6.10.1.3 Ensure SSH Connection Limit is Set

Information

SSH connections should be limited.

Rationale:

SSH is a common management protocol, so is often targeted by attackers trying to gain access to routers or execute Denial of Service (DoS) attacks.

To limit the effectiveness of DoS and brute-force attacks targeting the JUNOS device through the SSH service, the maximum number of concurrent connections should be limited. Any session attempted once this limit is reached will be rejected. A maximum limit of 10 concurrent sessions is recommended for most environments.

Solution

To restrict concurrent SSH connections, issue the following command from the [edit system services ssh] hierarchy:

[edit system services ssh]
user@host# set connection-limit <limit>

NOTE - On some platforms the maximum configurable connection limit may be significantly lower than 10; for example, on an SRX110 the connection limit can be set to a value between 1 and 3.

Default Value:

Up to 75 concurrent sessions are accepted by default on most current platforms.
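The following is an added example, not part of the benchmark text and not a Juniper or CIS tool: a small Python audit check that parses the output of "show configuration system services ssh", reports whether a connection-limit is configured and whether it is within the recommended maximum of 10, and produces the matching remediation command. The sample configuration snippets below are constructed for illustration; the function names and the threshold constant are this example's own assumptions.

```python
import re

# Constructed sample outputs of "show configuration system services ssh"
# (illustrative only; not taken from the benchmark page).
SAMPLE_CONFIGS = {
    "compliant": """\
root-login deny;
protocol-version v2;
connection-limit 10;
rate-limit 5;
""",
    "too_high": """\
protocol-version v2;
connection-limit 50;
""",
    "missing": """\
protocol-version v2;
""",
}

# Recommended ceiling for most environments, per the benchmark text.
RECOMMENDED_MAX = 10
# Platform default stated by the benchmark when no limit is configured.
PLATFORM_DEFAULT = 75


def parse_connection_limit(config_text: str):
    """Return the configured connection-limit as an int, or None if absent."""
    m = re.search(r"^\s*connection-limit\s+(\d+)\s*;", config_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def check_ssh_connection_limit(config_text: str, max_allowed: int = RECOMMENDED_MAX):
    """Audit the SSH stanza: (passed, reason).

    Fails when the limit is missing (so the platform default applies) or
    when it exceeds the recommended maximum.
    """
    limit = parse_connection_limit(config_text)
    if limit is None:
        return False, f"connection-limit not set; platform default (up to {PLATFORM_DEFAULT}) applies"
    if limit > max_allowed:
        return False, f"connection-limit {limit} exceeds recommended maximum {max_allowed}"
    return True, f"connection-limit {limit} is within recommended maximum {max_allowed}"


def remediation_command(limit: int = RECOMMENDED_MAX) -> str:
    """Full-path equivalent of 'set connection-limit <limit>' from [edit system services ssh]."""
    return f"set system services ssh connection-limit {limit}"


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        passed, reason = check_ssh_connection_limit(cfg)
        print(f"{name:10s} {'PASS' if passed else 'FAIL'}: {reason}")
        if not passed:
            print(f"           remediate with: {remediation_command()}")
```

On platforms whose configurable range is lower than 10 (the SRX110 note above), pass the platform's own ceiling as max_allowed rather than the default constant so the check does not demand a value the device cannot accept.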

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 87d6b53239fd0d652a68fe0e7f022a26bb7c431088c88b00d1481627bad4a899