled by default. When set, the default value is 3.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6

See Also

https://workbench.cisecurity.org/files/2585