The number of retries before the SSH login session disconnects. Rationale: This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.
Solution
Configure the SSH timeout: hostname(config)#ip ssh authentication-retries [3] Impact: Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command. Default Value: SSH is not enabled by default. When set, the default value is 3. References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6