4.2.20 Ensure SSH LoginGraceTime is set to one minute or less

Information

The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access.

Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy.

Solution

Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows:

LoginGraceTime 60

Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location.

See Also

https://workbench.cisecurity.org/benchmarks/13775

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: Unix

Control ID: 36773a1094cca6ce5e925cb124afaa86769d792ee4d98f32d4440d2feb5fc614