2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

Information

This setting controls the number of authentication retries permitted before the SSH login session is disconnected.

Rationale:

This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH connection. It reduces the potential for success of online brute-force attacks by capping the number of login attempts per SSH session.

Impact:

Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command.

Solution

Configure the maximum number of SSH authentication retries:

hostname(config)#ip ssh authentication-retries [3]

Default Value:

SSH is not enabled by default. Once SSH is enabled, the default value is 3.
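One way to audit a saved running-config for this control, as an added example that is not part of the benchmark or the Tenable plugin: the function below searches the configuration text for the global 'ip ssh authentication-retries' line and reports whether an explicit value at or below the recommended maximum of 3 is present. The three sample configurations are constructed for illustration; the function name, the RetriesFinding result type and the decision to treat an absent line as non-compliant (because the benchmark asks for the value to be set by policy, even though IOS falls back to 3 once SSH is enabled) are this example's own choices.

```python
import re
from typing import NamedTuple, Optional

# Ceiling the benchmark item recommends; this is also the Cisco IOS default once SSH is enabled.
RECOMMENDED_MAX_RETRIES = 3

# Matches the global configuration line, e.g. "ip ssh authentication-retries 2".
_RETRIES_RE = re.compile(r"^\s*ip ssh authentication-retries\s+(\d+)\s*$", re.MULTILINE)


class RetriesFinding(NamedTuple):
    configured: Optional[int]   # value found in the config, None when the line is absent
    compliant: bool             # True only for an explicit value <= the recommended maximum
    message: str


def check_ssh_auth_retries(running_config: str,
                           maximum: int = RECOMMENDED_MAX_RETRIES) -> RetriesFinding:
    """Audit Cisco IOS running-config text for 'ip ssh authentication-retries'.

    An explicit value at or below `maximum` passes, a higher value fails, and an
    absent line is reported as not explicitly set (and therefore non-compliant
    with a policy that requires the value to be configured).
    """
    matches = _RETRIES_RE.findall(running_config)
    if not matches:
        return RetriesFinding(
            None, False,
            "ip ssh authentication-retries is not set; the device default (3) "
            "applies once SSH is enabled, but the policy requires an explicit value")
    # IOS keeps a single global value; if the text contains several lines,
    # the last one wins, mirroring how later configuration lines override earlier ones.
    value = int(matches[-1])
    if value > maximum:
        return RetriesFinding(
            value, False,
            f"ip ssh authentication-retries {value} exceeds the recommended maximum of {maximum}")
    return RetriesFinding(
        value, True,
        f"ip ssh authentication-retries {value} is within the recommended maximum of {maximum}")


# Constructed sample configurations (not taken from a real device).
SAMPLE_HARDENED = """\
!
hostname edge-rtr-1
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
line vty 0 4
 transport input ssh
!
"""

SAMPLE_LOOSE = """\
!
hostname edge-rtr-2
!
ip ssh authentication-retries 5
ip ssh version 2
!
"""

SAMPLE_MISSING = """\
!
hostname edge-rtr-3
!
ip ssh version 2
!
line vty 0 4
 transport input ssh
!
"""


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED),
                      ("loose", SAMPLE_LOOSE),
                      ("missing", SAMPLE_MISSING)):
        finding = check_ssh_auth_retries(cfg)
        status = "PASS" if finding.compliant else "FAIL"
        print(f"{name:9s} {status}  {finding.message}")
```

The check reads the configuration as text, so it can be run against an exported 'show running-config' without device access; the same pattern extends to the neighbouring 'ip ssh time-out' control by swapping the regular expression and the ceiling.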

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|SC-7, 800-53|SI-4, CSCv7|16

Plugin: Cisco

Control ID: d7540e50596a53e1acd17354db53a62353639ff1feb0f184fb06288f6d280783