2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The number of retries before the SSH login session disconnects.

Rationale:

This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.

Impact:

Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command.

Solution

Configure the maximum number of SSH authentication retries:

hostname(config)#ip ssh authentication-retries [3]

Default Value:

SSH is not enabled by default. When set, the default value is 3.
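
An offline check for this setting, added here as an example (it is not part of the CIS benchmark or the audit file): it scans a saved configuration for the command and compares the value against the 3 shown in the Solution. The sample configurations, the hostname and the function name are constructed, and treating a missing line as the default of 3 is an assumption based on the Default Value statement above.

```python
import re

# Threshold taken from the value shown in the page's Solution section.
MAX_RETRIES = 3
# Assumption: with no explicit line, the default stated on the page (3) applies.
DEFAULT_RETRIES = 3

# Match only real command lines; lines starting with "!" (comments) do not match.
_LINE = re.compile(r"^\s*ip ssh authentication-retries\s+(\d+)\s*$", re.MULTILINE)


def check_auth_retries(config_text, max_allowed=MAX_RETRIES):
    """Return (compliant, effective_value, source) for a saved IOS config."""
    matches = _LINE.findall(config_text)
    if matches:
        # If the line appears more than once, the last occurrence is used.
        value, source = int(matches[-1]), "explicit"
    else:
        value, source = DEFAULT_RETRIES, "default"
    return value <= max_allowed, value, source


# Constructed sample configurations (not from a real device).
WEAK = """\
hostname edge-rtr-01
ip ssh version 2
ip ssh authentication-retries 5
line vty 0 4
 transport input ssh
"""
HARDENED = WEAK.replace("authentication-retries 5", "authentication-retries 3")
IMPLICIT = WEAK.replace("ip ssh authentication-retries 5\n", "")

if __name__ == "__main__":
    samples = (("weak", WEAK), ("hardened", HARDENED), ("implicit", IMPLICIT))
    for name, cfg in samples:
        ok, value, source = check_auth_retries(cfg)
        verdict = "PASS" if ok else "FAIL"
        print(f"{name:9} retries={value} ({source}) -> {verdict}")
```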

See Also

https://workbench.cisecurity.org/files/3801